multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

Feature Proposal: Add IP to whitelist after authenticating #7

Closed bushelofsilicon closed 6 years ago

bushelofsilicon commented 6 years ago

I think a feature to remove the OTP authentication based on IP would be useful, to give users the option of not having to use a one-time password every time.

How I imagine it working is that there would be two IP lists that together create the whitelist. The first list would be populated manually with known IPs that are trusted. The second list would get populated automatically by adding the IP used to connect when authentication is successful. Entries in this second list would then get cleared periodically (so if someone connects from somewhere like a hotel, that IP isn't trusted forever).

multiOTP commented 6 years ago

Hello, the idea is pretty nice, but it's not obvious to detect the public IP address of an RDP connection. Any suggestion (like a C++ implementation of public IP RDP detection) is welcome ;-) Furthermore, concerning security, if somebody installs a keylogger (http://www.keelog.com/) on your machine, your 2FA will be disabled after your login and somebody (in the same hotel) can directly connect remotely with your stolen password without 2FA :-( Some ideas, but not 100% reliable, in particular if used on a TS with multiple connections: https://social.technet.microsoft.com/Forums/en-US/5e12c0a0-f1cd-4730-a71c-e6200dd4ab28/get-public-ip-adress-in-a-terminal-sever-session?forum=winserverTS

ipvadimmironov commented 6 years ago

When a user logs in (with NLA, before the credential providers), an event is logged in Event Viewer with the IP and username. We can then run a task on this event and store this data in the registry (which is available through C++). So we will have the IP and can skip the OTP check if it is whitelisted. But it will not work when several users are logging in simultaneously. It will work if we can have the NLA username inside the C++ sub, so we can distinguish the login session. So there is a question: can we have the username? In arcadejust's version I've tried to make the setSerialization sub work to receive the username. It seems I've got it in the rgb variable, but when I tried to read it I got an access violation error.
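The scheme described in the comment above, as an added example that is not code from the multiOTPCredentialProvider project: successful-logon events carry a username and a source IP, a task records them, and the provider later looks the IP up. The records are constructed sample data; the field names mirror those of Windows Security event 4624 (TargetUserName, IpAddress, LogonType), which is what a real collector would read. The `attribute_ip` function (a hypothetical name) makes the failure mode from the comment explicit: without the NLA username, an IP can only be attributed when exactly one logon happened in the window.

```python
"""Attribute an RDP source IP to a logon from Windows logon events.

Added example, not code from multiOTPCredentialProvider. Event records are
constructed; field names follow Security event 4624. The window length,
function names and addresses are assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time_created: datetime
    target_user_name: str
    ip_address: str
    logon_type: int  # 3 = network (NLA handshake), 10 = RemoteInteractive


# Constructed sample records (not real log data): two users authenticate
# within seconds of each other, a third logs on half an hour later.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2018, 3, 1, 9, 0, 0), "alice", "203.0.113.10", 3),
    LogonEvent(datetime(2018, 3, 1, 9, 0, 2), "bob", "198.51.100.7", 3),
    LogonEvent(datetime(2018, 3, 1, 9, 0, 3), "alice", "203.0.113.10", 10),
    LogonEvent(datetime(2018, 3, 1, 9, 30, 0), "carol", "192.0.2.55", 3),
]

# Moments at which the credential provider would ask "which IP is this logon?"
NOW_OVERLAP = datetime(2018, 3, 1, 9, 0, 5)   # alice and bob both just logged on
NOW_LATER = datetime(2018, 3, 1, 9, 30, 5)    # only carol is recent

REMOTE_LOGON_TYPES = {3, 10}


def recent_logons(events, now, window=timedelta(seconds=30)):
    """Return remote-type logon events that fall within `window` before `now`."""
    start = now - window
    return [e for e in events
            if e.logon_type in REMOTE_LOGON_TYPES and start <= e.time_created <= now]


def attribute_ip(events, now, user=None, window=timedelta(seconds=30)):
    """Return the single source IP for the logon being handled, or None.

    With the NLA username known, only that user's events are candidates.
    Without it, every recent logon is a candidate, and two distinct IPs
    mean the attribution is ambiguous: None tells the caller to fall back
    to requiring the OTP rather than guess.
    """
    candidates = recent_logons(events, now, window)
    if user is not None:
        candidates = [e for e in candidates
                      if e.target_user_name.lower() == user.lower()]
    ips = {e.ip_address for e in candidates}
    return ips.pop() if len(ips) == 1 else None


if __name__ == "__main__":
    print(attribute_ip(SAMPLE_EVENTS, NOW_OVERLAP))           # None: two logons overlap
    print(attribute_ip(SAMPLE_EVENTS, NOW_OVERLAP, "alice"))  # 203.0.113.10
    print(attribute_ip(SAMPLE_EVENTS, NOW_LATER))             # 192.0.2.55
```

In a deployment the event list would come from the Security log (a scheduled task triggered by event 4624, as the comment suggests) and the result would be written where the C++ provider can read it; the `None` path is the case the comment warns about, and treating it as "OTP required" keeps the feature fail-closed on a terminal server with concurrent logons.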

multiOTP commented 6 years ago

Hello, we are not able to retrieve the NLA username yet either. Regards,

csc-solution commented 5 years ago

Hello,

Is there a possibility to disable OTP for a specific IP range? It is useful if a connection was established from the local LAN, not from the WAN.

Thanks.

Kind regards, Tom
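The two-list whitelist from the original proposal, extended to the IP-range exemption Tom asks about, as an added example that is not code from multiOTPCredentialProvider: a manual list of trusted networks (CIDR, so a LAN range works) plus an automatically populated list whose entries expire after a TTL, so a one-off hotel address is not trusted forever. The class name `OtpWhitelist`, the TTL and the addresses are constructed for the demonstration.

```python
"""Two-list IP whitelist deciding whether the OTP step can be skipped.

Added example, not code from multiOTPCredentialProvider. Class name, TTL
and sample addresses are assumptions made for the demonstration.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Iterable, Optional


class OtpWhitelist:
    def __init__(self, trusted_networks: Iterable[str],
                 auto_ttl: timedelta = timedelta(hours=8)):
        # Manual list: networks an administrator trusts permanently (e.g. the LAN).
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
        self.auto_ttl = auto_ttl
        # Automatic list: address -> expiry time, filled after successful OTP logons.
        self._auto = {}

    def record_success(self, ip: str, now: datetime) -> None:
        """Trust `ip` for `auto_ttl` after a logon that completed the OTP step."""
        self._auto[ipaddress.ip_address(ip)] = now + self.auto_ttl

    def purge(self, now: datetime) -> int:
        """Drop expired automatic entries (the periodic clearing from the proposal)."""
        expired = [a for a, exp in self._auto.items() if exp <= now]
        for a in expired:
            del self._auto[a]
        return len(expired)

    def otp_required(self, ip: Optional[str], now: datetime) -> bool:
        """True when the OTP step must run for a connection from `ip`."""
        try:
            addr = ipaddress.ip_address(ip)
        except (ValueError, TypeError):
            # Source address unknown or unparseable (the thread notes that detecting
            # it is unreliable): never skip the second factor on a guess.
            return True
        if any(addr in net for net in self.trusted):
            return False
        self.purge(now)
        return addr not in self._auto


def demo() -> dict:
    """Walk one address through the lifecycle; returns the decisions taken."""
    wl = OtpWhitelist(["192.168.1.0/24"], auto_ttl=timedelta(hours=1))
    t0 = datetime(2018, 3, 1, 9, 0)
    results = {}
    results["lan"] = wl.otp_required("192.168.1.20", t0)          # False: manual list
    results["hotel_first"] = wl.otp_required("203.0.113.10", t0)  # True: unknown address
    wl.record_success("203.0.113.10", t0)                          # OTP logon succeeded
    results["hotel_again"] = wl.otp_required(
        "203.0.113.10", t0 + timedelta(minutes=30))                # False: within TTL
    results["hotel_expired"] = wl.otp_required(
        "203.0.113.10", t0 + timedelta(hours=2))                   # True: entry expired
    results["unknown_source"] = wl.otp_required(None, t0)          # True: fail closed
    results["auto_entries_left"] = len(wl._auto)                   # 0 after the purge
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The maintainer's keylogger point above is the reason the automatic TTL should be short and the manual list limited to networks whose hosts are themselves under control: any address on either list turns a stolen password back into single-factor access for as long as the entry lives.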

arcadejust commented 5 years ago

There is no (known to me) API call that could query the context of the logon attempt in terms of RDP connection properties. I wrote this simple IP check with the assumption that there is currently only one connection on the RDP port. I would not recommend this to be anything but debug functionality, and especially not a security feature. Also, I've never succeeded in reading credentials from the NLA - I think that's an M$ "security feature".