Winlogon & RDP
The Protectimus Winlogon & RDP solution adds two-factor authentication to computers running Windows 7, 8, 8.1, 10, 11 and Windows Server 2012, 2016, 2019, 2022. It protects both local (console) logins and logins over RDP.
The solution also works when the computer is offline, thanks to a backup-code feature. When installing the component on a Windows computer, the administrator generates and saves a backup code. That code can then be entered instead of a one-time password to log into user accounts on this computer while it is offline.
You can learn more about the Protectimus two-factor authentication solution for Windows and RDP here.
See below for detailed instructions on setting up Windows two-factor authentication with Protectimus.
1. Get Registered and Configure Basic Settings
Register with the Protectimus Cloud Service and activate the API, or install the Protectimus On-Premise Platform.
2. Add Resource
Resources are used to logically group users and tokens and manage them easily.
Detailed instructions on adding resources are available here.
3. Configure Access Policies
- Go to the Resources page.
- Click on the name of your resource.
- Open the Winlogon tab.
- You will see the list of access policies. Configure the solution according to your requirements.
We strongly recommend you enable Automatic Registration of Users and Tokens.
When this feature is activated, the first time a user logs into their account they enter their usual Windows login and password, after which they are prompted to enroll a token. To enable Automatic Registration of Users and Tokens, tick the following options:
- Access for unregistered users;
- User auto-registration;
- Token auto-registration;
- And choose the type of tokens your users can enroll (Protectimus Mail, Protectimus SMS, or Protectimus SMART OTP).
PLEASE NOTE! You may choose different settings for logging into your Windows account directly or via RDP.
- Access accepted (activated by default)
Opens access to the computer. If this parameter is deactivated, access to the computer locally and/or over RDP will be completely disabled.
- Apply 2FA (activated by default)
Activate this parameter to enable two-factor authentication when logging into your Windows account locally and/or over RDP. If this option is deactivated, a one-time password will not be requested.
- Access for unregistered users
- This parameter allows you to enable two-factor authentication only for selected users. For example, one computer is used by 3 people – John, Adam, and Michael – but you want a one-time password to be requested only when logging in to Adam’s account. To do this, create only one user (Adam) in the Protectimus service and activate the “Access for unregistered users” parameter so that the other users (John and Michael) log in without two-factor authentication.
- If this parameter is deactivated, the auto-registration of users and tokens is impossible.
- If this parameter is deactivated, only users registered in the Protectimus service and assigned to your resource will be able to login to their accounts.
- Single Factor Access
If this parameter is enabled, users without tokens assigned to the current resource can log in to their Windows accounts without one-time passwords.
- User auto-registration
If this parameter is enabled, the first time the users log into their accounts, they will be automatically registered in the Protectimus service and will be assigned to the current resource.
- Token auto-registration
If this parameter is enabled, the first time the users log into their accounts, they will need to enroll a token. The type of token that will be available to the users should be selected in the “Token Type” field.
- Token Type
In this field, you must select the type of token that will be available to the users during token auto-registration.
- Access by IP addresses
If you enable this option and add a list of allowed IP addresses below, users logging in from those trusted addresses will not be prompted for a one-time password. Treat this as a deliberate exception: anyone who can reach the computer from a listed address logs in with a password alone, so keep the list to known management networks rather than broad ranges.
- Allowed IP addresses
If you have activated access by IP addresses, add the list of trusted IP addresses from which logins will not require a one-time password.
To use hardware OTP tokens or enable OTP delivery via chatbots in messaging apps:
- Add Users manually.
ATTENTION! The user login in the Protectimus service must match the Windows username. Before creating a user, make sure that the Windows username contains only Latin letters, digits and the following symbols: _ - ~ ! # . $ (spaces and any other symbols are not allowed).
When you add two-factor authentication to a local Windows user account, the user's login in the Protectimus service must be identical to the Windows username. For example, if the Windows username is John-Doe, add a user with the login John-Doe in the Protectimus service.
When you add users from Active Directory, their logins in the Protectimus service must have the form login@domain, where login is the username in Active Directory and domain is your corporate domain. For example, if the Active Directory username is John-Doe and the corporate domain is google.com, add a user with the login John-Doe@google.com in the Protectimus service.
- Add Tokens manually.
- Assign Tokens to Users.
- Assign Tokens with Users to a Resource.
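The username rules above are easy to get wrong in bulk, and a mismatch means the user is simply treated as unregistered. The following PowerShell script is an added example, not part of the Protectimus documentation or product: it derives the Protectimus login from a Windows account name (plain name for local accounts, login@domain for Active Directory accounts) and rejects names containing characters outside the allowed set quoted above. The function name, its parameters and the use of the local-account listing are this example's own choices.

```powershell
# Added example (not Protectimus code). Derives the Protectimus login for a Windows
# account and validates it against the character set given in the documentation:
# Latin letters, digits and _ - ~ ! # . $ ; spaces and anything else are rejected.
function Get-ProtectimusLogin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WindowsUserName,
        # Corporate AD domain (e.g. $env:USERDNSDOMAIN on a domain-joined host).
        # Leave empty for a local account, which maps 1:1 to the Windows username.
        [string]$Domain
    )

    # Single-quoted so PowerShell does not interpolate '$'; inside the character
    # class '.' and '$' are literal and '-' is escaped.
    if ($WindowsUserName -notmatch '^[A-Za-z0-9_\-~!#.$]+$') {
        throw "Windows username '$WindowsUserName' contains characters Protectimus does not accept " +
              '(allowed: Latin letters, digits and _ - ~ ! # . $; no spaces).'
    }

    if ([string]::IsNullOrEmpty($Domain)) {
        return $WindowsUserName            # local account: John-Doe -> John-Doe
    }
    return "$WindowsUserName@$Domain"      # AD account:    John-Doe -> John-Doe@google.com
}

# Worked values from the documentation's own examples:
Get-ProtectimusLogin -WindowsUserName 'John-Doe'                        # John-Doe
Get-ProtectimusLogin -WindowsUserName 'John-Doe' -Domain 'google.com'   # John-Doe@google.com

# Pre-installation check: list every enabled local account on this machine with the
# login it would need in Protectimus, flagging names that must be renamed first.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $name = $_.Name   # capture before try/catch, where $_ becomes the error record
    try {
        [pscustomobject]@{ Windows = $name; Protectimus = (Get-ProtectimusLogin -WindowsUserName $name); Status = 'OK' }
    } catch {
        [pscustomobject]@{ Windows = $name; Protectimus = $null; Status = $_.Exception.Message }
    }
} | Format-Table -AutoSize
```

Run it on the target computer before creating users in the Protectimus service; any row whose Status is not OK (for example a username containing a space) must be renamed in Windows first, otherwise that account will be handled as an unregistered user by the access policies described above.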
4. Install Protectimus Winlogon
- Download the Protectimus Winlogon installer here.
- Run the installer as administrator.
- You will see a welcome screen, click Next to continue.
- Read the license agreement, tick I accept the license and click Next to continue.
- Enter API URL, Login, and API Key and click LogIn.
These parameters stand for:
- API URL – the address of the API endpoint. If you use the SaaS service, the API URL is https://api.protectimus.com/. In the case of the On-Premise Platform, the API URL is the address of the server where the Platform is running (for example, http://localhost:8443).
- Login – the login of your account, the same as for signing in.
- API Key – you’ll find it in your profile. To access a profile, click the user’s login in the top right corner of the interface, and choose the “Profile” entry from the drop-down list.
- Resource ID. Choose the Resource you’ve created before the installation. After that click Next to continue.
If you haven’t added the resource yet, add it now. Click Add Resource and enter any Resource Name you wish.
- Configure group settings, if necessary. You can enable 2FA for the Built-in Administrator or for a group of users. By default, two-factor authentication is applied to all accounts on this computer except the Built-in Administrator. Keep in mind that this default leaves the most privileged local account protected by its password alone; if the Built-in Administrator account is enabled on the machine, consider including it here.
- Save the backup code in a safe place. Your users need this code to log into Windows accounts if there is no internet connection. The same backup code will work for all accounts on this computer.
ATTENTION! When the user logs in to the system with this backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.
- Everything is ready for the installation. Click Install.
PLEASE NOTE! At this stage you may create an MSI file for deploying Protectimus Winlogon through a GPO.
- After the installation is completed, click OK. The next time you start the computer, the two-factor authentication will be on.
5. How to Enable Access Over RDP
PLEASE NOTE! Until you do the following, access to the computer via RDP will be denied.
- Go to the Resources page, click on the name of your Resource and move to the Winlogon tab.
- Activate the parameter Access accepted for RDP. On its own, this parameter allows access to the computer via RDP with the Windows password only, without two-factor authentication.
- To require two-factor authentication for RDP logins, additionally activate the Apply 2FA parameter for RDP. Do not leave Access accepted enabled for RDP without Apply 2FA unless you intend RDP to be single-factor.
6. Backup codes for offline access
For the Protectimus two-factor authentication system to work normally, the computer must be connected to the Internet.
For emergencies, when the user is unable to connect to the Internet, it is possible to log into the account using a backup code instead of a one-time password.
The first backup code is issued when installing the component. It is valid for all accounts registered on this computer and can be used only once. ATTENTION! When a user logs in with the backup code, a new code is generated and shown to that user; it must be saved and used the next time someone logs into an account on this computer in offline mode. The new backup code is likewise valid for all user accounts registered on this computer, so treat it with the same care as a shared password.
How to Reissue a Backup Code
If the users lose the backup code for some reason, they can obtain a new one while they are online. This requires a special utility, which your chief Protectimus account administrator should request at [email protected].
To use the utility software:
- Sign in to your Windows account.
- Download and run the utility software.
- Press CTRL + ALT + DEL
- Save your new backup code.
7. Logs and Errors
If something goes wrong, there are several places to check. First, look at the Windows Application log (Event Viewer -> Windows Logs -> Application).
The Protectimus On-Premise Platform logs could be found in the PLATFORM_DIR and TOMCAT_HOME/logs directories.
Also, visit the Events page in the Protectimus Platform and you will see related information.
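The following PowerShell script is an added troubleshooting example, not part of the Protectimus documentation or product. It runs the three checks a first responder would want on a machine where Winlogon 2FA is misbehaving: whether the component is installed, whether the API endpoint the installer was pointed at is reachable (if it is not, only the backup code will work), and what the Application log has recorded recently. The page says only that the component logs to Windows Logs -> Application, so the filter on events mentioning "Protectimus" is an assumption, as is the parameter layout of the script.

```powershell
# Added example (not Protectimus code): quick health check for a Protectimus Winlogon host.
param(
    # API URL from the installer step; use your Platform address for on-premise.
    [string]$ApiUrl = 'https://api.protectimus.com/',
    # How far back to look in the Application log.
    [int]$Hours = 24
)

# 1. Is the component installed? The uninstall entry is named "Protectimus Winlogon".
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Protectimus*' }
if ($installed) { "Installed: $($installed.DisplayName -join ', ')" } else { Write-Warning 'Protectimus Winlogon is not installed' }

# 2. Can this host reach the API? Without it, logins fall back to the backup code.
$uri  = [uri]$ApiUrl
$port = if ($uri.Port -gt 0) { $uri.Port } else { 443 }   # [uri] fills in 443 for https, 8443 if given
$tcp  = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "No TCP connection to $($uri.Host):$port - users will need the backup code to log in"
} else {
    try {
        # Any HTTP answer proves routing and TLS work; we only care about the status code.
        $resp = Invoke-WebRequest -Uri $ApiUrl -UseBasicParsing -TimeoutSec 10
        "API endpoint answered HTTP $($resp.StatusCode)"
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; a 4xx from a reachable endpoint is still "online".
        $code = $_.Exception.Response.StatusCode.value__
        "API endpoint answered HTTP $code ($($_.Exception.Message))"
    }
}

# 3. Recent Application-log entries that mention the component (assumed filter).
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Protectimus*' -or $_.Message -like '*Protectimus*' } |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```

Run it from an elevated PowerShell session on the affected computer (for example `.\Check-Winlogon2FA.ps1 -ApiUrl 'http://localhost:8443' -Hours 48` against an on-premise Platform). A failed TCP test together with users being locked out points to connectivity rather than to the component; in that case the backup code from section 6 is the way in.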
If you can no longer access your Windows user account, boot into Safe Mode and remove the Protectimus Winlogon component:
- Go to the Windows Uninstall or Change a Program menu, find the program Protectimus Winlogon and click Uninstall.
- Confirm that you really want to remove the program.
- You will see a dialog box that notifies you of the successful uninstallation of the program. Click OK to complete the process.
Last updated on 2022-04-19