On the Internet, everyone is equidistant. An attacker who simply does not know the target has no bias about who you are or how big your company is. When connected to the Internet, everyone is at risk.
Small businesses face the same types of risks as the enterprise, and in many cases they lack the budget, time, or people to address them. Microsoft has come to market with Windows Small Business Server to combat that by delivering enterprise-class solutions for that market. Those include Remote Web Access, Virtual Private Networking and Remote Desktop Services.
Each offers compelling productivity enhancements that allow staff virtually anywhere, anytime access to office resources, which in itself also opens new risks. At Scorpion Software, we deliver solutions that can help reduce these risks to an acceptable level.
Remote Access via the web
Think about withdrawing money from a bank ATM for a moment. How does that work? You need your bank card plus a PIN code, right?
Your bank requires your card to be placed into the ATM, and that you enter your matching PIN code on the PIN pad. It doesn't allow you to do a lot of guessing before locking out your account access. Based on the combination of you HAVING the card and KNOWING the PIN, you can withdraw money from virtually any ATM in the world that can communicate with your financial institution. This is exactly how two-factor authentication works: you need to have a unique physical key plus know a private PIN code.
RWWGuard enforces the same combination of physical key device plus PIN code, adding that requirement on top of your Active Directory account username and password. To remotely access a Small Business Server or Essential Business Server protected by RWWGuard, it now takes something you must HAVE (an AuthAnvil hardware token) and something you KNOW (your PIN code). At the same time, your logon will continue to request your domain account and password to determine the level of access your account is allowed, just as it did before. If either the device/PIN or the account/password is not validated, no logon session is provided. This means introducing RWWGuard to your business is rather easy with a low barrier to entry, since you don't need to change anything else in your normal day-to-day operations. Inside the network everything continues to work the same way, so there is no need to retrain anyone; those connecting from outside simply use the key device and PIN when they access RWW through the added layer of protection enforced by RWWGuard.
This multi-factor approach ensures the identity of the user coming in actually is who you expect. So even if someone HAS obtained your Active Directory username and password, it's useless to them without also having the authentication token and your PIN code. With most hardware tokens like AuthAnvil, CRYPTOCard and SecurID, the combination of the user's private PIN and a uniquely generated 6 to 8 digit code creates a one-time password (OTP) that cannot be guessed. This OTP is then provided to RWW, and must be authenticated before a login can take place.
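As an added illustration (not Scorpion Software's or AuthAnvil's own code; the page does not describe the token's actual algorithm, so RFC 4226 HOTP is assumed as the 6-digit code generator), the following Python models the logon rule above: the domain password AND the PIN-plus-token passcode must both validate, a consumed token code cannot be replayed, and repeated failures lock the account, as in the ATM analogy. The passcode layout (PIN followed by token code), the lockout threshold and the counter look-ahead are constructed assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class TwoFactorGate:
    """Stand-in for the RWW logon check: password AND (PIN + token code), with lockout."""
    MAX_FAILURES = 3   # assumed threshold; the page only says "not a lot of guessing"
    LOOKAHEAD = 5      # assumed window for a token whose counter drifted ahead

    def __init__(self, password: str, pin: str, token_secret: bytes):
        self._password = password      # stand-in for the Active Directory password
        self._pin = pin                # something you KNOW
        self._secret = token_secret    # seed inside something you HAVE
        self._counter = 0              # highest token counter accepted so far
        self.failures = 0
        self.locked = False

    def logon(self, password: str, passcode: str) -> bool:
        """Grant a session only when both factors validate; count and lock on failure."""
        if self.locked:
            return False
        # Evaluate both factors before combining so one failure does not mask the other.
        pw_ok = hmac.compare_digest(password, self._password)
        otp_ok = self._check_passcode(passcode)
        if pw_ok and otp_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False

    def _check_passcode(self, passcode: str) -> bool:
        """Passcode = PIN followed by the token code (constructed convention)."""
        pin, code = passcode[:len(self._pin)], passcode[len(self._pin):]
        if not hmac.compare_digest(pin, self._pin):
            return False
        # Accept only counters beyond the last accepted one, so a captured code is single-use.
        for c in range(self._counter + 1, self._counter + 1 + self.LOOKAHEAD):
            if hmac.compare_digest(code, hotp(self._secret, c)):
                self._counter = c
                return True
        return False
```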
Remote Access via VPN
A mobile workforce is a great asset to a business, and a great liability. The use of virtual private networking (VPN) allows businesses to provide remote access to corporate information assets. Unfortunately, a VPN is only as secure as its endpoints; a weak password system can expose your business to great risk, as there is no way to reliably prove the identity of the remote user presenting that credential. With AuthAnvil, you get the identity assurance that you need.
The growth of remote access for telecommuters and employees in the field has driven the use of virtual private networking (VPN) for many businesses connected to the Internet. A VPN creates a secure tunnel between the remote worker and the corporate network to protect data in transit over an insecure network like the Internet. This is typically done using Secure Sockets Layer (SSL) or IP Security (IPsec).
Unfortunately, a VPN alone does not provide assurance that this remote workforce is who they say they are. A virtual private network that doesn't use strong authentication isn't that private at all. If a user's password can be captured and used, an adversary can easily gain access to corporate information assets without anyone even knowing, as long as they have access to the VPN client software.
This becomes even more of a concern when using SSL VPNs. While easier to deploy than typical VPN solutions, SSL VPNs become easier targets for attackers, as there is no special configuration or client software to install... they just need a web browser. The need for strong authentication becomes more evident as you consider just what sensitive and proprietary information assets are then exposed through a simple web browser.
Securing the data in transit is indeed important, and that is what a VPN is good at. However, reliably proving who is accessing that data... that's the job of strong authentication, delivered through AuthAnvil Two Factor Auth.
Remote Access via Remote Desktop Services
When a password is compromised, the results can be disastrous for a company. Adversaries can pose as trusted users and access or destroy privileged and confidential information. In a Windows network the risks are further compounded by the fact that a single Active Directory password credential opens up access to resources all over the organization. From company database resources to the corporate SharePoint intranet, a breached account can cost a business dearly in financial loss, lost productivity and potential damage to its reputation.
The AuthAnvil Windows Logon Agent offers companies the ability to add strong two-factor authentication to Microsoft's Windows client and server operating systems. It provides a simple and consistent logon experience whether users log on at the local desktop or through a terminal session. And it offers identity assurance by requiring users to provide their AuthAnvil passcode during the logon process.