Windows Login Protection

ESA features local login protection for Windows in a domain or LAN environment. To use this feature, the Windows Login component must be included during installation of ESA. Once installation is finished, open the ESA Web Console, navigate to Components and click Windows Login. The list of computers where the Windows Login component of ESA is installed is displayed. From this screen you can enable or disable 2FA protection per computer.

[Screenshot: Windows Login computer list]

If you have a long list of computers, use the Filter field to search for a specific computer by typing its name.

If the Windows Login component of ESA version 2.6 or later is uninstalled from a particular computer, that computer is removed from the Computer List of ESA Web Console automatically. A computer entry can also be deleted manually from the Web Console: select a computer entry and click Delete, or hover over the computer, click the actions icon and select Delete, then click Delete in the confirmation window. If a computer entry is removed from the Computer List but the Windows Login component is still installed on that computer, the computer shows up again in the Web Console with default settings.

Click the Settings tab to see the available settings.

[Screenshot: Windows Login settings]

From this screen you can see various options to apply 2FA, including the option to apply 2FA protection for Safe Mode, Windows lock screen and User Account Control (UAC).

important

Windows 10 - second factor is not required to authenticate

Windows 10, from version 1709, introduced an option that lets the last user sign in automatically after an update or restart. That option is enabled by default unless the user account belongs to a domain. With that option enabled, the default setup of Windows Login protection by ESA does not request the second factor after an OS update or restart, because Windows treats the session as if the user had locked the computer rather than signed out. Either disable that automatic sign-in option, or turn on the Protect access with 2FA on Windows Lock screen option.
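The following PowerShell audit is an added example and is not part of the ESET documentation or the ESA product. It reports whether the automatic restart sign-on behaviour described above can still be in effect on a workstation and, if asked, disables it. It assumes that the Group Policy "Sign-in and lock last interactive user automatically after a restart" is stored as the DWORD value DisableAutomaticRestartSignOn under the Policies\System key used below (1 = automatic sign-on off), and that Windows 10 version 1709 corresponds to OS build 16299. Run it in an elevated PowerShell session on the protected computer.

```powershell
# Added example (not ESET code): check and optionally disable Windows automatic
# restart sign-on (ARSO), the behaviour that lets a restart skip the ESA prompt.
# Assumption: the GPO "Sign-in and lock last interactive user automatically after
# a restart" is stored as the DWORD below; 1 disables ARSO.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableAutomaticRestartSignOn'
$Build1709 = 16299   # assumption: Windows 10 version 1709 = OS build 16299

function Get-ArsoStatus {
    $build  = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    # PartOfDomain is a machine-level hint only: domain accounts are exempt from ARSO
    # by default, but a local account on a domain-joined machine is not.
    $inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # ARSO can apply when the OS is 1709 or newer and no policy disables it.
    $arsoPossible = ($build -ge $Build1709) -and ($policy -ne 1)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OsBuild        = $build
        DomainJoined   = $inDomain
        PolicyValue    = if ($null -eq $policy) { 'not configured' } else { $policy }
        ArsoPossible   = $arsoPossible
        Recommendation = if ($arsoPossible) {
            'Disable ARSO (Disable-Arso) or enable "Protect access with 2FA on Windows Lock screen" in ESA'
        } else { 'OK: restarts will reach the ESA prompt' }
    }
}

function Disable-Arso {
    # Create the policy key if Group Policy has never written it, then set the value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ArsoStatus
}

Get-ArsoStatus
# To enforce the fix on this machine: Disable-Arso
# In a domain, set the same policy centrally through Group Policy instead.
```

Enabling the ESA lock-screen protection is the more robust of the two fixes, because it covers the lock-screen path regardless of how a future Windows build handles the sign-in option.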

If a machine where the Windows Login component of ESA is installed must be offline part of the time, and you have users who authenticate with SMS-based OTP or Mobile Push (methods that depend on the Authentication Server being reachable), enable Allow access without 2FA for users with SMS-based OTP or Mobile Push authentication only.

If a user receiving OTPs by SMS needs a new OTP, they can close the window requesting the OTP, wait 30 seconds, and enter their username and password again to receive a new one.

Even an attacker who knows a valid username and password cannot complete a 2FA-protected login without the second factor, which gives better protection of the sensitive data on the computer. This assumes, of course, that the attacker cannot read the hard drive directly, or that the contents of the drive are encrypted.

We recommend combining 2FA protection with whole-disk encryption to mitigate the breach risk when an attacker has physical access to the disk.

note

2FA enabled for offline mode

If 2FA protection is enabled for offline mode, every user whose account is secured by 2FA and who wants to use a 2FA-protected PC must log in to that PC for the very first time while the PC is online. 'Online' means that the computer where the Authentication Server of ESA is installed has the ESET Secure Authentication Service running and can be reached (for example, pinged) from the 2FA-secured computer.

If the Windows Login component is installed on the same computer as the Authentication Server, 2FA protection for Safe Mode is enabled on that computer, and offline mode is disabled (Do not allow access is selected in the Offline behavior section), then the user is allowed to log in to Safe Mode (without networking) without an OTP.

Offline mode allows up to 20 logins, each with a valid OTP. Once the limit is exceeded, the machine must be online for the next login. Whenever the machine is online during a login, the counter is reset.

note

Note

OTPs generated by a time-based hard token are not stored in the offline cache of the Windows Login plugin.

To allow specific users to log on to certain computers only, in an Active Directory environment configure a "Deny log on locally" policy.
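The following PowerShell script is an added example, not part of the ESET documentation or the ESA product. It lists which accounts are denied local (interactive) logon on the computer it runs on, which is the effective result of the "Deny log on locally" right mentioned above (in a domain, assign the right through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment; after a policy refresh, secedit on the target computer shows what was applied). It assumes that secedit names this right SeDenyInteractiveLogonRight in its exported INF file; the function name Get-DenyLocalLogonAccounts and the account names in $expectedUsers are constructed for the example. Run it elevated.

```powershell
# Added example (not ESET code): audit the "Deny log on locally" right on this PC.
# Assumption: secedit exports the right as SeDenyInteractiveLogonRight and writes
# principals as *SID entries separated by commas.
function Get-DenyLocalLogonAccounts {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    # Export only the User Rights Assignment area to a temporary INF file.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }    # right is not assigned to anyone
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # "*S-1-5-..." form: translate the SID to DOMAIN\name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }      # orphaned or foreign SID: keep it raw
            } else {
                $entry                    # already a name
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

# Constructed list of 2FA-protected users/groups that are supposed to use this PC.
# Any of them appearing in the deny list cannot log on here at all, which is the
# opposite of what the ESA policy for this machine intends.
$expectedUsers = @('CORP\finance-users', 'CORP\jdoe')

$denied = @(Get-DenyLocalLogonAccounts)
"Accounts denied local logon on ${env:COMPUTERNAME}: $($denied -join ', ')"
foreach ($user in $expectedUsers) {
    if ($denied -contains $user) {
        "WARNING: $user is denied local logon on $env:COMPUTERNAME"
    }
}
```

Deny rights take precedence over allow rights, so a group that is both in "Allow log on locally" and in "Deny log on locally" is effectively denied; the audit above reports the deny list for that reason.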

On a Windows 10 login secured by ESA, after entering a valid username and password the user is prompted to approve the login on their Android/iOS mobile device or Android/Apple watch, or to enter an OTP:

[Screenshot: Windows 10 login prompt requiring an OTP]