Enhanced ADFS protection for securing cloud services
Allows authorized users to continue accessing cloud-based services even when their account is under DDoS attack
ADFS – an enterprise security risk
Active Directory Federation Services (ADFS) is an authentication service developed by Microsoft that allows the secure sharing of identity information between trusted business partners across an extranet and the company’s local Active Directory.
Enterprises utilizing cloud services, such as Office 365, typically use ADFS to extend their end users’ single sign-on (SSO) access to applications and systems outside the corporate firewall. Allowing an external service to authenticate against your local Active Directory (AD) presents a security challenge, and puts ADFS at risk for Distributed Denial-of-Service (DDoS) attacks. Even without the password, an attacker can easily lock an account simply by sending failed login attempts with the employee’s user name, a value that is easily exposed.
Microsoft Windows 2012 Extranet Lockout protection limitations
Traditional solutions such as the built-in Windows 2012 Extranet Lockout protection – a part of the Windows 2012 server – fail to provide a workable solution for most enterprises. Once the software detects an attack, the Extranet Lockout is activated and ALL external access is denied, with no exceptions. This means that while the internal account remains secure, legitimate users are still unable to access the account through ADFS, causing significant disruption to business operations. As more and more services depend on ADFS, the impact of DDoS is more significant.
In addition, Windows 2012 Extranet Lockout fails to fully protect the AD account from all lockouts. AGAT has identified and demonstrated the ability to lock Active Directory accounts even when the ADFS Extranet Lockout feature was configured to block account lockout. SphereShield for ADFS’ robust solution addresses this vulnerability, ensuring the enterprise extranet is secured in all scenarios.
Enhanced ADFS protection
SphereShield for ADFS is a proprietary security solution that allows legitimate users to continue accessing their cloud-based services even when their account is under attack. Developed by AGAT Software, an innovative security provider specializing in external access, authentication and data protection solutions, SphereShield for ADFS delivers new-generation ADFS protection against automated attacks/bots and human-based attacks.
Security for business critical applications
Utilizing adaptive authentication options based on real-time data analysis, SphereShield for ADFS offers more robust protection than Windows 2012 Extranet Lockout Protection. An advanced management portal enables proactive analysis, detection and auditing of security incidents. SphereShield for ADFS provides enterprises with the peace of mind of knowing that their business-critical applications are well secured.
Account lockout protection: AGAT Software’s authentication and data protection solutions are widely deployed and successfully securing global enterprise applications across a range of industries. The new-generation SphereShield for ADFS builds on AGAT’s proven ADFS security solution by solving the issue of extranet lockout that prevents legitimate users from being able to sign in while their account is under attack.
Multi-factor security features: Using a range of parameters to identify authorized user authentication, SphereShield for ADFS offers adaptive authentication methods based on real-time risk assessment. Threats can be identified based on geolocation, device identifiers and behavior profiling.
Security dashboard portal: SphereShield for ADFS offers enterprises an advanced tool for real-time monitoring and data collection of security events, failed login monitoring, data auditing including information such as user, device, IP and geolocation, as well as reports analyzing user behavior and data.
SphereShield has developed an innovative security solution for smart card authentication enabling safe mobile Skype for Business (Lync) access for organizations with a network policy that requires their workers to use smart card login.
The simple and easy-to-implement security solution allows organizations to continue maintaining the smart card authentication policy, enabling mobile users to connect to the corporate network from any outside network without using Active Directory credentials.
The need for the solution arose from the growing number of organizations that provide their workers with a smart card device to strengthen the identity authentication process. These organizations face a problem while implementing Skype for Business mobile authentication, which requires the user to enter his or her Active Directory (AD) credentials.
In such organizations, users do not have Active Directory credentials as they use the smart card for authentication instead. This in turn may cause a problem, as Microsoft Skype for Business requires Active Directory credentials to connect from handheld devices.
SphereShield’s smart card solution addresses this challenge by applying the authentication process in two separate steps:
- The user creates dedicated Skype for Business credentials from a self-service registration web site after using his/her smart card for authentication to the site from a PC.
- The user then needs to connect his/her mobile device within a limited time frame by entering the dedicated Skype for Business credentials on the mobile device.
During the first authentication attempt, the device is registered to add Two Factor Authentication (TFA) for external Skype for Business clients.
- Ability for authorized users to continue using ADFS even while under an attack
- Enhanced ADFS security against automated/human attacks
- Account lockout (DDoS) protection
- Security auditing logs and reports
- Mitigation of ADFS Extranet Lockout Protection’s vulnerability
- Live Geo location map
- Geo fencing rules
- IP based restrictions
- Security auditing and reports
- Authentication risk engine
- Simple and transparent deployment
- No end user training required