Oct 31 2016 11:59 AM
Our police department currently connects to the VPN, then connects to their various applications. Because of the nature of the information they pass, they must be on the VPN; however, we have been mandated to implement MFA at Windows login. We have ADFS, Cisco VPN... Any idea where to start or how to make this work?
Nov 01 2016 01:43 AM
I'm not an expert in this, but I don't believe there's a native way to do Multi Factor Authentication on Active Directory (Windows Login). You'd need to look at a 3rd party solution (and there are many).
MFA for ADFS only secures login to web apps after the desktop login has been processed.
Happy for someone to correct me though!
Nov 01 2016 02:27 AM - edited Nov 01 2016 02:52 AM
What version of Windows do they have on their devices? If they have Windows 10, there are many new features to enhance login security for this type of scenario (some of them depend on the capabilities of the hardware), see https://technet.microsoft.com/en-us/itpro/windows/whats-new/security
What version of Windows Server do they have? Upgrading to 2016 will provide many benefits in this area, see https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-20...
You can set up MFA in Azure or on-premises, see https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started/.
With Azure MFA, you can use it with conditions, i.e., the location, the device, and the application can all be used to determine when the second factor is required. It should not be needed ALL of the time, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread...
Instead of VPN, you could use Azure AD Application Proxy to provide access back into the on-premises applications, see
Jan 19 2017 05:50 AM
You can use a comprehensive VPN for Windows which provides a corporate solution as well. The most secure encryption level for secure and sensitive data transfer must be OpenVPN with AES 256-bit encryption. This is so far not broken by any security agency. For more information on this, read the Best VPN for Windows