Details
ESET Secure Authentication Overview
ESET Secure Authentication (ESA) adds two-factor authentication (2FA) to VPNs, RADIUS devices, Remote Desktop Protocol and various web applications including Outlook Web Access. 2FA is enforced through one-time passwords (OTPs) that can be delivered via SMS, a mobile application, or hardware tokens (hard tokens).
Solution
Active Directory Schema extension in ESET Secure Authentication
ESET Secure Authentication (ESA) extends the Active Directory Schema. While some concern has been expressed that extending the Active Directory (AD) Schema can break Active Directory or cause other issues, ESA has been specifically designed to align with Microsoft best practices for extension of the AD Schema. These best practices have been documented in the following Microsoft Developer Network article:
Extending the Active Directory Schema
Microsoft best practices for extension of the AD Schema observed by ESA include:
- Only define globally interesting, relatively static information in the schema
- Objects defined in the schema should not be created very often or modified frequently
- Objects should have a long life
- Use twice the maximum replication frequency when determining longevity or frequency
- Test the application in a private forest and with other applications before deploying
- The schema upgrade must be separate from the application installation
ESA complies with all of the above Microsoft recommendations.
Schema Extensions that ship with ESA
Microsoft provides a number of additional guidelines for schema extensions that ship with applications (such as ESA). ESA is designed to comply with these suggestions, which include the following:
- The application and schema extensions were tested on a local network
- A separate install has been created for ESA
- The LDIF files for the schema installation are created
- The application uses LDIFDE.exe to load the LDIF files
- The application uses a registered prefix and base OID for each class and attribute
- The application has a unique schemaIDGuid for each class and attribute
Because ESA follows all the official guidelines published by Microsoft with regard to extending Active Directory Schemas, there is no cause for concern about the safety or stability of the extensions that ESA performs upon installation.
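The last two guidelines in the list above (an OID under a registered base for every class and attribute, and a unique schemaIDGuid for each) can be checked on an LDIF schema file before it is loaded. The following Python check is an added example, not ESET code; the base OID, entry names and GUID values are constructed placeholders and do not reflect ESA's real schema.

```python
import base64

BASE_OID = "1.3.6.1.4.1.99999"  # hypothetical registered prefix, not ESA's
GUID_A = base64.b64encode(b"\x01" * 16).decode()  # constructed 16-byte GUID
# Constructed sample: entry names, OIDs and GUIDs are placeholders.
SAMPLE_LDIF = f"""\
dn: CN=example-Token-Data,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
attributeID: {BASE_OID}.1.1
schemaIDGUID:: {GUID_A}

dn: CN=example-Settings,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
governsID: 1.3.6.1.4.1.88888.2.1
schemaIDGUID:: {GUID_A}
"""

def parse_ldif(text):
    """Yield one dict per record: lowercased attribute -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold long lines
    for block in text.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                binary = rest.startswith(":")  # "attr:: value" is base64
                value = base64.b64decode(rest[1:].strip()) if binary else rest.strip()
                rec.setdefault(name.lower(), []).append(value)
        if rec:
            yield rec

def lint_schema(text, base_oid):
    """Return (dn, problem) pairs for schema entries that break either rule."""
    findings, guids = [], set()
    for rec in parse_ldif(text):
        kinds = {str(v).lower() for v in rec.get("objectclass", [])}
        if not kinds & {"attributeschema", "classschema"}:
            continue  # not a schema definition
        dn = rec["dn"][0]
        oid = (rec.get("attributeid") or rec.get("governsid") or [""])[0]
        if not oid.startswith(base_oid + "."):  # compare whole arcs only
            findings.append((dn, "OID missing or outside registered base"))
        guid = (rec.get("schemaidguid") or [b""])[0]
        if not isinstance(guid, bytes) or len(guid) != 16:
            findings.append((dn, "schemaIDGUID missing or not 16 bytes"))
        elif guid in guids:
            findings.append((dn, "duplicate schemaIDGUID"))
        guids.add(guid)
    return findings
```

Running `lint_schema(SAMPLE_LDIF, BASE_OID)` flags the second entry twice: its governsID is outside the base OID and its schemaIDGUID repeats the first entry's value.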