
In the initial stage of deploying MFA for computer logon across your entire domain and user base, you might not want to enforce MFA on all user accounts on day one. Instead, you can enforce MFA gradually across your user base, in stages. To do so, you need to create a special user group in AD and a pair of logon policies in DualShield. For the simplicity of this guide, this AD group is called the DualShield MFA group.

The strategy is that MFA will only be enforced on users who are members of the DualShield MFA group. All other domain users will be able to continue to log in to the domain with their password only.

The first step is to create the DualShield MFA group in your AD server.
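The staged rollout described above amounts to moving users into the DualShield MFA group in batches. The following PowerShell script is an added example and is not part of the DualShield documentation; it assumes the RSAT ActiveDirectory module, the group name "DualShield MFA", an OU for groups and an OU containing the staff accounts (all placeholders to adjust), and that each user added to the group already has a DualShield token assigned, since the group logon policy requires MFA for every member.

```powershell
# Added example (not DualShield's own tooling). Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$GroupName = 'DualShield MFA'                   # group bound to the DualShield group logon policy
$GroupPath = 'OU=Groups,DC=example,DC=com'      # assumed OU for the group; adjust to your domain
$UserBase  = 'OU=Staff,DC=example,DC=com'       # assumed OU holding the accounts to roll out
$BatchSize = 50                                 # number of users to enforce MFA for per stage

# Stage 0: create the group once (idempotent on re-runs).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName 'DualShield-MFA' -GroupScope Global `
                -GroupCategory Security -Path $GroupPath `
                -Description 'Members must use MFA for domain logon (DualShield group logon policy)'
}

# Users already in the group are MFA-enforced; everyone else is still password-only.
$members   = @(Get-ADGroupMember -Identity $GroupName -Recursive |
               Select-Object -ExpandProperty DistinguishedName)
$remaining = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserBase |
               Where-Object { $members -notcontains $_.DistinguishedName } |
               Sort-Object SamAccountName)

# Next stage: move one batch into the group. Only add users who already hold a
# DualShield token, otherwise the group policy will block their logon.
$batch = @($remaining | Select-Object -First $BatchSize)
if ($batch.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $batch
}

# Rollout status after this stage.
[pscustomobject]@{
    MfaEnforced  = $members.Count + $batch.Count
    PasswordOnly = $remaining.Count - $batch.Count
}
```

Run the script once per stage; each run enforces MFA for the next batch and reports how many domain users are still password-only.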

Then, create the following two logon policies in your DualShield server:

The general procedure for creating a logon policy is as follows.

To create or edit a policy, first open the policy editor window.

Select "Administration | Policies" on the side panel.

To create a new policy, click the "CREATE" button on the toolbar to open the policy editor window.

In the policy editor, first select Logon from the Category drop-down list.

Policy Bindings

Enter or select the following policy bindings:

Holder: The policy holder defines the scope of the policy.

Name: A unique name that describes this policy.

Applications: Optionally, you can bind the policy to a specific application or a list of applications. To specify the application(s), select the field Apply policy to these applications. If the field Apply policy to these applications is left empty, the policy is applied to all applications.

Policy Options

Logon policy settings can be edited using the following procedure:
  • From the Home page of the Management Console, click the menu item "Administration", select "Policies", then in the new tab "POLICIES" select the category "Logon", then click the button.

    The Logon policy settings can now be viewed (or edited) by clicking the context menu of the Logon policy, then selecting either "View" or "Edit".



When editing the policy, a new window "Policy - Edit" opens in which the policy settings can be edited.


The category for this policy is "Logon Policy" (this property cannot be edited).

The default holder of this policy is "System" (this property cannot be edited).


The name assigned by the System Administrator to identify the Logon policy.


The System Administrator may use this field to annotate this policy.


This option allows the System Administrator to enable or disable this policy.


In addition to the settings in the heading section, the Logon policy also includes the following expandable sections.

Each section can be expanded to provide additional settings related to a specific feature of the logon policy, as follows.

Authentication Section

The purpose of the section "Authentication" is to specify when MFA is required, what to do if factors are skipped, and if a CAPTCHA is to be used.

 


This setting determines whether multi-factor authentication is required when logging in;

  • Multi-factor authentication is not required for all users
    All users in the scope of the policy are exempted from 2FA/MFA. This option is typically used to exempt a group of users from 2FA/MFA.

  • Multi-factor authentication is required for users with tokens only
    Users who have a 2FA/MFA token in their account must log in with 2FA/MFA, while users who do not have a 2FA/MFA token are exempted from 2FA/MFA in the logon process.

  • Multi-factor authentication is required for all users
    All users in the scope of the policy must log in with 2FA/MFA.

    Please note that "users" in the context of a policy means only the users in the scope of the policy, i.e. the policy holder.


This option allows the administrator to specify whether authentication can be skipped on subsequent logon attempts (for the specified length of time).

If this value is set to zero, the feature is disabled and authentication skipping does not take place.



If authentication skipping is enabled, this setting determines whether the password is kept (and only the second factor skipped), or whether all factors are skipped;

  • Skip the second factor and keep the password
    The second factor is skipped, but the password is still required.

  • Skip All factors including the password
    All factors are skipped.


If this checkbox is ticked, username guessing is prevented: the user is not told whether the username they supplied is known.


If this checkbox is enabled, a CAPTCHA is presented during logon (to ensure that a human is supplying the authentication factors).

IP Filter Section

The purpose of the section "IP Filter" is to specify when to allow or deny logon based on the users' IP address.

 


This setting determines whether multi-factor authentication is required when logon attempts are made from the specified IP address;

  • required
    If this option is selected, the user is asked to provide multi-factor authentication prior to logging on.

  • not required
    If this option is selected, the user is not asked to provide multi-factor authentication prior to logging on.


This option stores the IP address range(s) that are subject to the previous option.

Single IP addresses or IP ranges, separated by semicolons, e.g. 192.168.0.1; 192.168.0.10-192.168.0.20

  • IP with proxy: 1.2.3.4[192.168.0.254]
  • IP range with proxy: (1.2.3.0-1.2.3.255)[192.168.0.254]

Note: 192.168.0.254 is the proxy server.
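As an added example (not part of the DualShield product or this documentation), the following PowerShell functions parse filter entries written in the syntax above and test whether a given client address matches them, so an IP Filter entry can be sanity-checked before it is saved. They assume that an entry with a proxy part only matches logons that arrive via that proxy address; the DualShield server's own matching rules are not stated on this page.

```powershell
# Added example, not DualShield code. Handles: 192.168.0.1 | 192.168.0.10-192.168.0.20 |
# 1.2.3.4[192.168.0.254] | (1.2.3.0-1.2.3.255)[192.168.0.254], separated by ';'.

function ConvertTo-UInt32 ([string]$Ip) {
    # IPv4 dotted quad -> unsigned integer so ranges can be compared numerically
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-IpFilterEntry ([string]$Entry) {
    $pattern = '^\(?(?<start>[\d.]+)(?:-(?<end>[\d.]+))?\)?(?:\[(?<proxy>[\d.]+)\])?$'
    $m = [regex]::Match($Entry.Trim(), $pattern)
    if (-not $m.Success) { throw "Unrecognised IP filter entry: '$Entry'" }
    $start = ConvertTo-UInt32 $m.Groups['start'].Value
    $end   = if ($m.Groups['end'].Success) { ConvertTo-UInt32 $m.Groups['end'].Value } else { $start }
    if ($end -lt $start) { throw "Range end precedes start in entry: '$Entry'" }
    [pscustomobject]@{ Start = $start; End = $end; Proxy = $m.Groups['proxy'].Value }
}

function Test-IpFilterMatch ([string]$FilterList, [string]$ClientIp, [string]$ProxyIp = '') {
    $client = ConvertTo-UInt32 $ClientIp
    foreach ($entry in ($FilterList -split ';' | Where-Object { $_.Trim() })) {
        $e = ConvertFrom-IpFilterEntry $entry
        $inRange = ($client -ge $e.Start) -and ($client -le $e.End)
        # Assumption: a proxy part restricts the entry to logons arriving via that proxy
        $proxyOk = (-not $e.Proxy) -or ($e.Proxy -eq $ProxyIp)
        if ($inRange -and $proxyOk) { return $true }
    }
    return $false
}

# Constructed sample filter list using the syntax documented above
$filter = '192.168.0.1; 192.168.0.10-192.168.0.20; (1.2.3.0-1.2.3.255)[192.168.0.254]'
Test-IpFilterMatch $filter '192.168.0.15'               # inside the plain range
Test-IpFilterMatch $filter '1.2.3.77' '192.168.0.254'   # in the proxied range, via the proxy
Test-IpFilterMatch $filter '1.2.3.77'                   # same address without the proxy
```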

User Agent Filter Section

The purpose of the section "User Agent Filter" is to specify when to allow or deny logon based on the user agent (the client software) used to log on.

 


This setting determines whether multi-factor authentication is required when logon attempts are made by a matching user agent;

  • required
    If this option is selected, the user is asked to provide multi-factor authentication prior to logging on.

  • not required
    If this option is selected, the user is not asked to provide multi-factor authentication prior to logging on.


This setting lists the user agents that this policy applies to.

The user agents are listed as a text string (regular expressions are supported), e.g. (MacOutlook|Apple-iPhone6C) will match both "MacOutlook" and "Apple-iPhone6C".

Device Filter Section

The purpose of the section "Device Filter" is to specify when to allow or deny logon based on the device used to log on.

Geo Location Filter Section

The purpose of the section "Geo Location Filter" is to specify when to allow or deny logon based on the geographic location of the user.

 


This setting determines whether multi-factor authentication is required when logon attempts are made from the specified geographic location;

  • required
    If this option is selected, the user is asked to provide multi-factor authentication prior to logging on.

  • not required
    If this option is selected, the user is not asked to provide multi-factor authentication prior to logging on.


After clicking on the icon, the following window opens;

Location details are then supplied to identify which geographic locations the policy applies to during logon (based on IP addresses).

Geo Velocity Detector Section

The purpose of the section "Geo Velocity Detector" is to specify when to allow or deny logon based on the geographic location of the user.

 


This setting determines whether multi-factor authentication is required when logon attempts are made from the specified geographic location;

  • required
    If this option is selected, the user is asked to provide multi-factor authentication prior to logging on.

  • not required
    If this option is selected, the user is not asked to provide multi-factor authentication prior to logging on.


After clicking on the icon, the following window opens;

Location details are then supplied to identify which geographic locations the policy applies to during logon (based on IP addresses).

Others Section

The purpose of the section "Others" is to provide logon policy settings that don't fit into the other main sections.

 


This option determines whether passwords can be cached in the browser.


When set to a non-zero value, this policy setting allows one-time passwords to be reused within the specified number of minutes.







Domain Logon Policy

Option: Value
Category: Logon
Holder: Domain
Domain: Select your AD domain
Name: Describe the purpose of this policy
Apply policy to these applications: Select the application that this policy will be applied to
Authentication: Select "Multi-factor authentication is not required for all users"


Group Logon Policy

Option: Value
Category: Logon
Holder: Group
Domain: Select your AD domain
Group: Select the DualShield MFA group
Name: Describe the purpose of this policy
Apply policy to these applications: Select the application that this policy will be applied to
Authentication: Select "Multi-factor authentication is required for all users" (this is what enforces MFA on the group members, while the domain policy above leaves everyone else password-only)


