ESET Online Help


Windows Login Protection

ESA features local login protection for Windows in a domain or LAN environment. To utilize this feature, select the Windows Login component during ESA installation. When the installation is complete, access the ESA Web Console, click Components > Windows Login. The list of computers where the Windows Login component of ESA is installed will display.

Click a computer to enable/disable 2FA protection or non-2FA access. To enable/disable 2FA protection or non-2FA access for several computers at once:

  1. Select the check box of desired computers.
  2. Click 2FA, select the desired option.
[Screenshot: windows_login_computers_cloud]

If you have a long list of computers, use the Add filter to search for a specific computer by name, company, and more.

If the Windows Login component of ESA version 2.6 or later is uninstalled from a particular computer, that computer is automatically removed from the Computer List in the ESA Web Console. A computer entry can also be deleted manually from the Web Console: select the entry, click Delete, then click Delete again in the confirmation window. If a computer entry is removed from the Computer List while the Windows Login component remains installed on that computer, the computer will reappear in the Web Console with default settings.

Click the Settings tab to see available settings.

[Screenshot: windows_login_settings_cloud]

From this screen, you can see various options to apply 2FA, including the option to apply 2FA protection for Safe Mode, Windows lock screen, and User Account Control (UAC).

Suppose the machine where the Windows Login component of ESA is installed must be offline part of the time, and you have users who have SMS authentication enabled. In that case, you can enable Allow access without 2FA for users with methods which do not work in offline mode (SMS-based OTP, Mobile Push, time-based OTP).

If a user using SMS delivery for OTP wants to have an OTP re-sent, they can close the window requiring OTP, and after 30 seconds, enter their username and password again to receive a new OTP.

2FA protection cannot be bypassed by an attacker even if the attacker knows the username and password, thus providing better protection of sensitive data. Of course, we assume the hard drive is not accessible by the attacker, or the drive's content is encrypted.

We recommend combining 2FA protection with whole disk encryption to mitigate the breach risk if an attacker has physical access to the disk.


note

2FA enabled for offline mode

If 2FA protection is enabled for offline mode, all users whose accounts are secured by 2FA and who want to use a 2FA-protected PC must log in to that PC for the first time while the PC is online. By 'online', we mean that ESET Secure Authentication can be pinged from the 2FA-secured computer.

Offline mode allows 20 logins, each with a valid OTP. If this limit is exceeded, the machine must be online when the user tries to log in. Whenever the machine is online during a login attempt, the limit counter is reset. You can raise the offline login limit in the Web Console at Components > Windows Login > Settings > Number of offline OTPs.


note

Time-based OTPs are not cached

OTPs generated by a time-based hard token, or time-based OTPs generated by the mobile application, are not stored in the offline cache of the Windows Login plugin.
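The rules in the two notes above (first login must happen online, an offline login limit that is reset whenever the machine is online, time-based OTPs never cached) together with the "Allow access without 2FA for users with methods which do not work in offline mode" option can be pictured as a small policy model. The Python below is an added example, not ESET's code and not a description of how the Windows Login plugin is actually implemented. It assumes that what the offline cache holds are event-based (HOTP, RFC 4226) codes, simulates the server side and SMS delivery in-process, treats "first login must be online" as applying before the offline-policy check, and uses the RFC 4226/6238 test secret as constructed sample data; all class and method names are made up for the example.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 4226 / RFC 6238 test secret, used here as constructed sample data.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


@dataclass
class User:
    name: str
    method: str            # "none", "hotp" (event-based), "totp" (time-based) or "sms"
    secret: bytes = b""
    counter: int = 0       # server-side HOTP counter (hotp users only)
    pending_sms: str = ""  # last code the simulated server delivered by SMS


@dataclass
class Settings:
    number_of_offline_otps: int = 20         # "Number of offline OTPs" (page default)
    allow_without_2fa_offline: bool = False  # "Allow access without 2FA for users with methods which do not work in offline mode"


@dataclass
class OfflineCache:
    codes: List[str] = field(default_factory=list)  # unconsumed event-based OTPs from the last online login
    used: int = 0                                   # offline logins since the last online login


class WindowsLoginModel:
    """Hypothetical model playing both the login plugin and the authentication server, so the scenario runs in-process."""

    def __init__(self, settings: Settings, online: bool = True):
        self.settings = settings
        self.online = online
        self.cache: Dict[str, OfflineCache] = {}  # per-user state kept on the protected computer

    def send_sms(self, user: User) -> str:
        """Server side: deliver a fresh SMS code (constructed value; a real server would randomise it)."""
        user.pending_sms = "482913"
        return user.pending_sms

    def login(self, user: User, otp: Optional[str] = None, now: Optional[int] = None) -> Tuple[bool, str]:
        """Password already verified by Windows; decide whether the second factor admits the user."""
        now = int(time.time()) if now is None else now
        if user.method == "none":
            return True, "NO_2FA"
        return self._online(user, otp, now) if self.online else self._offline(user, otp)

    def _online(self, user: User, otp: Optional[str], now: int) -> Tuple[bool, str]:
        n = self.settings.number_of_offline_otps
        if user.method == "hotp":
            # Look-ahead window absorbs codes the token consumed offline since the last sync.
            for i in range(n + 1):
                if otp == hotp(user.secret, user.counter + i):
                    user.counter += i + 1
                    # Online login resets the offline counter and refills the cache with the next n codes.
                    self.cache[user.name] = OfflineCache([hotp(user.secret, user.counter + j) for j in range(n)])
                    return True, "ONLINE_OK"
            return False, "BAD_OTP"
        if user.method == "totp":
            ok = otp == totp(user.secret, now)
        else:  # sms: single use, cleared whether or not it matched
            ok = bool(otp) and otp == user.pending_sms
            user.pending_sms = ""
        if ok:
            # Time-based and SMS codes are never cached; the online login only records the enrolment.
            self.cache[user.name] = OfflineCache()
            return True, "ONLINE_OK"
        return False, "BAD_OTP"

    def _offline(self, user: User, otp: Optional[str]) -> Tuple[bool, str]:
        state = self.cache.get(user.name)
        if state is None:
            return False, "FIRST_LOGIN_MUST_BE_ONLINE"
        if user.method in ("totp", "sms"):  # methods that do not work in offline mode
            if self.settings.allow_without_2fa_offline:
                return True, "ALLOWED_WITHOUT_2FA_BY_POLICY"
            return False, "METHOD_UNAVAILABLE_OFFLINE"
        if state.used >= self.settings.number_of_offline_otps:
            return False, "OFFLINE_LIMIT_REACHED"
        if otp in state.codes:
            del state.codes[: state.codes.index(otp) + 1]  # consume this code and any it skipped
            state.used += 1
            return True, "OFFLINE_OK"
        return False, "BAD_OTP"
```

Run with a `Settings(number_of_offline_otps=2)` to see the limit trip on the third offline login and clear again after one online login; a TOTP user is refused offline unless the policy switch is on, which is exactly the trade-off the option above asks you to accept.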

Suppose Windows 10 login is secured by ESA. After entering a valid username and password, users will be prompted to approve login on their Android/iOS mobile device, or Android/Apple watch, or to enter an OTP.

[Screenshot: win10_login_OTP_required]