Reply to post: Re: SMB

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Lee D


How would you get there without a) a RADIUS-authorised network port / computer, b) running network health reporting where Windows has to certify that it's online and clean and policy-compliant, c) your users would then have to log in via 2FA, d) only such users would be on that VLAN, able to talk to that server, etc.?

SMB is largely an exposed protocol. You don't 2FA that, you can't, not securely at all. You secure access TO the network that would allow you to see it. It's like asking whether WSUS requires 2FA... it shouldn't be exposed to people who aren't already authenticated properly.

P.S. multiOTP is a RADIUS server. Configured right, your machines could use it for network access and you'd be stuck on an unprivileged VLAN without it.

But in reality for most setups, the 2FA here is "you're physically connected to the internal network and/or you've logged in over the VPN". Not "does SMB support OTP?".
