Adding an extra layer of authentication

I would like to add a second layer of security for our admin website. This is for internal staff only but needs to be public on the internet so we can access it from anywhere. I currently have a website form asking for username and password; I was interested in an extra layer...

I used to use Basic Authentication for the extra network login, but since it's clear text, I am afraid someone will get the username and password and be able to log in to my server directly!

I cannot lock down to a specific IP address as employees can connect from the road or home.

Does IIS 8 offer anything better than Basic Authentication now? Or what can I do? I think I saw Windows Authentication; is that better?

Thanks

Using: Windows 2012, IIS 8, ColdFusion 11

gdemaria asked:

Cliff Galiher commented:
Basic Authentication itself is over clear text, but if the site is SSL secured then the entire stream is secured behind SSL.

That said, replacing one password with two isn't generally effective. It is just an impediment to legitimate end users without much actual security benefit.

IIS is extensible so there are plenty of options that you can use (write, or buy) that can secure a site. You will want to check with your software vendor who manages/wrote/supports this "admin website" to see what they support though. It is possible to install something that doesn't play well (Both the blessing and curse of an extensible platform.)

Some options include certificate-based authentication. That way it is a true 2FA scenario, but not yet another password to remember. The user has to know the admin website password *and* has to have a certificate you issued to them. There are third-party 2FA/MFA options on the market as well, such as YubiKey, RSA key fobs, Scorpionsoft. Or you could put the site behind Windows Server 2012's Web Application Proxy and secure it with Azure AD, which supports MFA via PhoneFactor.

So you have options. Plenty of options actually. But all take due diligence and have some legwork to configure. There is no "quick" answer for what you've asked, and it is broad enough that it also cannot be answered with any more specificity.

gdemaria (author) commented:
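An added example, not part of the question or of Cliff Galiher's answer, showing the first two points of that answer on IIS 8 with the WebAdministration PowerShell module: the weak setting (Basic Authentication reachable over plain HTTP) beside the hardened one (Basic Authentication only inside TLS, with a client certificate you issued also required). The site and application names are assumptions, and the script assumes the site already has an https binding with a server certificate.

```powershell
# Added example: harden an IIS 8 admin application so Basic Authentication
# credentials only ever travel inside TLS, and a client certificate is also
# required. Names below are assumptions; adjust them to your server.
Import-Module WebAdministration

$site = 'Default Web Site'      # assumption
$app  = 'admin'                 # assumption: the admin website lives at /admin
$loc  = "$site/$app"
$host = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config <location>

# WEAK: sslFlags 'None' lets the app answer on plain HTTP, so the base64
# Authorization header of Basic Authentication is readable on the wire.
# Shown only for contrast; do not apply this line.
# Set-WebConfigurationProperty -PSPath $host -Location $loc `
#     -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# HARDENED, step 1: 'Ssl' rejects plain-HTTP requests outright,
# 'SslNegotiateCert' asks the browser for a client certificate, and
# 'SslRequireCert' refuses the request when none is presented. Together they
# give the "password *and* a certificate you issued" model from the answer.
Set-WebConfigurationProperty -PSPath $host -Location $loc `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 2: no anonymous access to the admin application, Basic Authentication on.
Set-WebConfigurationProperty -PSPath $host -Location $loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $host -Location $loc `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name enabled -Value $true

# Check: read the effective settings back for the application. You want to
# see sslFlags containing Ssl and SslRequireCert, and anonymous disabled.
Get-WebConfiguration -PSPath $host -Location $loc `
    -Filter 'system.webServer/security/access' | Select-Object sslFlags
Get-WebConfiguration -PSPath $host -Location $loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' |
    Select-Object enabled
```

Mapping the presented client certificate to a Windows account (IIS Client Certificate Mapping Authentication) is a separate feature and is not configured here; without it the certificate is only checked for validity against the server's trusted roots.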
Thanks very much