Properly securing your Mi-Token authentication server is critical, as it houses sensitive data like token seeds that could compromise your 2-factor authentication if accessed by unauthorized parties. Here are some key recommendations to harden your Mi-Token server:
1. Secure Domain Admin Accounts
Ensure any domain/enterprise admin accounts and Mi-Token admin accounts have very strong passwords (20+ characters, mix of letters, numbers, symbols). Consider requiring 2FA for admin logins as well.
2. Isolate the Mi-Token Server
Place the Mi-Token server on its own VLAN and restrict administrator access to it via firewall policies, IPsec tunnels, or 802.1x port authentication. This minimizes exposure.
3. Encrypt Server Backups
Any backups taken of the Mi-Token server should be encrypted and stored securely. Avoid storing backup media with the server. See the documentation for backup best practices.
4. Delete Token Seed Files After Import
After importing token seed files to initialize your token database, securely delete the original files received from Mi-Token. If you need to retain copies, encrypt them and store them separately from the server.
5. Apply Latest OS Security Patches
Keep the Windows Server OS up-to-date with the latest security patches from Microsoft. Avoid running Mi-Token on server OS versions that are no longer supported.
6. Follow Least Privilege Principle
When setting up Mi-Token security roles and permissions, follow the principle of least privilege. Only give admin permissions to those who absolutely need them. Restrict help desk users to the minimum permissions required.
7. Use Dedicated Service Accounts
Run the Mi-Token services under dedicated least-privileged service accounts instead of admin or system accounts. This limits the damage if a service is compromised.
8. Enable Windows Server Auditing
Turn on Windows security event auditing for the Mi-Token server so you have logs of all key actions and access attempts for incident response and forensics.
9. Physical Security
Don't neglect physical security for your Mi-Token server. It should be in a locked room or cage with access restricted to authorized personnel.
10. Stay Up-to-Date
Install new versions of the Mi-Token server components as they become available to ensure you have the latest security enhancements and fixes.
As a general principle, aim to secure your Mi-Token authentication server to the same level as you would a domain controller, as it is just as critical to the security of your environment. Consult Microsoft's server hardening guides for your OS version for additional guidance. With proper hardening, you can minimize the risk of your Mi-Token server being compromised.