Shulou(Shulou.com)06/02 Report--

E-mail has become more and more important in today's business applications. A few months ago, a well-known consulting firm encountered the most serious problem in its history. * * successfully gained sufficient access to more than 5 million emails and a large number of customers' intellectual property and sensitive information may be leaked. This is the third major information security incident in a row that has affected the global economy after the Equifax and SEC*** incidents of the Securities and Exchange Commission. In order to protect electronic security, many organizations have begun to introduce multi-factor authentication (MFA,Multi-Factor Authentication).

In Office365, MFA has been supported for a long time, so for both pure O365 users and mixed deployment users, it is convenient to use MFA with O365 and MFA, or Azure AD, but for locally deployed Exchange mail systems, can you also use MFA to ensure email security if necessary?

Yes, of course, but if it is fully local (local AD, local Exchange), there will be some restrictions, because the Exchange OWA interface does not support windows such as entering CAPTCHA. For the following four authentication methods, only phone calls are supported, that is, after the user enters the user name and password, the reserved phone will receive an incoming call, requiring the user to press the # key to confirm. Or enter a pre-set PIN code (it is up to the administrator to determine which setting to use)!

Two-factor authentication method supported by Azure AD

The phone call calls the registered phone number of the user. The user enters PIN if necessary, and then press the # key.

The SMS sends a text message containing a 6-digit verification code to the user's mobile phone. The user enters this CAPTCHA on the login page.

The mobile application notification sends an authentication request to the user's smartphone. The user enters PIN if necessary, and then selects "verify" on the mobile app.

The mobile application CAPTCHA that runs on the user's smartphone will display the CAPTCHA, which will be changed every 30 seconds. After finding the latest CAPTCHA, the user enters the CAPTCHA on the login page.

Third-party OATH tokens can configure the Azure multiple authentication server to accept third-party authentication methods.

Next, if you implement the multi-factor authentication method in Ad and Exchange of On-Premises!

1. First of all, you must have an Azure subscription (which may not be related to your On-Premises). Go to the AD/MFA server, server settings, and find: download MFA service software

2. You can also download it directly from the following address:

Https://www.microsoft.com/en-us/download/details.aspx?id=55849&WT.mc_id=rss_alldownloads_all&download=mfa&clcid=0x4

3. After the download is completed, run the installer on the Exchange server (OWA), prompting you to install the two components first.

4. Start the MFA Server installation after completion, and select the installation directory

5, the installation process is very simple, click next, the installation can be completed!

6. You will be prompted to enter Email/password at the beginning of the first time. Note that this is not one of your mailboxes, but a user-activated Azure mailbox and password generated in the Azure subscription.

7. In Azure management, AD/MFA server, server settings, click generation, and Copy the generated email address and password to MFA Server in the figure above.

8. Point activation

9. Activate and select an existing group, or create a new MFA group

10. Confirm the interface after completion

11. First, you need to import users from AD. Under User, enter Import From AD

12. Select the domain, OU, user, etc. You can import the entire AD user according to your needs, or you can import only one OU.

13. After selecting, click Import, and the corresponding user will be entered into the User list of MFA.

14. Next, we need to configure the users we need. Note that the phone number and country code must be normal, and then in Phone Call, enable

15. Select IIS Authentication and add an OWA HTTP address

16. Select the OWA directory where FMA needs to be enabled. If you need to enable OEA/ECP, check these two items, and then check the Enable IIS Authentication above.

17. Here, the configuration is complete! Now open OWA on the computer, enter the user name and password, and click on login.

18. Login success or failure will not be immediately displayed. You need to wait for phone confirmation. The phone you set up here will receive a call from a strange number. If you do not answer it or hang up, OWA will indicate that the user name and password is incorrect and login failed!

19. If you connect normally, press the # key to verify according to the voice prompt

20. After verification, OWA can log in normally!

21. The default voice prompt is English, and you can change it to the local language according to the user, such as Chinese, so that the voice prompt heard by the user will become Chinese!

22. If you use the method of selecting PIN code for verification, when you log in, you need to enter a preset PIN code to complete the verification after connecting the phone.

Summary: although not as powerful as O365 MFA, but can add a phone authentication function, compared to a simple password is still much more secure, in the face of the current situation that everyone's password awareness is not strong, it is still very effective!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.