Can't log on locally

ManieyaK_
ManieyaK_ used Ask the Experts™
on
Hello Experts, to satisfy the NIST 800-171 requirement for Dual Authentication for privileged accounts we have a way to do this, but we must disable Local Policy to prevent local logons.  The solution we're toying with now is using our KVM to connect remotely.  Only concern if for what ever reason the KVM fails & we have disabled local logons, how would we get past this?

We're running Server 2008 R2 environment.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
I don't know how you are set up, but one idea jumps to mind.  

You  could use a VPN

You would need to authenticate on the VPN, before staring an RDP session to the server.  

If you are on the same site, rather than external, then you could still set this up.  -Create another LAN/VLAN and VPN to it.  give this LAN/VLAN a route to the production LAN and restrict RDP logons to IP's in the protected segment.  

Dual auth would be VPN auth + Windows Auth

Cisco 1800's are dead cheap on ebay.  You could use one of these to vpn to and to route back to the main LAN
Distinguished Expert 2017
Commented:
Dual I presume you two factor authentication where a second component is needed I.e. RSA keyfab or similar.

You need to clarify "no logon" locally, this meaning on console I.e allowing logons via rdp?

KVM is a mechanism to provide console access without the need to be present in front of the system.

Depending on the requirement for two factor authentication, a VPN + RDP would not count potentially, the same credentials to setup the Bon are the credentials to login via RDP .

Commented:
In my solution the credentials are unlikely to be the same.  Cisco users are not Windows Users

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial