How to protect your headless home server with smart card authentication and a Yubikey
<blockquote data-quote="Amelith Nargothrond" data-source="post: 624755" data-attributes="member: 60405"><p>This is a short guide on how to set up 2FA for Windows Server 2016, installed on a (headless) home server, also known as smart card authentication, with the Yubikey as the smart card.</p><p></p><p>Because of the complexity of this environment, you should only follow this guide if you are already familiar with the concepts of Active Directory and what it is used for.</p><p></p><ol> <li data-xf-list-type="ol">Clean install Server 2016</li> <li data-xf-list-type="ol"><strong>Fully update</strong> the OS</li> <li data-xf-list-type="ol">Run this command in an elevated cmd prompt: <br /> [CODE]bcdedit /set {bootmgr} displaybootmenu yes[/CODE]<ul> <li data-xf-list-type="ul">this is necessary in case you lock yourself out, as you can press F8 at boot and choose "<strong>Directory Services Restore Mode</strong>" (read more about this here: <a href="https://u-tools.com/help/dsrm.asp" target="_blank">Directory Services Restore Mode (DSRM)</a>)</li> </ul></li> <li data-xf-list-type="ol">Install Active Directory Domain Services following this guide: <a href="https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/" target="_blank">Step-By-Step: Setting up Active Directory in Windows Server 2016</a></li> <li data-xf-list-type="ol">Follow this guide to prepare your AD environment for smart card auth: <a href="https://www.yubico.com/wp-content/uploads/2016/03/YubiKeyPIVDeploymentGuide_March25_2016_FINAL.pdf" target="_blank">https://www.yubico.com/wp-content/uploads/2016/03/YubiKeyPIVDeploymentGuide_March25_2016_FINAL.pdf</a><ul> <li data-xf-list-type="ul">The guide contains step-by-step instructions on how to install Active Directory Certificate Services, set up smart card login templates, and deploy the templates in the CA</li> <li data-xf-list-type="ul">The guide contains two methods of enrolling a user's Yubikey to the system. I prefer the first (Creating a Smart Card Login Template for User Self-Enrollment) and if you don't have many users (being a home server) I recommend starting with this and experimenting with the second one (Creating a Smart Card Login Template for Enrolling on Behalf of Other Users) later</li> <li data-xf-list-type="ul">Consider using the "Changing the Behaviour for Your Domain When You Remove the Smart Card" step of the guide, as this is another very good enforcement of the mechanism. Note that for this to work (and not mentioned in the guide), you have to manually set the startup type of the "Smart Card Removal Policy" service to "Automatic" and restart</li> </ul></li> <li data-xf-list-type="ol">Log in with your user to the domain controller on the DC or on the joined machine <em>OR </em>connect to the DC with RDP (this is very important, you have to make an initial connection to the domain with the user)</li> <li data-xf-list-type="ol">Follow this guide to enroll your Yubikey for the user (while logged on): <a href="https://www.yubico.com/wp-content/uploads/2016/04/YubiKey-PIV-Manager_Users_Guide_April04_2016.pdf" target="_blank">https://www.yubico.com/wp-content/uploads/2016/04/YubiKey-PIV-Manager_Users_Guide_April04_2016.pdf</a></li> <li data-xf-list-type="ol">Enable auto-enrolment and renewal following this guide: <a href="https://technet.microsoft.com/en-us/library/cc731522(v=ws.11).aspx" target="_blank">Configure Certificate Autoenrollment</a> or <a href="http://windowsitpro.com/security/setting-certificate-autoenrollment-feature-windows-public-key-infrastructure" target="_blank">Setting Up the Certificate Autoenrollment Feature in a Windows Public Key Infrastructure</a></li> <li data-xf-list-type="ol">To connect remotely to the DC with your smart card, <u>you must</u> <strong>disable </strong>"Allow connections only from computers running Remote Desktop with Network Level Authentication" <strong>domain-wide/on the DC</strong>. Before you ask "is it safe", read this: <a href="https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2016/05/02/why-doesnt-nla-work-with-cross-domain-smart-card-authentication/" target="_blank">Why doesn’t NLA work with cross-domain smart card authentication?</a></li> <li data-xf-list-type="ol">Disconnect your Yubikey, restart the DC, and test your Yubikey (locally or via RDP)</li> </ol><p>Much more about smart cards here (the smart card deployment cookbook): <a href="https://technet.microsoft.com/en-us/library/dd277362.aspx" target="_blank">Smart Cards</a></p><p></p><p>Enjoy :)</p></blockquote><p></p>
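The following script is an added example for the post above; it is not part of the original post and not Yubico's or Microsoft's code. It applies and verifies the three local settings the guide calls out (boot menu for DSRM in step 3, the "Smart Card Removal Policy" service the author notes the Yubico guide omits, and the NLA requirement on the RDP listener in step 9), then checks that the enrolled user holds a certificate with the Smart Card Logon EKU. Registry paths, the service name SCPolicySvc and the EKU OID are standard Windows values; the ScRemoveOption meanings follow the "Interactive logon: Smart card removal behavior" security option. Run it in an elevated PowerShell on the domain controller.

```powershell
# Added example, not from the original post. Elevated PowerShell on the
# Windows Server 2016 DC. Every setting below is reported before it is changed.
#Requires -RunAsAdministrator

# Step 3: expose the boot menu so F8 / Directory Services Restore Mode is
# reachable if the smart card enforcement locks you out. Braces are quoted
# so PowerShell passes {bootmgr} through to bcdedit unchanged.
bcdedit /set '{bootmgr}' displaybootmenu yes

# Smart card removal behaviour. The security option "Interactive logon: Smart
# card removal behavior" is stored as ScRemoveOption under Winlogon:
# 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect RDP session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$scRemove = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
"ScRemoveOption = $scRemove (empty or 0 means the removal policy is not set)"

# The post's caveat: the policy is enforced by the "Smart Card Removal Policy"
# service (SCPolicySvc), which is Manual by default. Make it Automatic and start it.
Set-Service -Name SCPolicySvc -StartupType Automatic
Start-Service -Name SCPolicySvc
Get-Service -Name SCardSvr, SCPolicySvc | Format-Table Name, Status, StartType -AutoSize

# Step 9: smart card logon over RDP to the DC needs NLA turned off on the
# listener. UserAuthentication = 1 is "Allow connections only from computers
# running Remote Desktop with Network Level Authentication". This flips the
# local value; a domain GPO that enforces NLA would re-apply it, so set the
# policy domain-wide as the post says if you manage it through GPO.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 0
    "NLA requirement disabled on RDP-Tcp (UserAuthentication was $nla)"
} else {
    "NLA not required on RDP-Tcp (UserAuthentication = $nla)"
}

# Step 7 check, run as the enrolled user with the YubiKey inserted: the logon
# certificate must carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2)
# and not be expired, otherwise Kerberos PKINIT will reject the card.
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'
$logonCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $scLogonOid -and $_.NotAfter -gt (Get-Date) }
if (-not $logonCerts) {
    "No valid Smart Card Logon certificate found in the current user's store"
} else {
    $logonCerts | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-List
}

# Finally exercise the reader and the card itself; certutil prompts for the
# PIN and lists the certificates it can read from the inserted YubiKey.
certutil -scinfo
```

The certificate check is the quickest way to tell a template or autoenrollment problem (step 8) from a reader or middleware problem: if the certificate is listed with the right EKU but `certutil -scinfo` cannot read the card, the fault is on the YubiKey/PIV side; if the card reads fine but no certificate carries the Smart Card Logon EKU, go back to the template and enrollment steps.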