Windows Security

Secure your Windows infrastructure with the miniOrange server, which provides Single Sign-On and 2-factor authentication.

Windows Security - A complete guide to securing your Windows infrastructure

This guide introduces some of the key solutions the miniOrange Single Sign-On server provides to secure your Windows infrastructure: authenticating into connected applications once you are logged in to your Windows domain, adding a second factor of authentication when you access protected resources through a VPN or a Remote Desktop server, and so on.

In each of these cases LDAP plays a significant part, since it consolidates the identity information for an entire organization into one central repository. miniOrange provides a range of LDAP solutions: an LDAP Proxy/Gateway, support for multiple Active Directories as user stores, Active Directory sync with the miniOrange server, and more.

Let's look at each solution in detail.

I. Windows Authentication for SSO into connected applications hosted in the cloud or on-premise

You are logged in to your Windows system and want to log in to an application, say an on-premise app such as Application Server ABAP or a cloud app such as GSuite. Logging in to each application with the same credentials every single time is tedious; miniOrange can make it effortless.

miniOrange provides a solution that, once you are logged in to Windows, lets you single sign on into connected applications hosted both in the cloud and on-premise, provided the applications are configured within the domain for SSO. You can configure intranet portals and applications such as Google Apps and Office 365 to log you in automatically when you access them.

For this, miniOrange installs a component on the Windows Server that acts as an Identity Provider: it receives the authentication request from the application being accessed, authenticates the user against LDAP, and determines whether the user can be logged in to the app automatically.

Some of the use cases and solutions involving LDAP are listed here:

I. a. Desktop single sign-on using LDAP Gateway

miniOrange LDAP Gateway allows login to publicly or privately hosted sites using credentials stored in Active Directory, OpenLDAP and other LDAP servers. If the LDAP server is not reachable from the site, this module is used together with the miniOrange LDAP Gateway, which is deployed on a DMZ server in the intranet, so that the site talks to the gateway rather than to the directory itself.

​I. b. LDAP Proxy

An LDAP proxy acts as a middleware layer between the LDAP client, e.g. any CMS (WordPress, for example), and the LDAP directory server, e.g. Active Directory.

I. c. Support for multiple Active Directories as user stores for SSO

This lets you configure multiple Active Directories in miniOrange as authentication sources, and specify which Active Directory is used to authenticate into which application.

E.g. you can configure AD1, AD2, ..., ADN as authentication sources for your apps. With this, users in all of these directories are able to single sign on into all the apps.

I. d. Sync between an external LDAP directory and the miniOrange IdP

When miniOrange is configured as an Identity Provider and LDAP is configured as the user authentication store, users from LDAP can be synced to miniOrange.

If a user is created in miniOrange, the user can be created automatically in LDAP as well. In addition, you can schedule a sync between LDAP and miniOrange, e.g. a daily sync at a specified time.

A noteworthy use case: you have a set of applications you want to SSO into after logging in to Windows, and the user credentials are stored in the Active Directory that the machine belongs to. We install an IdP component on the Windows server that is responsible for SSO into the applications after Windows authentication. Users can also change their AD password in the miniOrange console, and the change is synced to AD. A directory sync tool, shipped alongside the LDAP gateway installed on the DMZ server in the intranet, takes care of syncing users from AD to miniOrange. If a user tries to access an application from outside the domain, they are prompted for their credentials before access is allowed.
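The check a gateway or proxy in the DMZ (I.a and I.b above) can apply before it forwards a client's bind to the directory, as an added example in Python that is not the miniOrange gateway's code: it decodes an LDAPv3 simple BindRequest from the wire (BER, RFC 4511), refuses anonymous and unauthenticated binds, refuses DNs outside the naming context the gateway serves, and answers the client with a BindResponse itself instead of forwarding. ALLOWED_BASE, the function names (handle_bind, gateway_decision), the diagnostic wording and every DN are assumptions made for the example; it runs offline with no directory behind it.

```python
"""Bind filter for an LDAP gateway/proxy in the DMZ. Added example, not the miniOrange gateway's code.
Parses an LDAPv3 simple BindRequest (RFC 4511 BER) and decides whether to forward it to the directory
or answer the client itself. Pure stdlib, runs offline; ALLOWED_BASE and every DN are constructed."""
from typing import Dict, Tuple

ALLOWED_BASE = "dc=example,dc=com"  # assumption: the only naming context this gateway serves
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(v: int) -> bytes:
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")  # minimal two's-complement, v >= 0

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); definite-length BER only."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    op = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + op)

def parse_bind_request(packet: bytes) -> Dict[str, object]:
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, op, _ = _read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x60:
        raise ValueError("not a BindRequest")  # a gateway forwards other operations only after a bind
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("only simple bind is handled here (SASL is [3])")
    return {"msg_id": int.from_bytes(mid, "big"), "version": version[0], "dn": name.decode(), "password": auth.decode()}

def encode_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN "", diagnosticMessage } }."""
    op = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode()))
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + op)

def gateway_decision(req: Dict[str, object]) -> Tuple[bool, str]:
    """Policy applied before the gateway touches the directory."""
    dn, password = str(req["dn"]), str(req["password"])
    if dn == "" and password == "":
        return False, "anonymous bind is not forwarded"
    if password == "":
        # RFC 4513 s5.1.2 "unauthenticated" bind: Active Directory answers success and treats the
        # session as anonymous, so an application that only checks for bind success would be fooled.
        return False, "unauthenticated bind (empty password) is not forwarded"
    if not dn.lower().endswith(ALLOWED_BASE):
        return False, "DN is outside the naming context this gateway serves"
    return True, "forward to the directory"

def handle_bind(packet: bytes) -> Tuple[bool, bytes]:
    """Returns (forward_to_directory, response_for_client); the response is empty when forwarding."""
    req = parse_bind_request(packet)
    forward, reason = gateway_decision(req)
    return (True, b"") if forward else (False, encode_bind_response(int(req["msg_id"]), INVALID_CREDENTIALS, reason))

if __name__ == "__main__":
    samples = [("cn=alice,ou=users,dc=example,dc=com", "S3cret!"), ("cn=alice,ou=users,dc=example,dc=com", ""),
               ("", ""), ("cn=bob,dc=other,dc=net", "x")]  # constructed
    for dn, pw in samples:
        forward, resp = handle_bind(encode_bind_request(1, dn, pw))
        print(f"{dn or '<anonymous>':40} forward={forward} reply={resp.hex() if resp else '-'}")
```

The unauthenticated-bind case is the one that matters most: Active Directory accepts a DN with an empty password and returns success for what is then an anonymous session, so a CMS that only checks whether the bind succeeded would log the user in. Rejecting it at the gateway protects every application behind it at once. A real gateway additionally needs the LDAPS/StartTLS handling and the forwarding socket, which this example leaves out.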

II. 2-Factor Authentication for VPN Login

If you use a Virtual Private Network (VPN) to let your users connect over a public network, security becomes a concern, since those users gain access to sensitive digital assets. miniOrange adds 2-factor authentication on top of the VPN's own authentication, so access to protected resources no longer depends on the VPN username and password alone.

miniOrange accomplishes this by acting as a RADIUS server: it accepts the username and password the user entered, carried in a RADIUS Access-Request, validates the user against the user store (such as Active Directory), prompts the user for the second factor, and grants or denies access based on the user's response.

The 2-factor flow takes one of two forms depending on the VPN client:

  1. VPN clients that support RADIUS Access-Challenge: the user enters username + password first; after the first factor is validated, the server returns a challenge for the second factor. (All authentication methods are supported: OTP over SMS, Google Authenticator, out-of-band email, etc.)
  2. VPN clients that do not support RADIUS Access-Challenge: the user enters username + password + 2FA code in one request for validation. (Supported methods: Google Authenticator, miniOrange Soft Token, etc.)

    Seen from the user, the two flows look like this:

    1. The user enters username + password and, once those are validated, is prompted for the 2-factor code on the next screen.
    2. The user is prompted for the 2-factor code on the initial login screen, together with username and password.

III. 2-Factor Authentication for Remote Desktop Services

When users connect over Remote Desktop Services, 2-factor authentication is essential to protect your business resources. Installing miniOrange 2-Factor Authentication for Windows Logon adds a second factor to Windows login attempts over RDP.

The 2-factor flow takes one of two forms depending on how the RemoteApp is launched:

  1. If the RemoteApp is launched through a Remote Desktop client application, users complete their second factor at the same time as they enter username and password to reach the resource. (This path has no Access-Challenge/response step, so only out-of-band authentication methods are supported.)
  2. If the desktop or RemoteApp is launched through the RD Web login page, the first authentication is done against the machine's AD, after which miniOrange challenges the user for the second factor via a RADIUS Access-Challenge. Once users authenticate correctly, they are connected to their resources.
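The RADIUS exchange behind the two VPN flows in section II and the RD Web flow in item 2 above, as an added example in Python that is not miniOrange's code: both sides of an RFC 2865 conversation, with the Access-Challenge round trip for clients that support it and the single-request variant for clients that do not. It runs offline; the shared secret, the dict standing in for the AD user store, the fixed OTP values and all function names (TwoFactorRadiusServer, login, make_demo_server) are constructed for the example, and the comma separating password and OTP in the single-request variant is an assumption (the real separator is a product setting).

```python
"""Both sides of a RADIUS (RFC 2865) two-factor login. Added example, not miniOrange's code; runs
offline with a constructed shared secret, a dict standing in for the AD user store and fixed OTPs."""
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
OTP_SEPARATOR = ","  # assumption for clients without challenge support; the real separator is a product setting
Attrs = List[Tuple[int, bytes]]

def password_xor(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hide else block)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")  # at least one block
    return password_xor(padded, secret, authenticator, True)

def _attr_bytes(attrs: Attrs) -> bytes:
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)  # Type, Length, Value

def encode_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = _attr_bytes(attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def decode_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    length, attrs, pos = int.from_bytes(pkt[2:4], "big"), [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

def build_response(code: int, ident: int, request_auth: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attr_bytes(attrs)
    auth = hashlib.md5(bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + request_auth + body + secret).digest()
    return encode_packet(code, ident, auth, attrs)

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    code, ident, auth, attrs = decode_packet(pkt)  # the client recomputes the authenticator it expects
    return secrets.compare_digest(auth, build_response(code, ident, request_auth, attrs, secret)[4:20])

class TwoFactorRadiusServer:
    def __init__(self, secret: bytes, users: Dict[str, str], otp_check: Callable[[str, str], bool]):
        self.secret, self.users, self.otp_check = secret, users, otp_check
        self.pending: Dict[bytes, str] = {}  # State token -> user who passed the first factor

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = decode_packet(pkt)
        a = dict(attrs)
        reply = lambda rc, msg: build_response(rc, ident, req_auth, [(REPLY_MESSAGE, msg.encode())], self.secret)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return reply(ACCESS_REJECT, "malformed request")
        user = a[USER_NAME].decode()
        entered = password_xor(a[USER_PASSWORD], self.secret, req_auth, False).rstrip(b"\x00").decode(errors="replace")
        if STATE in a:  # second leg of a challenge: User-Password now carries the OTP; State is single-use
            if self.pending.pop(a[STATE], None) == user and self.otp_check(user, entered):
                return reply(ACCESS_ACCEPT, "second factor accepted")
            return reply(ACCESS_REJECT, "second factor failed")
        password, otp = (entered.rsplit(OTP_SEPARATOR, 1) + [""])[:2]  # "pw,otp" from non-challenge clients
        if not password or user not in self.users or not secrets.compare_digest(self.users[user].encode(), password.encode()):
            return reply(ACCESS_REJECT, "first factor failed")  # stand-in for an AD bind; empty password never passes
        if otp:
            return reply(ACCESS_ACCEPT if self.otp_check(user, otp) else ACCESS_REJECT, "single-request 2FA")
        state = secrets.token_bytes(16)
        self.pending[state] = user
        return build_response(ACCESS_CHALLENGE, ident, req_auth, [(STATE, state), (REPLY_MESSAGE, b"Enter your OTP")], self.secret)

def access_request(secret: bytes, ident: int, username: str, password: str, state: Optional[bytes] = None):
    auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # echoed back unmodified (RFC 2865 s5.24)
    return encode_packet(ACCESS_REQUEST, ident, auth, attrs), auth

def _round_trip(server: TwoFactorRadiusServer, secret: bytes, req: bytes, auth: bytes):
    resp = server.handle(req)
    if not verify_response(resp, auth, secret):
        raise ValueError("response authenticator mismatch")
    return decode_packet(resp)

def login(server: TwoFactorRadiusServer, secret: bytes, username: str, password: str, otp: str, supports_challenge: bool) -> int:
    """Client side; returns the final RADIUS code. With challenge support the OTP goes in a second
    request that echoes State, otherwise it is appended to the password in the first request."""
    first = password if supports_challenge else password + OTP_SEPARATOR + otp
    code, _, _, attrs = _round_trip(server, secret, *access_request(secret, 1, username, first))
    if code != ACCESS_CHALLENGE:
        return code
    return _round_trip(server, secret, *access_request(secret, 2, username, otp, dict(attrs)[STATE]))[0]

def make_demo_server() -> Tuple[TwoFactorRadiusServer, bytes]:
    secret = b"constructed-shared-secret"
    users, otps = {"alice": "Winter2024!"}, {"alice": "492817"}  # constructed stand-ins for AD and the OTP check
    return TwoFactorRadiusServer(secret, users, lambda u, c: secrets.compare_digest(otps.get(u, "?").encode(), c.encode())), secret
```

Calling login(srv, secret, "alice", "Winter2024!", "492817", True) on the server from make_demo_server() walks the challenge flow (Access-Request, Access-Challenge with State, second Access-Request echoing State, Access-Accept); passing False instead sends "Winter2024!,492817" in one request. Two details are deliberate: the server refuses an empty password before it looks at the user store, so an unknown user with no password can never pass the first factor, and each State token is removed when it is consumed, so a captured Access-Challenge cannot be replayed once the OTP step has run. The client verifies the Response Authenticator on every reply, which is the only integrity protection RADIUS gives these messages over UDP.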