VIP (Validation ID Protection)

  • 1.  VIP multifactor auth only for users with VIP credential

    Posted Dec 13, 2017 04:00 AM

    Hello,

    We are trying to configure Symantec VIP as stated in the topic name (only for users with a VIP credential).

    We are using this article:

     

    https://support.symantec.com/en_US/article.INFO4267.html

     

    It states that we should put HKLM\Software\Symantec\CP\Options\EnablePartial2FA in the registry;
    EnablePartial2FA is of type String with a value of 1.

     

    But there is no such location in the registry on the Enterprise Gateway server. Are we looking in the right place? There is only "Wow6432Node" with a Symantec folder and a VIP Enterprise Gateway folder as a subtree.

     

    Thank you

    br

     



  • 2.  RE: VIP multifactor auth only for users with VIP credential

    Broadcom Employee
    Posted Dec 13, 2017 08:18 AM

    Hello!

     

    The EnablePartial2FA key is placed on the target Windows server that requires 2FA, not on VIP Enterprise Gateway.  Here's an example with five Windows servers:

     

    Server                   EnablePartial2FA present?   EnablePartial2FA value
    VIP Enterprise Gateway   No                          n/a
    App Server 1             Yes                         1
    App Server 2             Yes                         2
    App Server 3             No                          n/a
    Domain Controller        No                          n/a

    In this example, "VIP Enterprise Gateway" and "Domain Controller" are infrastructure servers and do not have multifactor authentication configured on them.  "App Server 1" allows all of IT to log in.  All users must provide passwords.  All VIP users must also provide VIP.  Some non-VIP users (if any) can log in with username+password only.

    "App Server 2" is similar: all users require a password.  Only some VIP users are required to enter a VIP code (only the ones in one particular group, as configured on VIP Enterprise Gateway).

    "App Server 3" is not configured for VIP, so only username + password is required.

    Based upon the same set of users, "App Server 1" has the most authentication requirements (more secure), "App Server 2" is in the middle, and "App Server 3" has the least requirements, but these configurations are usually highly targeted to the IT users who need to access these systems.  The above options allow the creation of complex logic to suit the needs of today's Enterprises.

     

    I hope this helps to clarify!

    Maren
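
    A way to verify the placement described above before and after a rollout, as an added example that is not part of this thread or of Symantec's documentation: the PowerShell below audits a list of Windows servers for the EnablePartial2FA value under the path given in the KB article (HKLM\Software\Symantec\CP\Options), reports whether it is present, what it holds and whether it is a String (REG_SZ) as the article requires, and can set it to 1 or 2 on a named server. Server names are placeholders, remote access is assumed to be WinRM via Invoke-Command, and the extra lookup under Wow6432Node is an assumption added only to catch a key written under the 32-bit registry view; the value semantics (1, 2) are the ones shown in the table above.

```powershell
# Added example, not from the thread or from Symantec. Audits and sets the
# EnablePartial2FA value (INFO4267) on the servers that run the VIP Credential
# Provider. Assumes WinRM remoting to the targets.

# Placeholder server names; replace with the application servers that carry the
# Credential Provider. Infrastructure servers (VIP Enterprise Gateway, domain
# controllers) are intentionally not in this list.
$AppServers = @('APP-SERVER-1', 'APP-SERVER-2', 'APP-SERVER-3')

# Path from the KB article, plus the 32-bit redirected view (assumption: only
# checked so a key accidentally created under Wow6432Node is reported).
$KeyPaths = @(
    'HKLM:\SOFTWARE\Symantec\CP\Options',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\CP\Options'
)

function Get-Partial2FAState {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$KeyPaths) -ScriptBlock {
        param([string[]]$paths)
        foreach ($p in $paths) {
            if (-not (Test-Path -Path $p)) {
                [pscustomobject]@{ Path = $p; Present = $false; Value = 'n/a'; TypeOk = 'n/a' }
                continue
            }
            $value = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).EnablePartial2FA
            [pscustomobject]@{
                Path    = $p
                Present = ($null -ne $value)
                Value   = if ($null -ne $value) { $value } else { 'n/a' }
                # The article specifies type String; a DWORD would come back as Int32.
                TypeOk  = if ($null -ne $value) { $value -is [string] } else { 'n/a' }
            }
        }
    } | Select-Object @{ n = 'Server'; e = { $_.PSComputerName } }, Path, Present, Value, TypeOk
}

function Set-Partial2FA {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Only the values shown in the thread's table are accepted.
        [Parameter(Mandatory)][ValidateSet('1', '2')][string]$Value
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPaths[0], $Value -ScriptBlock {
        param([string]$path, [string]$value)
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # -PropertyType String writes REG_SZ, matching "of type String" in the article.
        New-ItemProperty -Path $path -Name 'EnablePartial2FA' -PropertyType String `
            -Value $value -Force | Out-Null
        (Get-ItemProperty -Path $path).EnablePartial2FA
    }
}

# Usage: audit first, then apply on the one server that should require VIP from every VIP user.
Get-Partial2FAState -ComputerName $AppServers | Format-Table -AutoSize
Set-Partial2FA -ComputerName 'APP-SERVER-1' -Value '1'

# Flag any server where the value exists only under Wow6432Node (assumed misplacement).
Get-Partial2FAState -ComputerName $AppServers |
    Group-Object Server |
    Where-Object { ($_.Group | Where-Object { $_.Present -and $_.Path -like '*Wow6432Node*' }) -and
                   -not ($_.Group | Where-Object { $_.Present -and $_.Path -notlike '*Wow6432Node*' }) } |
    ForEach-Object { Write-Warning "$($_.Name): EnablePartial2FA found only under Wow6432Node" }
```

    The audit is worth running against the infrastructure servers as well, where the expected result is "not present" on every path; a value there would mean partial 2FA is being applied on a host the design above says should not have it.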

     



  • 3.  RE: VIP multifactor auth only for users with VIP credential

    Posted Dec 13, 2017 08:38 AM

    Hello Maren,

    thank you for the clarification!

     

    Just one thing to clarify further: so this is just for Windows servers. What about, for example, if we want firewall VPN authentication to let some AD users pass through without two-factor authentication; is this possible with VIP?

    Or for example Exchange OWA ? Or any third-party application?

    I have example from "DUO" solution it is called like this:

    "New User Policy"  = "Allow unenrolled users to pass through without two-factor authentication".

     

     

    Thank you in advance.



  • 4.  RE: VIP multifactor auth only for users with VIP credential

    Posted Dec 13, 2017 10:03 AM

    Thank you, Maren, for the clarification.

     

    One more question, if you can. What about when we want such passthrough functionality on other services, even third-party applications supporting RADIUS auth? For example:

     

    - VPN on firewall

    - Exchange OWA

    - Any other third-party app.

     

    For example, on the DUO product there is a function called "New User Policy - Allow unenrolled users to pass through without two-factor authentication".

     

    Kind Regards

    Damir



  • 5.  RE: VIP multifactor auth only for users with VIP credential

    Broadcom Employee
    Posted Dec 15, 2017 09:22 AM

    While each application is different, RADIUS-based applications generally make their own policy decisions.  This could mean that the server requires multifactor authentication from some users, from other users sometimes, and from still other users always.

    With our plugin for Microsoft Credential Provider, we're involved on the target server and it is a configuration item to determine what is sufficient.  For RADIUS-based applications, we're not on the target server, so we can't determine what is / isn't sufficient there.

    Planning for the user deployment phase is fraught with multiple challenges, but the actual rollout to users is generally very fast.  I certainly appreciate convenient options to the user - but at what point will we require 2FA from the users?  We can be configured for this deployment logic, but most organizations I've spoken with are interested in the final security design and not in intermediate security policies.

    Again, I hope this helps!

    Maren



  • 6.  RE: VIP multifactor auth only for users with VIP credential

    Posted Dec 18, 2017 03:13 AM

    Hello Maren,

    thank you for answering.

    However, there are numerous cases where this kind of deployment (Partial 2FA from the server side) is NOT an intermediate solution but the FINAL deployment.

    Native applications and services are most of the time not aware of 2FA and have no facility to decide whether 2FA will be required or not. But the server could do it for them.

    For example:

    1. When there is 1 domain controller authenticating multiple customers or departments inside the company and only one customer buys the 2FA service; different VPN solutions are used, so native RADIUS is required in those cases.

    2. Authenticating READ/WRITE users on the same FW with 2FA, while READ ONLY users are authenticated without it.

    3. Every MSP would need it in many cases where users or customers are authenticated in ONE directory.

    This kind of deployment logic is sometimes exactly what is required.

    In my opinion, it should be offered; we are talking about enterprise solutions here, and each environment is different. We have demand for this.



  • 7.  RE: VIP multifactor auth only for users with VIP credential

    Posted Mar 23, 2018 10:00 AM

    Hello,

    Is there someone who knows how to solve this?

    Thanks.

    --

    Vedran



  • 8.  RE: VIP multifactor auth only for users with VIP credential

    Broadcom Employee
    Posted Mar 23, 2018 11:56 AM

    Vedran:

    I agree - RADIUS is probably demanded in constrained environments where we need more flexibility.  I like your item 2 use case especially because it clearly shows a need to separate, conceptually, how AUTHENTICATION works from how AUTHORIZATION works.  Once we can think about these as two separate but related tasks we can begin to address more complicated scenarios with diverse components and needs.

    If you'd like to discuss this more in detail, I suggest opening a new thread so that we can explore it in detail there and keep this one tidy (and we can link to this one from there).

    Is this helpful?

    Maren