As I’ve mentioned in many previous articles, my work in our content development business frequently requires that I remotely access secure corporate networks of various partners and vendors as I write whitepapers for them or develop documentation, courseware, or other technical collateral they need. The most common method I’ve used for doing such remote work is to use virtual private networking (VPN) solutions business partners operate or recommend, and the Windows solution in this area called Always On VPN is becoming a favorite for many of these companies since support for the client-side of these technologies is included in the Windows 10 operating system. Well-known enterprise infrastructure and security expert Richard Hicks has previously walked us through how to deploy and configure Always On VPN in Windows 10 here at TechGenix.
But deploying a VPN solution by itself isn’t the be-all and end-all of making sure your remote employees or contractors can securely access your corporate network. Fortunately, multifactor authentication or MFA can help strengthen the security of your VPN solution by making it more difficult for malicious actors to impersonate legitimate users. For companies that use the Microsoft Azure cloud platform, there is Azure MFA, which Anderson Patricio, one of our TechGenix team of authors, has previously walked us through using to set up MFA for accessing the Azure portal. Another of our TechGenix authors, Lavanya Rathnam, has also written this step-by-step guide for us about using MFA for Office 365, which is a subset of Azure MFA, but it comes at no additional cost and you can manage it right from the Office 365 portal.
To ensure that remote work can be performed securely when accessing corporate resources over a VPN, I asked Richard to build upon his previous walkthrough by showing us step-by-step how Azure MFA can be integrated with Always On VPN in Windows 10. Richard is the founder and principal consultant of Richard M. Hicks Consulting and focuses on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional in the Cloud & Datacenter and Enterprise Security award categories and can be found on Twitter at @richardhicks.
Richard started by saying that there is a “crucial security risk” associated with remote access technologies because of the potential of lost or stolen credentials. “If an attacker can obtain valid credentials with authorization to connect remotely, they can easily gain network access to steal data or further compromise the network. Additional controls must be put in place to address this risk,” he said. I asked him to expand on this and describe the issues involved in integrating Azure MFA with Windows 10 Always On VPN, and he replied with a short bulleted list as follows:
Richard said next that NPS integration was the key step in getting Azure MFA set up with Windows 10 Always On VPN. “Azure MFA integrates easily with Always On VPN deployments, by installing an extension on existing NPS servers,” he said. He then described the following steps to install and configure the NPS extension for Azure MFA. First, you must download and install the NPS Extension like this:
Once the installation is complete, click Close:
Next, you must configure NPS Extension Certificates. The NPS Extension for Azure MFA uses certificates to secure communication between the NPS server and Azure. Before you begin, copy your Azure Active Directory tenant ID as it will be needed later. You can find the tenant ID by opening the Azure AD management console and clicking Properties:
Once complete, return to the NPS server and follow the steps below to complete the configuration.
To ensure everything will work properly, Richard recommends that you perform validation testing at this point in the process. “With the NPS Extension for Azure MFA installed,” says Richard, “VPN client connections will now require the user to accept the MFA prompt on their Authenticator application.”
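Alongside a test VPN connection, it is worth confirming on the NPS server that the certificate the extension uses to talk to Azure is present, has its private key, and is not close to expiring. The PowerShell below is an added example, not part of Richard's walkthrough. It assumes the certificate sits in the local computer's Personal store and carries the tenant ID in its subject; the function name `Test-NpsMfaCertificate` and the tenant ID shown are hypothetical placeholders.

```powershell
# Added example: health check for the NPS Extension certificate.
# Assumption: the certificate is in the local computer's Personal store
# and its subject contains the Azure AD tenant ID.
function Test-NpsMfaCertificate {
    [CmdletBinding()]
    param(
        # Tenant ID copied from the Azure AD Properties page.
        [Parameter(Mandatory)] [guid] $TenantId,
        # Flag certificates with fewer than this many days of validity left.
        [int] $WarnDays = 30,
        # Certificate store to search (assumed location, see above).
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $now   = Get-Date
    $found = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$TenantId*" }

    if (-not $found) {
        Write-Warning "No certificate for tenant $TenantId found in $StorePath."
        return
    }

    foreach ($cert in $found) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        # Report the most serious problem first.
        $status = if ($cert.NotBefore -gt $now)     { 'NotYetValid' }
                  elseif ($daysLeft -lt 0)          { 'Expired' }
                  elseif (-not $cert.HasPrivateKey) { 'NoPrivateKey' }
                  elseif ($daysLeft -lt $WarnDays)  { 'ExpiringSoon' }
                  else                              { 'OK' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Constructed placeholder tenant ID; replace it with your own.
Test-NpsMfaCertificate -TenantId '00000000-0000-0000-0000-000000000000'
```

Run it from an elevated PowerShell session on each NPS server that has the extension installed; any status other than `OK` should be resolved before relying on the MFA prompt for VPN logons.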
Richard finished off our time together by providing some additional information that is important to keep in mind when integrating Azure MFA with Always On VPN.
Featured image: Vector by Freepik