How to protect your headless home server with smart card authentication and a Yubikey


Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
This is a short guide on how to set up 2FA for Windows Server 2016, installed on a (headless) home server, also known as smart card authentication, with the Yubikey as the smart card.

Because of the complexity of this environment, you should only follow this guide if you are already familiar with the concepts of Active Directory and what it is used for.

  1. Clean install Server 2016
  2. Fully update the OS
  3. Run this command in an elevated cmd prompt:
    Code:
    bcdedit /set {bootmgr} displaybootmenu yes
  4. Install Active Directory Domain Services following this guide: Step-By-Step: Setting up Active Directory in Windows Server 2016
  5. Follow this guide to prepare your AD environment for smart card auth: https://www.yubico.com/wp-content/uploads/2016/03/YubiKeyPIVDeploymentGuide_March25_2016_FINAL.pdf
    • The guide contains step-by-step instructions on how to install Active Directory Certificate Services, set up smart card login templates, and deploy the templates in the CA
    • The guide contains two methods of enrolling a user's Yubikey to the system. I prefer the first (Creating a Smart Card Login Template for User Self-Enrollment), and if you don't have many users (being a home server) I recommend starting with this and experimenting with the second one (Creating a Smart Card Login Template for Enrolling on Behalf of Other Users) later
    • Consider using the "Changing the Behaviour for Your Domain When You Remove the Smart Card" step of the guide, as this is another very good enforcement of the mechanism. Note that for this to work (and not mentioned in the guide), you have to manually set the startup type of the "Smart Card Removal Policy" service to "Automatic" and restart
  6. Log in to the domain with your user, either on the DC itself or on a joined machine, OR connect to the DC with RDP (this is very important: you have to make an initial connection to the domain with the user)
  7. Follow this guide to enroll your Yubikey for the user (while being logged on): https://www.yubico.com/wp-content/uploads/2016/04/YubiKey-PIV-Manager_Users_Guide_April04_2016.pdf
  8. Enable auto-enrolment and renewal following this guide: Configure Certificate Autoenrollment or Setting Up the Certificate Autoenrollment Feature in a Windows Public Key Infrastructure
  9. To connect remotely to the DC with your smart card, you must disable "Allow connections only from computers running Remote Desktop with Network Level Authentication" domain-wide/on the DC. Before you ask "is it safe", read this: Why doesn’t NLA work with cross-domain smart card authentication?
  10. Disconnect your Yubikey, restart the DC, test your Yubikey (locally or via RDP)
Much more about smart cards here (the smart card deployment cookbook): Smart Cards

Enjoy :)
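As an added example (not part of the original post), a PowerShell check for the two settings the guide says to change by hand: the "Smart Card Removal Policy" service startup type and the NLA requirement on the DC's RDP listener. It assumes PowerShell 5.1 on Server 2016 in an elevated session; the `-Fix` switch is this script's own, not something from the Yubico guide.

```powershell
# Added example, not from the original post. Run elevated on the DC after finishing the guide.
[CmdletBinding()]
param([switch]$Fix)   # -Fix applies the service change; without it the script only reports

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. "Smart Card Removal Policy" (service name SCPolicySvc) must be Automatic and running,
#    otherwise the removal behaviour configured in the Yubico guide never fires.
$svc = Get-Service -Name SCPolicySvc
"SCPolicySvc: StartType={0} Status={1}" -f $svc.StartType, $svc.Status
if ($svc.StartType -ne 'Automatic' -or $svc.Status -ne 'Running') {
    if ($Fix) {
        Set-Service -Name SCPolicySvc -StartupType Automatic
        Start-Service -Name SCPolicySvc
        'SCPolicySvc set to Automatic and started.'
    } else {
        'WARNING: SCPolicySvc is not Automatic/Running; re-run with -Fix.'
    }
}

# 2. ScRemoveOption is the value written by the security policy
#    "Interactive logon: Smart card removal behavior" (a REG_SZ, hence the string keys).
$opt = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
$meaning = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect RDP session' }
if ($null -eq $opt) {
    'ScRemoveOption not set: removing the Yubikey does nothing on this machine.'
} else {
    "ScRemoveOption={0} ({1})" -f $opt, $meaning[[string]$opt]
}

# 3. Step 9 of the guide: NLA must be off on the DC for smart card RDP logon.
#    UserAuthentication 1 = NLA required, 0 = not required.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) {
    'NLA is still required on RDP-Tcp; smart card RDP logon to the DC will fail (see step 9).'
} else {
    'NLA is not required on RDP-Tcp, as step 9 of the guide requires.'
}
```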

Amelith Nargothrond
> Great guide. Thank you. I assume this would be a similar process for 2012 R2?

Almost identical, yes. Actually, the Yubikey guides are made for 2012R2, but they work exactly the same on 2016. Minor differences maybe when promoting the DC.
You're welcome :)

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
> Almost identical, yes. Actually, the Yubikey guides are made for 2012R2, but they work exactly the same on 2016. Minor differences maybe when promoting the DC.
> You're welcome :)

Cool. I think I'll try this on an isolated clone of one of my DCs before letting it loose on the production domain. Now all I need to do is convince my boss of the merits of using Yubikeys to secure network access.

Amelith Nargothrond
> Cool. I think I'll try this on an isolated clone of one of my DC's before letting it loose on the production domain. Now all I need to do is convince my boss on the merits of using Yubikeys to secure network access.

Don't forget to test recovery options and simulate as many worst-case scenarios as you can, such as losing Yubikeys, revoked certificates, unreachable CAs/DCs, untrusted CAs, how to create trust between the DC/CA and non-joined machines (you need this in some cases, especially for executive people's laptops), corrupt CA DBs, backup and restore of CA DBs, different time zones (and automatic adjustments), remote access from portable devices like phones or tablets, etc.

When dealing with cryptography, Macrium images might not help in all cases; you have to be ready for anything and know ahead of time what to do or try, to minimize downtime as much as you can. Also, you can distribute the workload if you have hundreds of users, by installing the CA on a different machine, and so forth.
Think about all of these, as smart cards can occasionally be a pain in the *ss if you are not prepared for stuff.

I'm not trying to scare you off, just to prepare you for what may come in the future.

I suggest not enforcing the use of smart cards right from the very beginning, but rather giving the users time to get used to them. After a while, you can enforce it.

Amelith Nargothrond
I can't really emphasize this enough for everybody:

Do not force the use of smart card authentication for interactive logins domain-wide right from the very beginning, or for the single administrator account you may have, until you get used to it and all its tricks. Familiarize yourself with "Directory Services Restore Mode" and what you can do once disaster strikes.
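To avoid exactly the lock-out this post warns about, here is an added PowerShell audit (not the poster's code) that lists the enabled accounts with "Smart card is required for interactive logon" set and checks that at least one Domain Admin can still log in with a password. It assumes the ActiveDirectory module that ships on a DC and a domain-joined session.

```powershell
# Added example, not from the original post. Read-only: it reports, it changes nothing.
Import-Module ActiveDirectory

# Accounts on which the "Smart card is required for interactive logon" flag is set.
$enforced = Get-ADUser -Filter { SmartcardLogonRequired -eq $true } `
                       -Properties SmartcardLogonRequired, Enabled |
            Where-Object { $_.Enabled }

# Privileged accounts: members of Domain Admins, resolved through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty SamAccountName

"{0} enabled account(s) currently require a smart card:" -f $enforced.Count
foreach ($u in $enforced) {
    $tag = if ($domainAdmins -contains $u.SamAccountName) { '  <-- privileged' } else { '' }
    "  {0}{1}" -f $u.SamAccountName, $tag
}

# The post's advice in code: keep at least one Domain Admin that can still use a password.
# DSRM only gets you into the DC itself; it does not restore a locked-out domain account.
$passwordAdmins = $domainAdmins | Where-Object { $_ -notin $enforced.SamAccountName }
if (-not $passwordAdmins) {
    'WARNING: every Domain Admin requires a smart card; a lost or revoked key means lockout.'
} else {
    "Domain Admins still able to log in with a password: {0}" -f ($passwordAdmins -join ', ')
}
```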
