The Challenge
Protecting Jump Server Connections
As with many financial institutions, this leading commercial bank based in Hong Kong uses jump servers to separate networks with different security requirements. Acting as a stepping stone for administrators, a jump server isolates critical banking applications from potentially infected workstations.
Logging in with corporate Active Directory (AD) credentials, an administrator connects to a jump server via Microsoft's Remote Desktop Services. The AD accounts are configured to allow or deny access.
However, the theft, compromise and misuse of credentials remain cornerstones of targeted attacks and fraud. AD accounts are subject to brute-force attacks, where possible passwords are tried until the right one is found, and dictionary attacks, where words and word combinations are tested as candidate passwords.
For this reason, many cybersecurity standards call for multi-factor authentication (MFA) to prevent unauthorized access or operations. By requiring an additional credential, such as a temporary one-time password generated by a hardware token or an authenticator application, stolen AD credentials are of no value unless the other factor(s) used for authentication are also acquired.
The Solution
Adding MFA with Hardware Tokens
The IT Management Team wanted a multi-factor authentication solution to secure access to jump servers and meet local audit requirements. The technology had to be hosted locally (on-premises) and work with corporate AD credentials. The team also required MFA for direct access to other terminal servers and for specific workstations used for privileged access, and wanted to add MFA to better protect VPN connections.
UserLock met all of these requirements. Hosted on-premises with no internet connection required, it enforces an additional proof of identity at logon. It also supports several second-factor options, including authenticator applications and hardware tokens such as YubiKey and Token2.
The Benefits
Easily scale MFA to protect key bank assets
With the aim of further improving the banking sector's cyber resilience, the Hong Kong Monetary Authority (HKMA) requires all financial institutions to complete C-RAF (Cyber Resilience Assessment Framework), a risk-based framework under which authorized institutions assess their own risk profiles and benchmark the level of defense and resilience required to provide appropriate protection against cyber-attacks.
With UserLock, the bank is able to strengthen user access controls on critical banking applications and help meet C-RAF requirements.
- Increased security
The introduction of multi-factor authentication on jump servers, terminal servers and individual workstations significantly reduces the consequences of compromised credentials.
- Easy to adopt
Simple deployment and centralized management ensured a painless setup and on-boarding experience. Real-time monitoring gives administrators an instant overview of all user session activity, making it easy to check who is connected, from where, and since when.
- Cost effective
The bank now has a secure and cost-effective solution for control over, and visibility into, user access. Working alongside Active Directory, it provides a robust MFA solution that can be enabled on all connection types: Windows logon, RDP, RD Gateway, VPN and IIS, making further rollout simple.