Adding an extra layer of authentication

I would like to add a second layer of security for our admin website. This is for internal staff only but needs to be public on the internet so we can access it from anywhere. I currently have a website form asking for username and password, and I was interested in an extra layer...

I used to use Basic Authentication for the extra network login, but since it's clear text, I am afraid someone will get the username and password and be able to log in to my server directly!

I cannot lock down to a specific IP address as employees can connect from the road or home.

Does IIS 8 offer anything better than Basic Authentication now? Or what can I do? I think I saw Windows Authentication - is that better?

Using: Windows 2012, IIS 8, ColdFusion 11

Cliff Galiher commented:
Basic Authentication itself is over clear text, but if the site is SSL secured then the entire stream is secured behind SSL.

Replacing one password with two isn't generally effective, though. It is just an impediment to legitimate end users without much actual security benefit.

IIS is extensible, so there are plenty of options that you can use (write, or buy) that can secure a site. You will want to check with the software vendor who manages/wrote/supports this "admin website" to see what they support, though. It is possible to install something that doesn't play well. (Both the blessing and curse of an extensible platform.)

Some options include certificate-based authentication. That way it is a true 2FA scenario, but not yet another password to remember. The user has to know the admin website password *and* has to have a certificate you issued to them. There are third-party 2FA/MFA options on the market as well, such as YubiKey, RSA key fobs, Scorpionsoft. Or you could put the site behind Windows Server 2012's Web Application Proxy and secure it with Azure AD, which supports MFA via PhoneFactor.

So you have options. Plenty of options actually. But all take due diligence and have some legwork to configure. There is no "quick" answer for what you've asked, and it is broad enough that it also cannot be answered with any more specificity.
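The "password plus certificate you issued" option from the answer above, as an added example that is not part of Cliff Galiher's answer or the asker's setup: a WebAdministration PowerShell script for IIS 8 that rejects plain HTTP, demands a client certificate during the TLS handshake, and keeps Basic Authentication as the second factor. The site name `AdminSite`, an existing HTTPS binding on that site, an internal CA whose root the server already trusts, and an elevated PowerShell session are all assumptions.

```powershell
# Added example (not from the original answer): configure an IIS 8 site so every
# request must arrive over TLS with a client certificate that chains to a CA the
# server trusts, and then still pass the existing Basic Authentication prompt.
# Assumes Windows Server 2012 with the WebAdministration module, a site named
# "AdminSite" that already has an HTTPS binding, and an elevated session.
Import-Module WebAdministration

$siteName = 'AdminSite'          # assumption: the admin site's name in IIS Manager
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where these sections live

# 1. Require TLS and a client certificate for the whole site.
#    Ssl              = reject plain HTTP
#    SslNegotiateCert = ask the browser for a certificate during the handshake
#    SslRequireCert   = refuse the request if no valid certificate is presented
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 2. Turn off anonymous access and keep Basic Authentication as the second
#    factor. Both sections are locked at the server level by default, so they
#    are written with -Location into applicationHost.config rather than into
#    the site's own web.config. Basic Auth is only acceptable here because
#    step 1 guarantees the credentials never travel in clear text.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'enabled' -Value $true

# 3. Read the settings back so the change can be verified before testing
#    from a client that holds (and one that lacks) an issued certificate.
Get-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
Get-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
Get-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name 'enabled'
```

A browser without a certificate from your CA is refused at the TLS layer and never reaches the Basic Authentication prompt, so a stolen username and password alone are not enough to log in.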

gdemaria (author) commented:
Thanks very much