Authentication Security

Enable Multi Factor Authentication

The ICS must be configured to use multifactor authentication for network access to nonprivileged accounts.

To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.

Multifactor authentication (MFA) must be implemented for all user authentication processes, using at least two distinct factors to verify identity. Passwords alone are not an authorized means of remote access, particularly for nonprivileged accounts, and must not be used. Except for specific administrative realms with unique flow requirements (which must also follow stringent controls), every other realm in the environment must be configured to enforce MFA.

It is strongly advised to review and align these configurations with the latest guidance and best practices outlined in CISA's cybersecurity recommendations, ensuring compliance with the latest security protocols and standards.

Factors include:

Something you know (e.g., password/PIN);

Something you have (e.g., cryptographic identification device, token); or

Something you are (e.g., biometric).

A nonprivileged account is any information system account with authorizations of a nonprivileged user.

Network access is any access to a network element by a user (or a process acting on behalf of a user) communicating through a network.

The following configuration is an example of how to configure multifactor authentication.

Configure the user realm to use PKI and the site's authentication servers. A sign-in policy is then applied in accordance with the site's access configuration.

1. In the ICS Web UI, navigate to Authentication > Auth Servers.

2. Click New Servers. Under server type, select Certificate Server > New Server.

3. Type a Name. Under User Name template, type this exactly: <certAttr.altname.UPN>

4. Click Save Changes.

5. Navigate to Authentication > Auth Servers.

6. Click New Servers. Under server type, select LDAP Server > New Server.

7. Type a name for the primary LDAP server domain.

8. LDAP server: the FQDN of the server (an IP address may cause an error, because the LDAP server certificate might not have an IP in the SAN field).

9. LDAP port: 636 (this is for LDAPS).

10. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error, because the LDAP server certificate might not have an IP in the SAN field).

11. Backup LDAP Port1: 636.

12. If a third LDAP server is needed, add it and its port under Backup LDAP Server2 and Backup LDAP Port2.

13. LDAP Server Type: Active Directory.

14. Connection: LDAPS.

15. Ensure Validate Server Certificate is checked.

16. Connection Timeout: 15.

17. Search Timeout: 60.

18. Scroll down to the bottom and click Save Changes. Click Test Settings to ensure valid communications are possible.

If this test fails, ensure that the steps for Device Certificates and Trusted Server CAs were completed; skipping them causes LDAPS certificate validation errors.

19. Under Authentication required, check the box for Authentication required to search LDAP.

20. Enter the service account's Admin DN, using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=xxx,DC=mil

21. Enter the service account's password.

22. Under Finding user entries, add the base DN of the domain, using this as an example format: DC=DOD,DC=mil

23. Under Filter, use this specific attribute configuration: userPrincipalName=<USER>

24. Under Group membership, add the base DN under which the users who will access the system are located, using this as an example format: OU=IVANTI,DC=xxx,DC=mil

25. Under Filter, use the following: cn=<GROUPNAME>

26. Under Member attribute, use the following: member

27. Click Save Changes.

28. Back in the same LDAP server configuration screen, scroll down and click the Server Catalog hyperlink.

29. Under Attributes, click New, type userPrincipalName, and click Save Changes.

30. Under Groups, click Search. In the search box, type the group name used for user logins.

31. Check the box next to the group that is found and click Add Selected.

32. Repeat these steps for every group needed for the various user and computer roles on the ICS system.

In the ICS Web UI, navigate to Users > User Realms.

1. Click the user realm being used for remote access VPN logins.

2. Under Servers, go to Authentication and select the certificate authentication realm created earlier, which includes the customized User Name template of <certAttr.altname.UPN>.

3. Under Directory/Attribute, select the previously created LDAP server.

4. Configure the Endpoint Policy Check using Host Checker.

5. Click Save Changes.

6. Go to the Role Mapping tab.

7. Click New Rule.

8. Select Rule based on Group Membership and click Update.

9. Type a name for this rule.

10. Select is.

11. Type the group name exactly as it appears in the CN LDAP attribute.

12. Select the role needed for these VPN logins.

13. Click Save Changes.
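As an added offline illustration (example code, not Ivanti/ICS code and not part of this guide), the following Python models the realm flow configured above: the user name is taken from the certificate with the <certAttr.altname.UPN> template, located with the userPrincipalName=<USER> filter under the base DN, and group membership is resolved with cn=<GROUPNAME> plus the member attribute before the "Rule based on Group Membership ... is" role rule is applied. The in-memory directory, DNs, UPN and role name are constructed placeholders; the escaping step shows why the certificate value must reach the directory as filter data, not filter syntax.

```python
import re
from typing import Optional

# Constructed in-memory directory standing in for the LDAPS server (placeholder DNs).
DIRECTORY = {
    "CN=Jane Doe,OU=IVANTI,DC=xxx,DC=mil": {
        "userPrincipalName": ["jane.doe@xxx.mil"],
    },
    "CN=VPN-Users,OU=IVANTI,DC=xxx,DC=mil": {
        "cn": ["VPN-Users"],
        "member": ["CN=Jane Doe,OU=IVANTI,DC=xxx,DC=mil"],
    },
}
# Constructed certificate attributes as the realm sees them after PKI authentication.
SAMPLE_CERT = {"altname.UPN": "jane.doe@xxx.mil"}
# Constructed role-mapping rules: "group membership is <CN>" -> role.
ROLE_RULES = [("VPN-Users", "Remote-Access-VPN")]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a UPN copied from a certificate becomes filter data,
    never filter syntax, so it cannot widen the userPrincipalName search."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def user_name_from_template(cert_attrs: dict, template: str = "<certAttr.altname.UPN>") -> str:
    """Resolve the User Name template against the certificate attributes."""
    return cert_attrs[template.strip("<>").removeprefix("certAttr.")]

def match_equality(entry: dict, ldap_filter: str) -> bool:
    """Evaluate one (attr=value) equality filter, decoding \\xx escapes first."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return value in entry.get(m.group(1), [])

def search(base_dn: str, ldap_filter: str) -> Optional[str]:
    """Return the first DN under base_dn whose entry satisfies the filter."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(base_dn) and match_equality(entry, ldap_filter):
            return dn
    return None

def authenticate_and_map(cert_attrs: dict, base_dn: str = "DC=xxx,DC=mil",
                         group_base: str = "OU=IVANTI,DC=xxx,DC=mil") -> Optional[dict]:
    """Certificate UPN -> user entry -> groups via 'member' -> roles (exact CN match)."""
    upn = user_name_from_template(cert_attrs)
    user_dn = search(base_dn, f"(userPrincipalName={escape_filter_value(upn)})")
    if user_dn is None:
        return None  # no directory entry for this UPN: realm denies access
    roles = []
    for group_cn, role in ROLE_RULES:
        group_dn = search(group_base, f"(cn={escape_filter_value(group_cn)})")
        if group_dn and user_dn in DIRECTORY[group_dn].get("member", []):
            roles.append(role)
    return {"user_dn": user_dn, "roles": roles}
```

A certificate whose UPN carries filter metacharacters (such as a lone "*") is escaped and therefore matches no entry, which is the behaviour a realm should have.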

Endpoint Compliance Check

To configure a Host Checker policy, perform these tasks:

To create a Host Checker rule using Predefined Malware or Predefined OS Check rules:

1. In the admin console, select Authentication > Endpoint Security > Host Checker.

2. Create a new policy or click an existing policy in the Policies section of the page.

3. Under Rule Settings, choose one of the following options and click Add:

For example,

Predefined Malware

Predefined OS Checks

The predefined rule page opens.

In the Rule Name field, enter an identifier for the rule.

Under Criteria, select the specific malware or operating systems that you want to check for and click Add. (When checking for an operating system, you may also specify a service pack version.)

When you select more than one type of software within a predefined rule, Host Checker considers the rule satisfied if any of the selected software applications is present on the user's machine.

4. Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has already logged in changes, the system initiates a new handshake to re-evaluate realm or role assignments.

Use this option only for dynamic rules, such as checking whether Real Time Protection is enabled on the antivirus software. Use the Host Checker update frequency to monitor other rules periodically.

Monitor this rule for change in result for a port check is applicable only to Windows, not to Linux or Mac machines.

5. (Optional) Select Enable Custom Instructions to provide detailed instructions or a description in the form of HTML or plain text.

6. Click Save Changes.

7. Optionally add further rules to the policy, specify how Host Checker should evaluate multiple rules within the policy, and define remediation options.