> Winlogon & RDP 2FA

Winlogon & RDP 2FA

 
The Protectimus Windows logon & RDP 2FA solution adds two-factor authentication (2FA / MFA) to protect access to computers running:
  • Windows 7;
  • Windows 8;
  • Windows 8.1;
  • Windows 10;
  • Windows 11;
  • Windows Server 2012;
  • Windows Server 2016;
  • Windows Server 2019;
  • Windows Server 2022.
It protects access to the Windows PCs with 2FA both locally (Windows logon) and via RDP (Remote Desctop Protocol).

The Windows 2FA solution will work even when the computer is offline due to a backup feature. When installing the 2FA component on a Windows computer, the administrator can generate and save a backup code. Then it’s possible to use it instead of a one-time password to log into the user accounts on this computer in offline mode.

You can learn more about the Protectimus two-factor authetication (2FA) solution for Windows and RDP here.

See below for detailed instructions on setting up Windows two-factor authentication with Protectimus.

1. Get Registered and Configure Basic Settings

Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.

2. Add Resource

Resources are used to logically group users and tokens and manage them easily.

Detailed instructions on adding resources are availabe here.

3. Configure Access Policies

  1. Go to the Resources page.
Protectimus Winlogon setup - go to the Resources page  
  1. Click on the name of your resource.
Protectimus Winlogon setup - click the Resource name  
  1. Open the Winlogon tab.
Protectimus Winlogon setup - Winlogon tab  
  1. You will see the list of access policies. Configure the solution according to your requirements.

    We strongly recommend you enable Automatic Registration of Users and Tokens.

    When this feature is activated, the first time your user logs into their account, they will need to enter their usual Windows login, password, and after that, they will have to enroll a token. To enable Automatic Registration of Users and Tokens, tick the next points:
    • Access for unregistered users;
    • User auto-registration;
    • Token auto-registration;
    • And choose the type of tokens your users can enroll (Protectimus Mail, Protectimus SMS, or Protectimus SMART OTP).
Protectimus Winlogon setup - Winlogon tab settings  
PLEASE NOTE! You may choose different settings for logging into your Windows account directly or via RDP.
  1. Access accepted (activated by default)
    Opens access to the computer. If this parameter is deactivated, access to the computer locally and/or over RDP will be completely disabled.
  2. Apply 2FA (activated by default)
    Activate this parameter to enable two-factor authentication when logging into your Windows account locally and/or over RDP. If this option is deactivated, a one-time password will not be requested.
  3. Access for unregistered users
    • This parameter allows you to enable two-factor authentication only for selected users. For example, one computer is used by 3 people – John, Adam, and Michael – but you want a one-time password to be requested only when logging in to Adam’s account. To do this, create only one user (Adam) in the Protectimus service and activate the “Access for unregistered users” parameter so that the other users (John and Michael) log in without two-factor authentication.
    • If this parameter is deactivated, the auto-registration of users and tokens is impossible.
    • If this parameter is deactivated, only users registered in the Protectimus service and assigned to your resource will be able to login to their accounts.
  4. Single Factor Access
    If this parameter is enabled, users without tokens assigned to the current resource can log in to their Windows accounts without one-time passwords.
  5. User auto-registration
    If this parameter is enabled, the first time the users log into their accounts, they will be automatically registered in the Protectimus service and will be assigned to the current resource.
  6. Token auto-registration
    If this parameter is enabled, the first time the users log into their accounts, they will need to enroll a token. The type of token that will be available to the users should be selected in the “Token Type” field.
  7. Token Type
    In this field, you must select the type of token that will be available to the users during token auto-registration.
  8. Access by IP addresses
    If you enable this option and add the list of allowed IP addresses below, then when logging in from trusted IP addresses, users will not be prompted for the one-time passwords.
  9. Allowed IP addresses
    If you have activated access by IP addresses, add a list of trusted IP addresses when entering from which a one-time password will not be requested.
 
PLEASE NOTE!

To use hardware OTP tokens or enable OTP delivery via chatbots in messaging apps:
  1. Add Users manually.

    ATTENTION! The user login in the Protectimus service must match the Windows username. Before creating a user, make sure that your Windows username contains only Latin characters, numbers and the following symbols: _-∽!#.$.. Spaces and any other symbols are not allowed.

    When you add 2-factor authentication to your local user account in Windows, your user’s login in Protectimus service must be identical to your username in Windows. For example, if your Windows username is John-Doe, then in the Protectimus service, you need to add a user with the John-Doe login.

