Windows Workstation (Endpoint) Protection
There are several important points to consider regarding workstations and the protection of logons/data on these endpoints.
Threat Modeling
Unlike remote network resources, workstations (especially mobile laptops) present a greater attack surface, because an attacker can gain physical possession of the device. In addition to subverting the OS logon itself, an attacker could pull the hard drive and directly attempt to read the stored data. Therefore, solutions that only protect the OS logon may not be sufficient protection; consideration should be given to the protection of stored data as well.
Full Drive Encryption
AuthLite does not provide its own branded/integrated full disk encryption. We recommend using BitLocker with TPM if possible, since this integrates seamlessly into Windows and does not require the entry of any additional credentials.1
Without drive encryption, endpoint logon protection is not effective against an attacker who steals the system or its hard drive. The attacker does not need to authenticate to the account at all; they can simply read the data off the disk.
If you choose to use a third-party FDE solution that "synchronizes" with Windows user credentials (meaning you enter the username and password at boot time), it will probably not work with AuthLite, because AuthLite's OTP requirement changes the Windows logon on workstations in a way such a pre-boot prompt does not account for. At best, your FDE will still just use your password. More likely, it will stop being able to synchronize properly with password changes and/or prevent AuthLite logons from working. At worst, it could prevent you from decrypting your drive at all. Contact your FDE vendor and follow whatever solution for strong authentication they support.
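The following script is an added example, not code from AuthLite's documentation or product. It audits whether the OS volume is already encrypted with a TPM-bound key and, with -Enable, turns BitLocker on the way the text recommends (TPM protector, no extra boot-time credential), adding a recovery password so the drive stays recoverable after firmware changes. It assumes Windows 10/11 with the BitLocker PowerShell module, an elevated session, and C: as the OS volume; the -RequirePin switch selects BitLocker's TPM+PIN mode as the alternative for the cold boot caveat in the footnote.

```powershell
# Added example (not AuthLite's code). Audit/enable BitLocker with a TPM key protector.
# Assumptions: Windows 10/11, BitLocker module available, elevated session, OS volume is C:.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [switch]$Enable,       # without this the script only reports state
    [switch]$RequirePin    # TPM+PIN instead of TPM-only; trades convenience for cold boot resistance
)

function Get-OsVolumeProtection {
    param([string]$MountPoint)
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint        = $MountPoint
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        VolumeStatus      = $vol.VolumeStatus       # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus  = $vol.ProtectionStatus   # Off also when protection is merely suspended
        EncryptionMethod  = $vol.EncryptionMethod
        KeyProtectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    }
}

$state = Get-OsVolumeProtection -MountPoint $MountPoint
$state | Format-List

$tpmBound  = ($state.KeyProtectorTypes -contains 'Tpm') -or ($state.KeyProtectorTypes -contains 'TpmPin')
$protected = ($state.VolumeStatus -eq 'FullyEncrypted') -and ($state.ProtectionStatus -eq 'On') -and $tpmBound

if ($protected) {
    Write-Host "OK: $MountPoint is fully encrypted and its key is sealed to the TPM."
    return
}
Write-Warning "$MountPoint is NOT protected by BitLocker+TPM: a stolen drive can be read without any logon."
if (-not $Enable) { return }

if (-not $state.TpmReady) {
    throw "TPM is not ready (present=$($state.TpmPresent)). Enable/initialise it in firmware first."
}

# Already encrypted but protection suspended (common after a firmware update): just resume.
if ($state.VolumeStatus -eq 'FullyEncrypted' -and $state.ProtectionStatus -eq 'Off' -and $tpmBound) {
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    Write-Host "Resumed suspended BitLocker protection on $MountPoint."
    return
}

if ($RequirePin) {
    # TPM+PIN: the PIN is entered before Windows boots, so the volume key is never
    # unsealed into DRAM on an unattended machine. Group Policy must allow a startup PIN.
    $pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# The recovery password is what gets you in after TPM measurements change (firmware
# update, board swap). Escrow it (AD DS, Entra ID/Intune) per policy; never keep it on
# the same machine.
$rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Write-Host "Recovery password protector $($_.KeyProtectorId) created; escrow it now." }
```

Run it without switches first to see the current state; a ProtectionStatus of Off on a FullyEncrypted volume means the key is stored in the clear on disk (suspended protection), which is as bad as no encryption for the stolen-drive case. Note that none of this interacts with the AuthLite logon: the TPM releases the volume key before Windows starts, so the user still sees only the normal (AuthLite-protected) Windows logon.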
Untrusted workstations
With AuthLite version 2 and later, the credential data processed by a workstation cannot be reused in the future to gain another fresh Kerberos or NTLM session. By contrast, a malicious AuthLite v1 workstation could gather enough information to impersonate the user in the future. For more information see this KB article.
Known workstation limitations
If a user's session lasts long enough for their Kerberos ticket-granting ticket (TGT) to expire, the workstation will attempt to acquire a new ticket in the background using the previously entered credentials. For 2-factor users this operation will fail, because (by design) the workstation does not possess the user's full credentials. Therefore, logon sessions that endure past the expiration of the TGT will become unable to access network resources. Upon trying to access a resource without a valid TGT, Windows will automatically show a message instructing the user to lock and unlock the workstation to provide domain credentials, which produces a fresh TGT.
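As an added example (not code from AuthLite's documentation or product), the script below reports when the current logon session's TGT expires, so a long-running 2-factor session can be told to lock and unlock before network access starts failing. It parses the output of klist.exe; the "EndTime : <date> (local)" line layout and the English date format are assumptions about the local build and locale, and the sample klist output embedded in it is constructed.

```powershell
# Added example (not AuthLite's code). Warn when the session's Kerberos TGT is about to
# expire. Assumes klist.exe prints "EndTime  : M/d/yyyy H:mm:ss (local)" lines (English locale).
function Get-TgtExpiry {
    param([string[]]$KlistOutput = (& klist.exe tgt 2>&1))
    $text = $KlistOutput -join "`n"
    $end   = [regex]::Match($text, 'EndTime\s*:\s*(?<t>.+?)\s*\(local\)')
    $renew = [regex]::Match($text, 'RenewUntil\s*:\s*(?<t>.+?)\s*\(local\)')
    if (-not $end.Success) { return $null }   # no cached TGT, or output we do not understand
    $endTime   = [datetime]::Parse($end.Groups['t'].Value)
    $renewTime = $null
    if ($renew.Success) { $renewTime = [datetime]::Parse($renew.Groups['t'].Value) }
    [pscustomobject]@{
        EndTime    = $endTime
        RenewUntil = $renewTime
        Remaining  = $endTime - (Get-Date)
    }
}

function Get-TgtState {
    param([pscustomobject]$Tgt, [timespan]$Threshold = (New-TimeSpan -Minutes 30))
    if ($null -eq $Tgt)                       { return 'no-tgt'   }
    if ($Tgt.Remaining -le [timespan]::Zero)  { return 'expired'  }
    if ($Tgt.Remaining -le $Threshold)        { return 'expiring' }
    return 'ok'
}

# Constructed, abbreviated klist output used to show the parser; real output has more fields.
$sample = @'
Cached TGT:

ServiceName        : krbtgt
TargetDomainName   : CORP.EXAMPLE.COM
StartTime          : 1/2/2024 8:00:00 (local)
EndTime            : 1/2/2024 18:00:00 (local)
RenewUntil         : 1/9/2024 8:00:00 (local)
'@ -split "`n"
Write-Host "Sample parses to EndTime = $((Get-TgtExpiry -KlistOutput $sample).EndTime)"

# Live check of the session this script runs in.
$tgt = Get-TgtExpiry
switch (Get-TgtState -Tgt $tgt) {
    'ok'       { Write-Host "TGT valid until $($tgt.EndTime) ($([int]$tgt.Remaining.TotalMinutes) min left)." }
    'expiring' { Write-Warning "TGT expires at $($tgt.EndTime). Background renewal fails for 2-factor users: lock and unlock the workstation now to re-enter domain credentials." }
    'expired'  { Write-Warning "TGT expired at $($tgt.EndTime). Network resources will fail until you lock and unlock the workstation." }
    'no-tgt'   { Write-Warning "No cached TGT found for this logon session (or klist output not recognised)." }
}
```

Run this in a non-elevated prompt for the check to be meaningful: an elevated process belongs to a separate logon session with its own ticket cache, so klist there may report a different TGT than the one the user's desktop is using. The RenewUntil value is informational only; for a 2-factor user the workstation cannot actually exercise the renewal, which is exactly the limitation described above.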
1 This BitLocker+TPM authentication mode is quite secure for most threat models; however, it is vulnerable to cold boot attacks, in which the DRAM of a running or sleeping workstation is chilled and removed so the volume key held in memory can be read. If that attacker is within your threat model, another approach should be considered, such as BitLocker's TPM+PIN mode, which requires a PIN at boot before the volume key is unsealed (at the cost of the credential-free boot noted above).