Machine-based MFA
Machine-based MFA is a setting intended to protect business-critical machines in an organization by requiring multi-factor authentication for every login to them, so that a compromised password alone is not enough to gain access.
How does Machine-based MFA work?
When Machine-based MFA is enforced for a particular machine, any user trying to access the machine has to prove their identity using MFA to successfully log in. The MFA authenticators in the prompt will be based on the authenticators configured for the user in the MFA for Machine Login section.
When this setting is enabled, users will not be allowed to log in to the machine on which Machine-based MFA is enforced if:
- The ADSelfService Plus server is not reachable.
- The user account is restricted in ADSelfService Plus.
- The user does not belong to any policy that has MFA for Machine Login configured.
- The user has not enrolled for any of the authenticators configured in the MFA for Machine Login (both online and offline MFA) section, regardless of whether the Force enrollment option is enabled for the user's policy.
- The user license consumption limit has been exceeded or Endpoint MFA has not been purchased. To purchase Endpoint MFA, click here.
However, users who have selected the Trust this machine setting on the login screen will be allowed to log in to the machine without performing MFA for the specified duration after initial identity verification.
Note: Update the login agent to at least the following versions for MFA to be enforced properly: Windows 5.10, macOS 1.7, or Linux 2.4. If an older version of the login agent is installed on the machine and the ADSelfService Plus server is not reachable, the user will still be allowed to access the machine if the Skip MFA when ADSelfService Plus server is down or unreachable option is enabled.
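The two conditions in the note above (agent version and server reachability) are worth checking before enforcing Machine-based MFA on a machine. The following PowerShell script is an added example for this page, not ADSelfService Plus code. It assumes, because the page does not say, that the Windows login agent registers an uninstall entry whose DisplayName contains 'ADSelfService Plus', and it uses a placeholder server host and port that you must replace with your own deployment's values.

```powershell
# Added example (not ADSelfService Plus code): check the installed Windows login
# agent version against the minimum the note requires (5.10) and confirm the
# ADSelfService Plus server is reachable from this machine.
# Assumptions (not stated on the page): the agent's uninstall entry has a
# DisplayName containing 'ADSelfService Plus'; host and port below are placeholders.

$MinimumAgentVersion = [version]'5.10'
$ServerHost = 'selfservice.example.com'   # placeholder: your ADSelfService Plus host
$ServerPort = 9251                        # placeholder: the port your server listens on

function Get-LoginAgentVersion {
    # Searches both the 64-bit and 32-bit uninstall hives for the agent entry and
    # returns its DisplayVersion as [version], or $null when it is not installed.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*ADSelfService Plus*' } |
             Select-Object -First 1
    if (-not $entry -or -not $entry.DisplayVersion) { return $null }
    # Keep only the leading numeric parts in case the package appends a build tag.
    $clean = $entry.DisplayVersion -replace '[^0-9.].*$', ''
    return [version]$clean
}

function Test-AgentPrerequisites {
    param(
        [version]$Minimum = $MinimumAgentVersion,
        [string]$Server   = $ServerHost,
        [int]$Port        = $ServerPort
    )
    $installed = Get-LoginAgentVersion
    $probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        AgentInstalled  = ($null -ne $installed)
        AgentVersion    = $installed
        AgentCurrent    = ($null -ne $installed -and $installed -ge $Minimum)
        ServerReachable = [bool]$probe.TcpTestSucceeded
    }
}

# --- Usage ---
$result = Test-AgentPrerequisites
$result | Format-List

if (-not $result.AgentCurrent) {
    Write-Warning "Login agent missing or older than $MinimumAgentVersion: MFA may not be enforced, and the Skip MFA fallback could admit users while the server is down."
}
if (-not $result.ServerReachable) {
    Write-Warning "${ServerHost}:${ServerPort} is unreachable: with a current agent, logins to enforced machines will be refused."
}
```

The two warnings correspond to the two outcomes the note describes: an old agent combined with the Skip MFA option is a bypass, while a current agent with an unreachable server is a lockout, so both states are worth knowing before you click Enforce.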
Steps to enforce Machine-based MFA
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.
- Select the required domain from the drop-down list.
- Select the machines on which you want to enforce Machine-based MFA.
- Click Manage MFA and select Enforce.
Steps to exempt a machine from Machine-based MFA
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.
- Select the required domain from the drop-down list.
- Select the machine that you want to exempt from Machine-based MFA.
- Click Manage MFA and select Exempt.
Advanced Machine MFA Settings
ADSelfService Plus allows admins to enable MFA during specific usage scenarios for Windows machines. To request this feature for Mac or Linux, click here.
The authenticators in the prompts for the enabled scenarios will be based on the MFA factors configured in the MFA for Machine Login section. The settings enabled here will be applied to all Windows machines where the ADSelfService Plus login agent is installed.
Windows MFA settings
The Windows MFA Settings section of the Advanced Machine MFA Settings page gives admins granular control over MFA prompts initiated on Windows machines. MFA can be enabled or disabled for interactive logins via the GUI, User Account Control, and Remote Desktop Protocol (RDP) as well as every time a machine is unlocked.
MFA for GUI logins on Windows machines
When this setting is enabled, MFA will be required during interactive or GUI-based logins on Windows machines. Users will be able to perform subsequent actions only upon successful identity verification.
Note: MFA for interactive logins to Windows servers requires the Professional Edition of ADSelfService Plus with Endpoint MFA. Without it, MFA will be bypassed on Windows servers.
To enable this setting:
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
- Select Enable MFA during interactive logons to Windows machines via the GUI.
MFA for User Account Control
When this setting is enabled, MFA will be required for all User Account Control (UAC) credential prompts, and the user will be able to perform the desired action only upon successful identity verification. This setting is compatible with Windows 7 and above and Windows Server 2008 and above. This setting is supported by version 5.10 and above of the ADSelfService Plus Windows login agent.
Note: Actions launched with the Run as a different user option are not covered by this setting; they do not trigger the MFA prompt that other UAC credential prompts do.
To enable this setting:
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
- Select Enable MFA for User Account Control.
MFA for Remote Desktop Access
The admin can configure MFA to be required when establishing connections with machines through RDP. This ensures that RDP connections to machines are secured with an additional layer of authentication.
There are two ways in which MFA can be configured for Remote Desktop access:
- RDP server authentication
When this setting is enabled, all incoming Remote Desktop connections to Windows machines where the ADSelfService Plus login agent is installed will be authenticated and protected using MFA.
- RDP client authentication
This setting can be enabled to require MFA for all outgoing Remote Desktop connections via the Windows Remote Desktop application (mstsc.exe) on machines where the ADSelfService Plus login agent is installed. This setting is supported by version 5.10 and above of the ADSelfService Plus Windows login agent. This setting is applicable for Windows 7 and above and Windows Server 2008 and above.
Note/Tip: With RDP client authentication, you can limit the MFA requirement to users accessing the machine from the internet or other public IP addresses via Remote Desktop Gateway (RD Gateway) by configuring a conditional access rule with IP restrictions. Click here to learn more about conditional access.
To enable MFA for RDP client authentication, the following prerequisites need to be satisfied:
- Network Level Authentication (NLA) needs to be enabled. You can enable it via Group Policy by navigating to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security and enabling Require user authentication for remote connections by using Network Level Authentication.
- To require MFA for Remote Desktop connections in a multi-forest AD environment, there must be a trust relationship between the two domains. Domain trusts can be added between forests either through a forest trust (a trust relationship at the forest level) or through an external trust (a trust relationship at the domain level). For steps to configure a trust relationship, please refer to this document.
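Both prerequisites above can be verified from the machine itself. The following PowerShell script is an added example for this page, not ADSelfService Plus code: it reports the effective NLA state (the Group Policy value overrides the local listener value when both exist), enables NLA locally through the Terminal Services WMI provider when no policy is in force, and checks whether a given domain appears in this machine's trust list using nltest.exe, which ships with Windows. It assumes the default RDP-Tcp listener, and 'fabrikam.com' is a placeholder for the other domain in your multi-forest environment.

```powershell
# Added example (not ADSelfService Plus code): audit and enforce the two RDP client
# authentication prerequisites. Run in an elevated PowerShell session on a
# domain-joined Windows machine.
# Assumptions: the RDP listener is the default 'RDP-Tcp'; 'fabrikam.com' is a
# placeholder for the peer domain.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-NlaState {
    # Effective NLA state. The Group Policy value, when present, overrides the
    # listener value. Required = $true means NLA is enforced for inbound RDP.
    $policy = Get-ItemProperty -Path $PolicyKey -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        return [pscustomobject]@{ Required = [bool]$policy.UserAuthentication; Source = 'GroupPolicy' }
    }
    $local = Get-ItemProperty -Path $ListenerKey -Name UserAuthentication -ErrorAction Stop
    return [pscustomobject]@{ Required = [bool]$local.UserAuthentication; Source = 'Local' }
}

function Enable-Nla {
    # Same change the GPO "Require user authentication for remote connections by
    # using Network Level Authentication" makes, applied to the local listener via
    # the Win32_TSGeneralSetting WMI class so the RDP service picks it up at once.
    $ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                          -Arguments @{ UserAuthenticationRequired = 1 }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with code $($r.ReturnValue)" }
}

function Test-DomainTrust {
    # Returns $true when the named domain appears in this machine's trust list.
    # nltest is used so the check works without the RSAT ActiveDirectory module.
    param([Parameter(Mandatory)][string]$DomainName)
    $out = & nltest.exe /domain_trusts /all_trusts 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $out" }
    return [bool]($out | Where-Object { $_ -match [regex]::Escape($DomainName) })
}

# --- Usage ---
$nla = Get-NlaState
Write-Host "NLA required: $($nla.Required) (source: $($nla.Source))"
if (-not $nla.Required) {
    if ($nla.Source -eq 'GroupPolicy') {
        Write-Warning 'NLA is disabled by Group Policy; change the GPO rather than the local setting.'
    } else {
        Enable-Nla
        Write-Host "NLA enabled locally; now required: $((Get-NlaState).Required)"
    }
}

$peer = 'fabrikam.com'   # placeholder: the other domain in your multi-forest setup
if (Test-DomainTrust -DomainName $peer) {
    Write-Host "Trust with $peer is present."
} else {
    Write-Warning "No trust with $peer found; cross-forest RDP MFA will not work until one is configured."
}
```

Enabling NLA locally is only appropriate where no Group Policy governs the setting; otherwise the next policy refresh reverts the change, which is why the script refuses to act in that case. The trust check only confirms that a trust exists; it does not validate its direction, which you should confirm in Active Directory Domains and Trusts.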
To enable MFA for RDP server and RDP client authentication:
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
- Select Enable MFA for Remote Desktop access during, then check the RDP server authentication and/or RDP client authentication check boxes according to the scenario in which you want MFA to be required.
Note: Enabling both RDP server and RDP client authentication may lead to double verification if the ADSelfService Plus login agent is installed on both the server and client machines. For example, if Google Authenticator is the configured MFA authenticator, and both RDP server and client authentication are enabled, then the user will be required to perform identity verification using the code both before establishing a connection with the remote machine and again after establishing the connection.
MFA for machine unlocking
Enabling this setting will enforce MFA every time a Windows machine is unlocked.
To enable this setting:
- Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
- Select Enable MFA when unlocking Windows machines.
Copyright © 2024, ZOHO Corp. All Rights Reserved.