ManageEngine ADSelfService Plus: Protect On-Premises and Cloud Services from Password Attacks with Multi-factor Authentication


Password attacks such as brute force and credential abuse by malicious insiders undermine the security of today’s enterprises and cloud services. ADSelfService Plus from ManageEngine can protect on-premises and cloud logins from such attacks with multi-factor authentication (MFA).

Multi-factor authentication is the best way to protect Active Directory and cloud-based user accounts

As the impact of cybersecurity attacks has increased, and the vectors malicious actors utilize continue to grow, it is important to stay a step ahead in securing your network and enterprise environment. This includes your Active Directory (AD) and cloud-based identity solutions like Microsoft 365/Azure Active Directory (AAD).

This post is sponsored by ManageEngine

Multi-factor authentication is a fairly self-explanatory term. Think of a factor as a piece of evidence you present to prove who you are. The most common factor is the password: when you sign in with a username, you have to prove to the authentication engine that you, and only you, are authorized to use that account, which it checks by comparing the password you supply with the one (in practice, its hash) stored for the account in the directory. In the beginning, the password was essential, and it was the only factor you needed to access ‘secure’ systems.

Today, passwords can be stolen, guessed, and cracked. So we progressed logically by inventing, and eventually requiring, a second (or third) factor, and multi-factor authentication was born. The additional factor can be a push notification to the Microsoft Authenticator app, a physical security key (a YubiKey, for example), a fingerprint, or a code sent by SMS. Not all factors are equal: an SMS code can be intercepted or captured through SIM swapping and a push prompt can be approved by a fatigued user, whereas a FIDO2 security key is bound to the site it was registered with and cannot be phished.

Thankfully, a solution exists that checks all the boxes required, plus a few nice perks – ADSelfService Plus from ManageEngine.

Why can multi-factor authentication be difficult to deploy for on-premises Active Directory?

When everyone essentially worked in the office, most of your users and computers were on the corporate Local Area Network (LAN). Everyone was readily available and on your network if you needed to deploy a new security solution with Active Directory. In today’s hybrid-enabled workforce, many of your employees are likely working from home. Some employees may even be in remote areas, geographically spread out, making it nearly impossible to get them on the LAN.

How do you get all your computers on this new solution?

In addition, Microsoft does not ship a native second-factor prompt (push notification, one-time code or similar) for on-premises Active Directory logons, and there is no MFA policy engine in AD itself; the built-in options are certificate-based, such as smart cards and Windows Hello for Business. Third-party products therefore hook the Windows logon through the credential provider interface. Alternatively, you can stand up Active Directory Federation Services (AD FS) and use its MFA adapters, which is time-consuming, difficult to learn, and brings a good deal of ‘older’ technology into your modern architecture.

Microsoft is pushing customers from on-premises Active Directory (AD) to Azure AD (now Microsoft Entra ID) and its native MFA technology. But there must be a better solution…

The solution: what is ADSelfService Plus, and how does it make multi-factor authentication easy to deploy and manage?

ADSelfService Plus is an identity security solution that can help secure your networks from many cyberattacks, save IT costs, and start your Zero Trust Security plan. With this full-featured solution, you can secure multiple IT resources including identities, computers, and Virtual Private Network (VPN), reduce the burden on your helpdesk, and empower users with many self-service capabilities.

Most importantly, you gain 360-degree visibility and control over your resources spread across on-premises, cloud, and hybrid scenarios.

Because ADSelfService Plus supports such a wide variety of authentication factors (19), it is much easier to roll out a solution like this to your entire user base. Due to the accommodating design of the solution’s framework, you can protect all of the ingress points in your environment, regardless of where your users are located.

What is adaptive MFA (risk-based MFA)?

Adaptive MFA, otherwise known as risk-based MFA, adjusts the authentication factors demanded of a user to the circumstances of each login attempt. A risk score is calculated for each attempt from signals such as:

  • The physical location of the user requesting access.
  • The type of device (desktop/laptop PC, mobile device, tablet, RDP session, etc.).
  • The number of consecutive login failures.
  • The day of the week and the time of the day.
  • The IP address.

The authentication factors demanded of the user adapt to this risk assessment. As an example, if a user who is known to be on vacation attempts to log in to the domain at their work desktop at 3 am, additional authentication factors are required for that attempt, to make extra sure the user is who they say they are. If everything checks out, access is granted. If the activity is suspicious, access to network resources can be denied.
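As an added illustration of the risk calculation described above (example code, not ManageEngine’s scoring logic; the weights, thresholds, corporate IP ranges and the user baseline are all assumptions), here is a small policy engine that scores a login attempt on those five signals and maps the score to the factors the user must complete:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    country: str              # from GeoIP on the source address
    device_type: str          # "desktop", "laptop", "mobile", "tablet", "rdp"
    consecutive_failures: int
    weekday: int              # 0 = Monday ... 6 = Sunday
    hour: int                 # local hour, 0-23
    source_ip: str


@dataclass
class UserBaseline:
    """What 'normal' looks like for this user; an admin or a learning period fills this in."""
    usual_countries: Set[str]
    usual_devices: Set[str]
    work_hours: Tuple[int, int] = (7, 19)   # [start, end) local hours
    on_leave: bool = False                  # e.g. synced from the HR system


# Assumed corporate address ranges; substitute your own.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def risk_score(attempt: LoginAttempt, baseline: UserBaseline) -> int:
    """Additive score; the weights are illustrative, tune them against your own login data."""
    score = 0
    if attempt.country not in baseline.usual_countries:
        score += 40                                 # unfamiliar location
    if attempt.device_type not in baseline.usual_devices:
        score += 20                                 # unfamiliar device type
    if attempt.consecutive_failures >= 3:
        score += 30                                 # looks like password guessing
    elif attempt.consecutive_failures >= 1:
        score += 10
    start, end = baseline.work_hours
    if attempt.weekday >= 5 or not (start <= attempt.hour < end):
        score += 15                                 # outside the user's working pattern
    if not any(ipaddress.ip_address(attempt.source_ip) in net for net in CORP_NETWORKS):
        score += 15                                 # not on the corporate network
    if baseline.on_leave:
        score += 25                                 # the account is expected to be idle
    return score


def decide(score: int) -> Tuple[str, List[str]]:
    """Map a score to an action and the factors the user must complete (thresholds assumed)."""
    if score < 20:
        return "allow", ["password"]
    if score < 50:
        return "step_up", ["password", "authenticator_app"]
    if score < 80:
        return "step_up", ["password", "authenticator_app", "security_key"]
    return "deny", []


def evaluate(attempt: LoginAttempt, baseline: UserBaseline) -> Tuple[int, str, List[str]]:
    score = risk_score(attempt, baseline)
    action, factors = decide(score)
    return score, action, factors


if __name__ == "__main__":
    jdoe = UserBaseline(usual_countries={"US"}, usual_devices={"desktop", "laptop"})
    # The article's scenario: a user known to be on leave logs on at their office desktop at 3 am.
    jdoe_on_leave = UserBaseline(usual_countries={"US"}, usual_devices={"desktop", "laptop"}, on_leave=True)
    print(evaluate(LoginAttempt("jdoe", "US", "desktop", 0, 1, 3, "10.1.2.3"), jdoe_on_leave))
    # Constructed: foreign country, RDP, repeated failures, weekend night, not on the LAN.
    print(evaluate(LoginAttempt("jdoe", "RO", "rdp", 4, 6, 2, "203.0.113.7"), jdoe))
```

The point of the structure is that the score is computed before the password is even checked, so an attacker spraying from an unfamiliar network never learns whether the password was right: they are either stepped up to a factor they do not hold or denied outright.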

Windows Server Active Directory and Remote Desktop

With ADSelfService Plus’s MFA for Windows feature enabled, users are protected when logging into domain-joined computers (desktops, laptops) and servers, locally or over Remote Desktop Protocol (RDP). Provided the login agent is deployed to them, every interactive and RDP logon on your domain computers is MFA-protected. Note that this covers logons that go through the Windows logon screen; network logons that never touch it (an SMB share, a WinRM or PsExec session authenticated with Kerberos or NTLM) are not prompted, so MFA on the desktop complements, rather than replaces, strong passwords and lateral-movement controls.

MacOS and Linux

When you enforce MFA on macOS devices using ADSelfService Plus, every user is required to authenticate their identity via two factors before they can log into their device. Here are some benefits to your macOS users and devices:

  • MFA at a granular level – you can configure MFA based on a user’s domain, their Organizational Unit (OU), and even group membership levels.
  • Compliance with regulations – secure your macOS endpoints based on compliance mandates for NIST SP 800-63B, the NYCRR, the FFIEC, the GDPR, and HIPAA.
  • Conditional access – you can strengthen authentication based on the real-time security risk of each user’s login.

ADSelfService Plus includes a feature to protect Linux devices as well. It adds a further layer of security to the user login process. As with the other platforms mentioned, Linux users log into their workstations with their AD credentials and then present a second factor, such as:

  • Fingerprint
  • Face ID
  • Duo Security
  • MS Authenticator
  • Google Authenticator
  • YubiKey
  • Email
  • SMS

Virtual Private Network (VPN) logins

Back in the day, VPNs were all the rage, rolled out by corporate IT security teams to protect remote users’ connections and file access with an encrypted tunnel into the LAN. Today, typing in a username and password alone is sadly not enough, because a leaked or guessed password gives an attacker that same tunnel. That is where MFA for VPN comes in.

ADSelfService Plus enables you to secure your VPN connection endpoints for the most popular VPN solutions, including:

  • Fortinet
  • Cisco IPSec
  • Cisco AnyConnect
  • Windows native VPN
  • Sonicwall
  • Pulse
  • Check Point
  • OpenVPN Access Server
  • Palo Alto
  • Juniper

SAML 2.0-enabled cloud applications

Cloud application proliferation has been on the rise for many years now, and each new application is another login for end users and another way into your data. By enabling single sign-on (SSO) between ADSelfService Plus and a wide range of SAML 2.0-enabled cloud applications like Salesforce, Google Workspace, and Dropbox, you can secure these inroads too.

How users are protected logging into SAML 2.0-enabled cloud applications with ADSelfService Plus
  • During SP-initiated SSO, users first access the cloud application by entering its URL directly in a browser. The cloud application then redirects the user to the ADSelfService Plus login page for authentication.
  • Users will need to enter their Active Directory domain credentials to prove their identity.
  • Next, users must complete the additional authentication factors configured for them.
  • The user is now directly logged into the SSO-enabled cloud app!
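The four steps above describe the SP-initiated flow from the user’s side. What the cloud application (the service provider, SP) has to verify when the assertion comes back is where real-world SAML integrations go wrong, so here is an added example (not code from this page or from ManageEngine; the entity IDs and URLs are hypothetical) of an SP that issues an AuthnRequest and then checks that the response is bound to that request before creating a session. The sample response is constructed inline to stand in for what the IdP would POST after the password and MFA steps; verification of the XML signature is assumed to have happened first and is not shown.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers; in a real deployment they come from the SP's and the IdP's metadata.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://adss.example.com/samlLogin"    # hypothetical ADSelfService Plus IdP entity ID
IDP_SSO_URL = "https://adss.example.com/samlLogin/sso"  # hypothetical IdP single sign-on endpoint

pending_requests: Dict[str, datetime] = {}  # AuthnRequest ID -> issue time; the SP must track these

def _fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def demo_clock(offset_s: int) -> datetime:
    """Fixed clock for the demo: a constructed instant plus an offset, so results are reproducible."""
    return datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)

def build_authn_request(now: datetime) -> Tuple[str, str]:
    """Step 1: the SP redirects the browser to the IdP carrying this AuthnRequest."""
    req_id = "_" + secrets.token_hex(16)
    pending_requests[req_id] = now
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_fmt(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def make_sample_response(in_response_to: str, now: datetime, audience: str = SP_ENTITY_ID,
                         recipient: str = SP_ACS_URL, lifetime_s: int = 300) -> str:
    """Constructed stand-in for the Response the IdP POSTs to the ACS after password + MFA (steps 2-3)."""
    nb, na = _fmt(now - timedelta(seconds=60)), _fmt(now + timedelta(seconds=lifetime_s))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_fmt(now)}" '
            f'Destination="{recipient}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_fmt(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{recipient}" InResponseTo="{in_response_to}" '
            f'NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')

def validate_response(xml_text: str, now: datetime) -> str:
    """Step 4: what the SP checks before creating a session. Returns the NameID or raises ValueError.
    Assumes the XML signature over the Response/Assertion was ALREADY verified against the IdP's
    metadata certificate (e.g. with python3-saml / xmlsec); on a tampered document these checks mean nothing."""
    root = ET.fromstring(xml_text)  # parse untrusted input with defusedxml in production
    def text(node, path):
        el = node.find(path, NS)
        return el.text if el is not None else None
    req_id = root.get("InResponseTo")
    if req_id not in pending_requests:
        raise ValueError("InResponseTo matches no outstanding request (unsolicited or replayed)")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if text(root, "saml:Issuer") != IDP_ENTITY_ID or assertion is None \
            or text(assertion, "saml:Issuer") != IDP_ENTITY_ID:
        raise ValueError("issuer is not the IdP we trust")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if text(cond, "saml:AudienceRestriction/saml:Audience") != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id \
            or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation does not bind this assertion to our request")
    del pending_requests[req_id]  # one-time use: presenting the same response again fails the first check
    return text(assertion, "saml:Subject/saml:NameID")

def is_valid_response(xml_text: str, now: datetime) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_response(xml_text, now)
        return True
    except ValueError:
        return False
```

Run it by calling `build_authn_request(demo_clock(0))`, passing the returned ID to `make_sample_response`, and handing the result to `validate_response`; a second call with the same response is rejected because the request ID has been consumed, and a response minted for another audience or presented after its NotOnOrAfter is rejected the same way. Skipping any one of these checks is how an assertion issued for one application gets accepted by another, or a captured assertion gets replayed after the user has logged out.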

Outlook Web Access (OWA) and Exchange Admin Center (EAC)

Instead of using the Outlook desktop application to access email, users have the option (unless restricted by IT policy) to use their web browser to access email via Outlook on the Web (OWA). Again, an email address and password alone are not secure enough for a mailbox that is reachable from anywhere on the internet. This is where the MFA feature in ADSelfService Plus helps. The product provides MFA for Outlook on the Web and the Exchange Admin Center (EAC), adding authentication steps beyond the login and password.

Using ADSelfService Plus to login to Outlook on the Web & the Exchange Admin Center
  1. The user attempts to log into OWA or the EAC.
  2. The user is asked to complete the primary authentication on the OWA webpage.
  3. If this is successful, the OWA app passes a request to the ADSelfService Plus connector which informs ADSelfService Plus to request additional factors.
  4. If the user completes all requests successfully, they are logged in!

ADSelfService Plus installation requirements for Active Directory and endpoints

Let’s get into the weeds a bit here and go through some of the general system requirements for ADSelfService Plus.

Hardware Requirements

Here are the minimum and recommended hardware requirements for ADSelfService Plus:

Hardware      Minimum requirements     Recommended requirements
Processor     2.4 GHz                  3 GHz
RAM           8 GB                     16 GB
Disk space    100 GB (SSD preferred)   200 GB (SSD preferred)

Table 1 – Hardware requirements for installing ADSelfService Plus on a Windows computer

Software Requirements

The following Windows Server and client versions are supported, both for installing the ADSelfService Plus server and for the endpoints it protects.

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
  • Windows Client
    • Windows 11
    • Windows 10

The installation process is straightforward. All you need to do is download the installer (EXE) from ManageEngine and run it on a Windows machine joined to your AD domain. ManageEngine also publishes a post-installation security hardening guide; work through it before you publish the portal to users.

As an IT pro, you can open the console in your web browser by typing http://hostname:8888/ in the address bar, where hostname is the computer name of the server you installed the software on. Port 8888 over plain HTTP is only the installer default: before users start typing domain passwords into the portal, switch it to HTTPS with a certificate your clients trust, keep the server patched (once published for remote users it is an internet-reachable identity component), and do not expose the admin console more widely than necessary. Once you deploy the ADSelfService Plus login agent, users will be able to reset their password and/or unlock their account right from the login screen on their computers.

How users can reset their password and unlock their account right from the Login screen!

There are older server and client versions supported by ManageEngine, but as Microsoft does not support them, I will not include them here. You can get more information directly from ManageEngine.

What else can ManageEngine ADSelfService Plus do?

Besides the various MFA tools and features described, there are more features available in their suite. Let’s go through some of the hottest right here:

  • Self-service password reset
    • This allows users to reset passwords for their computers and enterprise applications themselves, on any domain-joined PC, any web browser, or their mobile device, if you have that option enabled.
  • Passwordless authentication
    • You can improve your users’ experience by enabling passwordless login for enterprise (cloud) applications. Users authenticate with a push notification and number matching instead of typing a password they would otherwise have to remember (and therefore tend to choose so that it is easy to guess).
  • Directory self-update
    • Allow your users a secure portal to update core AD profile attributes and information.
  • Reporting
    • Keep admins up-to-date on all your account password statuses through detailed reports. Get ahead of the game with proactive communications to your end users.
  • Learn about additional features on ManageEngine’s feature page.

Download a free trial of ManageEngine ADSelfService Plus and try out multi-factor authentication for yourself: ManageEngine offers a fully functional evaluation for unlimited users for 30 days.

You can also register on the same page to get free technical support during your evaluation period, and sign up for a personalized web demo from ManageEngine.

After you’ve trialed the software, you can purchase the Professional edition and gain a host of additional features. Thank you for learning more about ADSelfService Plus and how it can safely and efficiently secure your environment from intruders and hackers.