Two-Factor Authentication (2FA)

  • Question

  • Good afternoon,

     

    I was wondering if anybody incorporated Two-Factor Authentication (2FA) into their home server. There are several vendors that offer 2FA (http://www.cryptocard.com/solutions/ - is one of them).

    Maybe somebody can help me to develop a plug-in for it.

     

    Thanks

    Marcin

    Monday, May 11, 2009 11:06 PM

All replies

  • I'm not clear why you would want two factor authentication in a home product. Or were you planning to issue RSA tokens to your wife and children (if any)?

    In any case, I would be surprised if it's even possible to retrofit a 2FA solution to Windows Home Server. Too much of the product is designed around the standalone server (i.e. workgroup) security protocols built into Windows.

    I'm not on the WHS team, I just post a lot. :)
    Tuesday, May 12, 2009 4:21 PM
    Moderator
  • Ken,
    Marcin has already found what I'm about to talk about, but I just recently released an add-in for Windows Home Server that adds 2FA to the remote access website. I was also seeking in vain a solution for this and eventually just had to make my own. It is based around the inexpensive YubiKey hardware token, which my wife doesn't have a problem with carrying in her purse. Especially since it doesn't require copying information from a tiny LCD screen to operate.

    I'm also investigating integrating with a perfect paper passwords situation.

    When you turn on remote access for your home server you are essentially opening a gateway to the world to your home network. And I want access to this to be both based on something I have and something I know, even for a home product. Until we take every aspect of network security seriously, and make it easy to take seriously even for the layman, we will continue to have problems with phishing etc.

    Would you feel comfortable connecting to your home server from an internet cafe full of public terminals with who knows what on them? I can be more comfortable about that now, as my network is no longer a keylogger away from being utterly compromised.

    Anyway, my add-in is on CodePlex, if you, or anyone else, are interested. http://twofactorwhs.codeplex.com.

    On another note, I think WHS is actually seeing a lot of use in businesses that are too small to warrant SBS, and these may have a craving for stronger auth.
    Saturday, May 30, 2009 5:22 PM
  • Hm. Not bad. The only potential issue I see with your add-in is that Microsoft has, in the past, replaced the remote access web site as part of a patch or power pack. It's happened a couple of times and, since they don't consider the web site to be user customizable (other than the two XML files that you can use to add links of your own) they don't take modifications like this into account.

    What do you plan to do about other access, if anything?

    Oh, yes... "Only a keylogger away"? If I need to access my home server for any reason while I'm away from home, I use my own hardware to do so. If you're concerned about the security of your server from an internet cafe, just don't access it from public equipment. If you're really concerned, turn off the Remote Access web site.

    As for business use, I see Windows Home Server as having a place in some businesses right now. It's the cheapest centralized backup tool you'll find for workstations, at around $50-$75 per seat. The rest? It can provide central storage that everyone can access, yes. But the remote access web site isn't designed with business use in mind, and the media sharing features are likely to be considered, umm, "inappropriate" in a business environment. So outside of the backup capability I don't see it as a big win for anything other than a home-based microbusiness.
    I'm not on the WHS team, I just post a lot. :)
    Saturday, May 30, 2009 8:26 PM
    Moderator
  • Yes, my way of punching in isn't necessarily resilient to updates to the logon.aspx. I wish that the page itself was more abstracted from the authentication mechanism. But the way I've implemented it, I think, should be most resilient to the page code changing over time. If it becomes too much of a hassle to keep the solution working over updates to the system I may have to code up an alternate login page and update the web.config to use that page for authentication. 

    Anyway, my hope is that MS embraces 2FA with Home Server vNext anyway, and then this add-in would be unnecessary.

    By other access, what do you mean exactly? Access to the console? File share access?

    I wish I was in the habit of only having my own hardware with me all the time, but this is simply not the case. And sometimes I'd like to access my files from a place where I don't feel comfortable. Even logging on from a friend's computer makes me nervous, as I don't know how good their virus protection is. The point is that if everything used strong authentication then we wouldn't have to worry about this type of thing, but, hey, I'm one of those people that was never really bothered by excessive elevation prompts in Vista, as I recognized how many attack vectors they closed. And to me, having an additional authentication factor on top of my password is a lot less annoying than elevation prompts.

    My remote access website actually WAS turned off, until I had this addin ready. To my way of thinking, my data, although less financially valuable, deserves to be treated with the same amount of care to how a big corporation treats its data, that is, you should have to steal more than just a password to get at it. Is having a One Time Password of some type really so onerous that companies should be resisting adding an option for it to their products? 

    If Blizzard can add multi factor authentication to its video games to prevent theft of virtual property, I think we can start to take defending real property on our home servers more seriously. 

    I think that the value of WHS is more than just a cheap per-seat license. It's also a lot easier to manage than a full version of server. A typical small business may need some occasional help from IT consultants to run the thing, but a lot of the backup management and remote access management are so foolproof to operate that I think it has much more to recommend it than just low price. I recently set up a home server for my parents, and after they had been battling with endless products to help them back up their photos, with no success, WHS just worked, and they can manage it without my help! That's a killer product that deserves more publicity!
    Sunday, May 31, 2009 5:12 AM
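
The server-side second-factor check this thread discusses, sketched as an added example (it is not code from the add-in or from any poster): it parses a YubiKey one-time password, binds it to the token enrolled for the account, and refuses an OTP that has already been presented, which is what makes a keylogged login useless afterwards. It assumes the default 44-character Yubico OTP layout; `SecondFactorGate`, the `validate` callable standing in for the validation service, and the sample values are hypothetical.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"  # Yubico's layout-independent stand-in for 0-9a-f
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

def parse_otp(otp):
    """Return (public_id, encrypted_block) for a 44-character modhex OTP."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex OTP")
    # Assumption: default token layout, 12-character public ID + 16-byte block.
    return otp[:12], bytes.fromhex(otp[12:].translate(TO_HEX))

class SecondFactorGate:
    """Hypothetical login gate; reason strings are for the server log only."""

    def __init__(self, enrolled, validate):
        self.enrolled = enrolled  # username -> public ID of that user's token
        self.validate = validate  # callable(otp) -> bool, the validation service
        self.seen = set()         # OTPs already presented to this server

    def check(self, username, password_ok, otp):
        try:
            public_id, _ = parse_otp(otp)
        except ValueError:
            return "malformed"
        # A valid OTP from someone else's token must not unlock this account.
        if not hmac.compare_digest(public_id, self.enrolled.get(username, "")):
            return "wrong-token"
        otp = otp.strip().lower()
        if otp in self.seen:  # a captured OTP typed a second time
            return "replayed"
        self.seen.add(otp)
        if not self.validate(otp):
            return "rejected"
        return "ok" if password_ok else "bad-password"

# Constructed sample values, not output from a real token.
SAMPLE_ID = "ccccccbcgujh"
SAMPLE_OTP = SAMPLE_ID + MODHEX * 2

if __name__ == "__main__":
    gate = SecondFactorGate({"alice": SAMPLE_ID}, validate=lambda otp: True)
    for attempt in (SAMPLE_OTP, SAMPLE_OTP, "hunter2"):
        print(gate.check("alice", True, attempt))
```

The OTP is consumed even when the password is wrong, since it has been exposed to the terminal either way; the user-facing page should show one generic failure message regardless of the logged reason.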