PCI 2FA Requirements

As of the 1st February 2018 the new implementation of PCI DSS came into play, version 3.2 has a number of major additions for a full list of all the changes take a look at the official site here.  In my opinion one of the most important additions within 3.2 is requirement 8.3, this is the addition of multi factor authentication for administrators.  If your unsure about what this is then have a read of the official document from the Security Standards Council here.

A quick summary from the official wording is “New Requirement 8.3.2 incorporates the former Requirement 8.3, and addresses multi-factor authentication for all personnel with remote access to the CDE. This requirement is intended to apply to all personnel – including general users, administrators and vendors (for support and maintenance) with remote access to the network – where that remote access could lead to access to the CDE.” This basically means if you Remote Desktop to any server and log on as a domain admin you basically need multi factor authentication.

With the above being the driving factor of this post, this resulted in me doing some investigation work into how this would be implemented, and although there are many pieces of software out there that will do the job i settled on Vasco Digipass.  Now the main issue with this software is to say the setup guide was “unhelpful” was a little of an understatement, so as a result i have decided to put together a post to help as a refresher and also help anyone who hits similar problems as i had.  To give a brief overview of the software, ill break down what it does and how it does it, there are a number of different pieces in the Vasco Digipass suit, the overall main one being the authentication server that everything reports back to.  This server is basically the management platform offering secure and centralized access.

The second bit of software is the Digipass Authentication for Windows, this is a small bit of software that sits on any server you need to log into, and basically reports back to the main server for authentication, using both parts you authenticate with the main server using a OTA (one time password) token, this can be either a hardware fob with randomly generated number on it, or a mobile phone app which displays numbers on a screen that changes every 10 or so seconds.

Now the formalities are out the way, lets get on with the installation and setup of this, the best place to start really is with the authentication server.  The hardware requirements are relatively low but just note that 4GB of memory is required as a minimum, and only Server 2008 R2 with SP1 and above are supported, there is however no limit on hosting this software on virtual or physical servers, i am personally hosting on a Hyper V infrastructure.

Once you have your server built with the operating system fully up to date, run the authentication server installation setup using a basic installation, this will install the following

The Authentication Server Setup Utility automatically launches the Configuration Wizard after installing all the necessary components in Basic Mode. In this mode, the Configuration Wizard uses default values for most settings.  The majority of the configuration wizard options are pretty much self 

explanatory, briefly them being the IP address of the server your installing on, the purchased license key, the server functionality, your admin details, SSL Cert if required, RADIUS Config.

Once this has run though and installed you have a up and running Digipass Authentication Server.

In my next post we will cover the setup and install of the Windows authentication logon on the servers, giving us the ability to use multi factor authentication with the main server.