Can't log on locally

Hello Experts, to satisfy the NIST 800-171 requirement for Dual Authentication for privileged accounts we have a way to do this, but we must disable Local Policy to prevent local logons. The solution we're toying with now is using our KVM to connect remotely. Only concern is if for whatever reason the KVM fails & we have disabled local logons, how would we get past this?

We're running Server 2008 R2 environment.

I don't know how you are set up, but one idea jumps to mind.

You could use a VPN.

You would need to authenticate on the VPN before starting an RDP session to the server.

If you are on the same site, rather than external, then you could still set this up. Create another LAN/VLAN and VPN to it. Give this LAN/VLAN a route to the production LAN and restrict RDP logons to IPs in the protected segment.

Dual auth would be VPN auth + Windows auth.

Cisco 1800s are dead cheap on eBay. You could use one of these to VPN to and to route back to the main LAN.
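
One way to audit the "restrict RDP logons to IPs in the protected segment" step from the answer above, as an added example that is not part of the original thread: it parses output laid out like `netsh advfirewall firewall show rule name=all` and lists enabled inbound allow rules on port 3389 whose RemoteIP reaches beyond the protected segment. The sample rules and the 10.20.30.0/24 segment are constructed placeholders, and only rules that list port 3389 explicitly are checked.

```python
import ipaddress
import re

# Constructed sample laid out like `netsh advfirewall firewall show rule name=all`.
# 10.20.30.0/24 stands in for the protected VPN segment (assumed value).
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.20.30.0/255.255.255.0
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Legacy RDP
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    """One dict per rule; netsh separates rules with a blank line."""
    return [{k.strip(): v.strip() for k, v in
             (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)}
            for block in re.split(r"\n\s*\n", text.strip())]

def scope_ok(remote_ip, segment):
    """True only if every RemoteIP entry is an address, range or net inside `segment`."""
    for entry in remote_ip.split(","):
        try:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
                nets = list(ipaddress.summarize_address_range(lo, hi))
            else:
                nets = [ipaddress.ip_network(entry.strip(), strict=False)]
        except (ValueError, TypeError):
            return False  # "Any", "LocalSubnet" and other keywords are not provably scoped
        if not all(n.version == segment.version and n.subnet_of(segment) for n in nets):
            return False
    return True

def exposed_rdp_rules(text, segment, port="3389"):
    """Names of enabled inbound allow rules on `port` reachable from outside `segment`."""
    seg = ipaddress.ip_network(segment)
    return [r.get("Rule Name") for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and port in r.get("LocalPort", "").split(",")
            and not scope_ok(r.get("RemoteIP", "Any"), seg)]
```

An empty list from `exposed_rdp_rules` means every matching rule is scoped to the protected segment; any name returned is a rule that still accepts RDP from elsewhere.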

By dual I presume you mean two-factor authentication, where a second component is needed, i.e. RSA key fob or similar.

You need to clarify "no logon" locally, this meaning on console, i.e. allowing logons via RDP?

KVM is a mechanism to provide console access without the need to be present in front of the system.

Depending on the requirement for two-factor authentication, a VPN + RDP would potentially not count; the same credentials to set up the VPN are the credentials to log in via RDP.

In my solution the credentials are unlikely to be the same. Cisco users are not Windows users.