PhoneFactor is free for up to 25 users and reasonably priced after that. The beauty of PhoneFactor is that it utilizes something users already have – a mobile phone – as a token rather than a proprietary device.

PhoneFactor Agent, the software behind the service, acts as a RADIUS server for authentication to network resources such as a VPN. When a user attempts authentication, he will still first be prompted for a user name and password. After he enters those details, the service will place a call to his phone and require the user to answer the call and press the “#” button. Once this is completed, the user is successfully authenticated.

In this tutorial we will install the Agent on Windows Server 2008 R2, integrate with Active Directory, link a few user accounts, and set up a RADIUS server.

Getting started

You can download the PhoneFactor Agent after registering here. You will need a mobile phone to register since PhoneFactor utilizes their own system on their customer portal. Run the installer and launch the PhoneFactor Agent. You will be greeted by the Authentication Configuration Wizard, where you can:

• Enable replication between agents: Allows you to replicate data between multiple installations. Since we are only installing it on one server, do not check.
• Select Applications: You can apply PhoneFactor to a variety of applications, including Citrix, Outlook Web Access, and Remote Desktop. For our purposes, we will only choose VPN.
• VPN with Radius: Specify your VPN server IP address as well as a strong shared secret between the VPN server and PhoneFactor. Leave the default port options as-is.
• VPN Target: Since we want to authenticate against a Windows domain, we will choose Windows domain. However you can also use another RADIUS server (some firewalls have built-in RADIUS servers, so you can redirect back to the firewall).

Phonefactor Agent Configuration

Click Finish and let PhoneFactor do its magic. Once the setup is complete, you can begin using the Agent.

Locking down PhoneFactor

By default, PhoneFactor will allow any user who successfully authenticates against AD to sign in – if no user is defined (and no phone number is linked), it will just authenticate the user. In most cases, you would not want this to happen. Navigate to Company Setup and choose “Fail Authentication” when user is disabled.

Fail authentication

We will also want to specify a default search domain for AD users. Choose the “Username Resolution” tab and specify a default search domain for the option “Use Windows security identifiers (SIDs) for matching usernames.”

Security identifiers (SIDs)

Finally, if your Active Directory user account setup is non-standard, you should navigate to Directory Integration and confirm in the “Filters” and “Attributes” tabs that the data fields you wish to use are the ones that PhoneFactor will use. Most administrators will not need to do this.

Directory Integration

Adding users

Now we can begin adding users to our PhoneFactor implementation. Because of our previous setup, only users who have been added to PhoneFactor with a phone number defined will be able to authenticate successfully against AD. After all, not all users will require remote access. Navigate to the Users section and click “Import from Active Directory.”

This powerful interface allows you to select users by OU or filter terms. You can import all users at once – which is not advisable – or specify which ones to import in a granular fashion. The users you have selected will appear in the window on the right. You will notice that by default, “Only New Users with Phone Numbers” are enabled. This is the behavior you want, since users without a phone number will authenticate using only their AD credentials. Once you are ready, click “Import.”

Import users

In many cases, you will not have defined phone numbers yet for your users in Active Directory. This is OK; you will just need to do so now for each authorized user. Double-click the user, then define a phone number and enable the user.

Phone number – Enable user

Finally, you will see your newly-enabled user in the users listing. Once you have defined all of your users, you will need to configure your VPN server to authenticate using RADIUS.

User listing

VPN Server Configuration with PhoneFactor RADIUS

Since there are so many VPN servers out there, we will focus on a few general tips for setting this up. You will typically need to provide:

• PhoneFactor Agent IP
• PhoneFactor Agent Ports: Typically, 1645,1812 for authentication and 1646,1813 for accounting. Make sure the firewall on your Agent server does not block this traffic
• Shared Secret: This is the secret you had defined in the wizard and it should be strong since it will serve as a barrier between your VPN server and the RADIUS server.
• Timeout: Make sure you set a fairly high timeout value; by default, most VPN servers do not give you a lot of time to authenticate because the RADIUS server is local to the network and does not take long to perform the lookup. However, since PhoneFactor takes about 3-5 seconds to place the call, and the user can take anywhere from 2-20 seconds to actually respond, I would recommend a timeout of at least 30 seconds.

That’s it! Though PhoneFactor offers more powerful features (especially in paid versions), you are already set up and ready to authenticate. For small businesses with fewer than 25 users, PhoneFactor is a free and easy to implement two-factor authentication solution. Give it a try today!

PhoneFactor

• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)
• Raffle: SetACL Studio – Set Windows permissions (1)

iptables is a tool for packet filtering and NAT. You can use it to setup a firewall with shell scripts. A shell script with just a few lines is enough to block an IP address attempting to establish too many connection within a certain time frame.

PAM (Pluggable Authentication Modules) is an API used by many Unix systems for authentication. Marius described how to use PAM to block the IP address of an attacker after three failed logon attempts on a ssh server.

fail2ban can be used to update firewall rules based on log files scans. Marius demonstrated how to secure an ssh server with fail2ban using iptables.

The last two options are certainly more sophisticated than the mere iptables solution. Unfortunately, it takes more time to configure them as you might have to install the tools first.

My favorite solution is fail2ban since you can use it with almost any application, plus there are packages for most Linux distributions. PAM is more difficult to setup as you probably will have to install it from sources.

Marius described the installation and configuration of all three options in detail:

Using iptables to Block Brute Force Attacks Using PAM to Block Brute Force Attacks Using fail2ban to Block Brute Force Attacks

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to configure TMG for SSL Client Certificate Authentication (0)
• Using TMG, one-time passwords and Kerberos Constrained Delegation (2)
• How to use Kerberos Constrained Delegation with Forefront TMG (0)
• Secure your Exchange 2010 Server with Forefront TMG – Part 2 (0)