MS MFA options for physical login to Windows Server?
Posted by Jazzlike_Tea3402@reddit | sysadmin | 14 comments
So our frontline workers log in to a physical Windows Server. From the server they can open up a web browser and log in to X app. We're talking about what options we have to enforce MFA for these users. I've basically narrowed it down to 3rd party Windows TOTP apps and physical FIDO2 keys/YubiKeys.
There's the new QR code feature in preview which would be good, but this is only supported on mobile.
The one method I'm not sure about is biometrics. I know you can RDP from a client device using WHfB to a server, but is WHfB supported as an option to physically log in to a server?
Plan a Windows Hello for Business Deployment | Microsoft Learn
This document lists Windows Server as "supported" but I believe it's just referring to the authenticating domain controller OS.
My question is whether there is a way we can get fingerprint readers to work as an MFA method on these servers. But actual login to the OS is irrelevant; the objective is MFA for the web browser logins.
DeathTropper69@reddit
Duo.
Adimentus@reddit
I second this. Duo is great for domain and server logins.
malikto44@reddit
That's what I did as well. Duo + some sane firewalling was what I used on the tier 0 and 1 servers. Just make sure you can use Duo offline, just in case you lose network access.
ChimairaSpawn@reddit
If you lose network you can reboot into safe mode and uninstall it. Just in case you run into this in the future.
Ihaveasmallwang@reddit
They asked for MS options, not 3rd party.
Frothyleet@reddit
Even if they did, sometimes the best advice is "use this other product, it's the best solution even if it's not the one you have suggested."
But also, they didn't ask for MS options:
Ihaveasmallwang@reddit
The title of the post is "MS MFA options..."
Frothyleet@reddit
Well, yeah, but sometimes you gotta read the post too.
Ihaveasmallwang@reddit
I’ve read the post, where the title and the body are both talking about Microsoft’s way of doing MFA.
After reading it yet again, the other commenter suggesting yubi keys is still an answer rather than investing huge sums of money into a third party solution for a single use case. That way they can still have a Microsoft natively supported solution if they wanted to stay with the method of physically logging into servers.
You see, context matters, and from the context of the post, it’s clear they are already invested in using Microsoft for MFA in their org.
If you wanted to give an actual better solution, you’d be offering up ways that they could use something like an RDS server that would support WHfB through smart card authentication instead of trying to direct them to Duo.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=intune
/u/Jazzlike_Tea3402 that link is for you in case that is a route your company would like to explore. Personally, I’d choose that over having users physically log into a server.
Frothyleet@reddit
Throwing duo in there is like $3/user for the specific group of users doing this silly workflow, I think that's an easier path than standing up an RDS server, getting the associated licensing, and setting up smart card authentication.
But there are valid arguments for many solutions!
lart2150@reddit
PIV/smart card (like YubiKey 5 series).
Cormacolinde@reddit
That’s my solution for Domain Admin/Server Admin accounts you don’t want to Cloud Sync.
You can also use Virtual Smart Cards, they are TPM-bound.
Salty_Move_4387@reddit
Check out AuthLite. We use it to force MFA for our admin accounts to do anything on prem.
disposeable1200@reddit
SSO your apps to Entra. Then make the users use passwordless on their phones.
But no, you can't use fingerprint readers, not via a remote session.