    When you add users from Active Directory your users’ logins in Protectimus service must have the form [email protected], where login is the username in Active Directory, and domain is your corporate domain. For example, if the username in Active Directory is John-Doe and the corporate domain is google.com, then in the Protectimus service, you need to add a user with the [email protected] login.

  2. Add Tokens manually.
  3. Assign Tokens to Users.
  4. Assign Tokens with Users to a Resource.

4. Install Protectimus Winlogon

  1. Download the Protectimus Winlogon installer here.
  2. Run the installer as administrator.
Protectimus OWA two-factor authentication component installation - run the intaller as administrator  
  1.  You will see a welcome screen, click Next to continue.
Protectimus Winlogon setup - step 1  
  1. Read the license agreement, tick I accept the license and click Next to continue.
Protectimus Winlogon setup - step 2 (License Agreement)  
  1. Enter API URL, Login, and API Key and click LogIn.

    These parameters stand for:
    • API URL – an address of the API endpoint. If you use SAAS Service API URL is https://api.protectimus.com/. In the case of the on-premise Platform, API URL is a server address, where the Platform is running (for example, http://localhost:8443).
    • Login – the login of your account, the same as for signing in.
    • API Key – you’ll find it in your profile. To access a profile, click the user’s login in the top right corner of the interface, and choose the “Profile” entry from the drop-down list.
Protectimus Winlogon setup - step 3 (Login)  
  1. Resource ID. Choose the Resource you’ve created before the installation. After that click Next to continue.
If you haven’t added the resource yet, add it now. Click Add Resource and enter any Resource Name you wish.
Protectimus Winlogon setup - step 4 (Resource ID)  
  1. Configure group settings, if necessary. You can enable 2FA for the Built-in Administrator or for a group of users. By default, two-factor authentication will be applied to all accounts on this computer except the Built-in Administrator.
Protectimus Winlogon setup - step 5 (2FA Policy)  
  1. Save the backup code in a safe place. Your users need this code to log into Windows accounts if there is no internet connection. The same backup code will work for all accounts on this computer.
ATTENTION! When the user logs in to the system with this backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.
Protectimus Winlogon setup - step 6 (Backup Code)  
  1. Everything is ready for the installation. Click Install.
PLEASE NOTE! On this stage you may create an MSI file for deploying Protectimus Winlogon through a GPO.
Protectimus Winlogon setup - step 7 (Ready to Install)  
  1. After the installation is completed, click OK. The next time you start the computer, the two-factor authentication will be on.
Protectimus Winlogon setup - step 8 (The istallation was successful)

5. How to Enable Access Over RDP

PLEASE NOTE! Until you do the following, access to the computer via RDP will be denied.
  1. Go to the Resources page, click on the name of your Resource and move to the Winlogon tab.
  2. Activate the parameter Access accepted for RDP. Activating this parameter allows access to the computer via RDP without two-factor authentication.
Protectimus Winlogon setup - access over RDP  
  1. To enable two-factor authentication when requesting access via RDP, additionally, activate the Apply 2FA parameter for RDP.
Protectimus Winlogon setup - access over RDP with 2FA

6. Backup codes for offline access

For the Protectimus two-factor authentication system to work normally, the computer must be connected to the Internet.

For emergencies, when the user is unable to connect to the Internet, it is possible to log into the account using a backup code instead of a one-time password.

The first backup code is issued when installing the component. Please, note that this code is valid for all accounts registered on this computer. It can be used one time, then a new code will be generated and shown to the user. A new backup code will also be valid for all user accounts registered on this computer.

ATTENTION! When the user logs in to the system with the backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.
Protectimus Winlogon setup - step 6 (Backup Code)

How to Reissue a Backup Code

If the users lose the backup code for some reason, they can release a new backup code when they are online. This requires a special utility software, which your chief Protectimus account administrator should request at [email protected].

To use the utility software:
  • Sign in to your Windows account.
  • Download and run the utility software.
  • Press CTRL + ALT + DEL
  • Save your new backup code.

7. Logs and Errors

In case of some errors, you have several points to check what’s going on. First of all, you can check System’s logs on Windows (Event Viewer -> Windows Logs -> Application).

The Protectimus On-Premise Platform logs could be found in the PLATFORM_DIR and TOMCAT_HOME/logs directories.

Also, visit the Events page in the Protectimus Platform and you will see related information.

8. Uninstalling

If there is no access to your Windows user account, you can disable the Protectimus Winlogon app in Safe Mode.
  1. Go to the Windows Uninstall or Change a Program menu, find the program Protectimus Winlogon and click Uninstall.
  2. Confirm that you really want to remove the program.
  3. You will see a dialog box that notifies you of the successful uninstallation of the program. Click OK to complete the process.
Last updated on 2022-09-15