
Business-Grade Windows 10 Multi Factor Options

aubryscully

Hey guys, the place I work at has approximately 3500 Windows 10 boxes. They are all linked through AD as well as SCCM. We are planning on implementing Bitlocker on all of them soon. We are wanting to deploy some form of Multi Factor Authentication for the Windows login. Ideally, a user would need to type in a PIN, Use Windows Hello for Business to do a face scan or fingerprint scan, and also either insert something like a Yubikey or press a button on their smartphone (like Duo) in order to be logged into Windows. After looking around for a bit, I am a bit lost as there seems to be nothing out there that would do what we are wanting. Is there anything that yall are aware of that I should be looking into? Thanks.

 

@leadeater Any thoughts? 

Main Rig: i7-4790 | GTX 1080 | 32GB RAM

Laptop: 2016 Macbook Pro 15" w/ i7-6820HQ, RX 455, 16GB RAM

Others: Apple iPhone XS, ATH-M50X, Airpods, SE215


https://technet.microsoft.com/en-us/library/dd277362.aspx

 

http://www.infosecisland.com/blogview/23657-Smart-Card-Logon-The-Good-the-Bad-and-the-Ugly.html

 

They use that in a banking company here in the Netherlands. You have to type your password and put the card in.

PC: Case: Cooler Master CM690 II - PSU: Cooler Master G650M - RAM: Transcend 4x 8Gb DDR3 1333Mhz - MoBo: Gigabyte Z87x-D3H - CPU: i5 4670K @ 4.5Ghz - GPU: MSI GTX1060 ARMOR OC - Hard disks: 4x 500Gb Seagate enterprise in RAID 0 - SSD: Crucial M4 128Gb

Phone: Samsung Galaxy S6


If your W10 machines have a TPM, then you can definitely make use of BitLocker - you can still use it if not, it will just require a flash drive, which isn't exactly ideal - with the option for PINs on startup (IIRC it can be configured to only ask for the PIN if it's not connected to your domain, or on every startup) with the recovery keys and such being backed up to your AD (this has to be configured through your AD and with group policies).

 


 

The following should have everything you need: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview 
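The TPM + startup PIN setup described above, with the recovery password escrowed to AD as later posts mention, as an added PowerShell example (not code from any poster or from Microsoft's docs). It assumes an elevated session on a domain-joined Windows 10 machine, that the OS drive is not yet encrypted, and that group policy ("Require additional authentication at startup") already allows a TPM startup PIN and AD DS recovery backup.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker with TPM + PIN and back up the recovery
# password to Active Directory. Assumes an elevated session on a domain-joined
# Windows 10 box whose GPO allows a TPM startup PIN and AD DS key escrow.

$osDrive = $env:SystemDrive   # normally "C:"

# 1. A TPM+PIN protector needs a present, ready TPM; without one BitLocker
#    falls back to a USB startup key, which the post above calls "not ideal".
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready on this machine; cannot use a TPM+PIN protector."
}

# 2. Refuse to proceed if the drive is already protected (Enable-BitLocker
#    cannot be run twice on the same volume).
$before = Get-BitLockerVolume -MountPoint $osDrive
if ($before.VolumeStatus -ne 'FullyDecrypted') {
    throw "$osDrive is already $($before.VolumeStatus); nothing to do."
}

# 3. Collect the startup PIN as a SecureString so it is never written to disk.
$pin = Read-Host -AsSecureString -Prompt "Enter the BitLocker startup PIN"

# 4. Turn BitLocker on with the TPM+PIN protector. UsedSpaceOnly keeps the
#    initial encryption short on fresh installs; SkipHardwareTest avoids the
#    extra reboot that checks the pre-boot environment.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -SkipHardwareTest -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Add a 48-digit recovery password so the helpdesk can unlock the drive
#    when a user forgets the PIN or the TPM is cleared.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# 6. Escrow that recovery password to AD DS (the domain-side GPO must permit it).
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# 7. Show what was configured so the result can be checked before rollout.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Confirm the escrow from a domain controller by opening the computer object's BitLocker Recovery tab (needs the BitLocker Recovery Password Viewer feature) before trusting the process at scale.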


10 hours ago, aubryscully said:

Hey guys, the place I work at has approximately 3500 Windows 10 boxes. They are all linked through AD as well as SCCM. We are planning on implementing Bitlocker on all of them soon. We are wanting to deploy some form of Multi Factor Authentication for the Windows login. Ideally, a user would need to type in a PIN, Use Windows Hello for Business to do a face scan or fingerprint scan, and also either insert something like a Yubikey or press a button on their smartphone (like Duo) in order to be logged into Windows. After looking around for a bit, I am a bit lost as there seems to be nothing out there that would do what we are wanting. Is there anything that yall are aware of that I should be looking into? Thanks.

 

@leadeater Any thoughts? 

Not sure what BitLocker is like now but we tried it around 2012 ish and it was utter shit. I know a few things have changed to improve it but make sure you do some really good testing, particularly idiot testing (I forgot everything, now my laptop is locked).


7 hours ago, leadeater said:

Not sure what BitLocker is like now but we tried it around 2012 ish and it was utter shit. I know a few things have changed to improve it but make sure you do some really good testing, particularly idiot testing (I forgot everything, now my laptop is locked).

The sysadmins have backup codes with which they can reset the BitLocker.


3 hours ago, LUUD18 said:

The sysadmins have backup codes with which they can reset the BitLocker.

Early BitLocker backup codes were clunky to use and unreliable, and how it was done differed depending on which method you chose; TPM chips fixed most of these problems. It was 100% possible to not be able to unlock a device back then and very easy to get in that situation, that is why we didn't implement it at the time.


12 hours ago, leadeater said:

Not sure what BitLocker is like now but we tried it around 2012 ish and it was utter shit. I know a few things have changed to improve it but make sure you do some really good testing, particularly idiot testing (I forgot everything, now my laptop is locked).

 

2 hours ago, leadeater said:

Early BitLocker backup codes were clunky to use and unreliable, and how it was done differed depending on which method you chose; TPM chips fixed most of these problems. It was 100% possible to not be able to unlock a device back then and very easy to get in that situation, that is why we didn't implement it at the time.

Recovery keys can be backed up automatically to your AD, and I think we actually store their PIN in there somewhere too.


@leadeater @LUUD18 @AUniqueName Do yall have any experience/thoughts on Sophos SafeGuard Encryption?


1 minute ago, aubryscully said:

@leadeater @LUUD18 @AUniqueName Do yall have any experience/thoughts on Sophos SafeGuard Encryption?

Nope.

 

Also, are you looking to secure the networking side of things too? If so, have a look into implementing RADIUS/Wired Auth/802.1x as well so computers or network devices don't get full network access until after authentication.


1 minute ago, leadeater said:

Nope.

 

Also, are you looking to secure the networking side of things too? If so, have a look into implementing RADIUS/Wired Auth/802.1x as well so computers or network devices don't get full network access until after authentication.

Not really. I am not involved with the networking team at all. I am solely part of the desktop environment side of things. Thanks for the help though!


2 hours ago, aubryscully said:

@leadeater @LUUD18 @AUniqueName Do yall have any experience/thoughts on Sophos SafeGuard Encryption?

I don't, and don't really know enough about it to be able to offer advice, sorry.

 

I've not ever actually deployed any kind of disk encryption on static devices, only ever laptops, and even then it's been BitLocker + PIN.
