Some components of IT environments are just too tough to move away from, even if there’s interest in moving in another direction. Windows File Sharing is one of them for some organizations.
I get it: product teams at my family business used nothing but shared folders for as long as anyone could recall. It’s difficult to migrate a large volume of files and rebuild NTFS permissions, or to overlook that you’ve invested in (and already paid for) a VPN solution. But there’s an easy solution for smaller teams that only have a few end users.
JumpCloud’s cloud directory can manage your existing file shares in combination with Integrated Windows Authentication. The directory serves as the steel thread that binds systems together, maintaining the file sharing workflow using NTLM locally, while enabling highly secure Single Sign-On (SSO) with MFA everywhere else. This approach provides full, supported Windows compatibility with JumpCloud’s login authentication and management.
Using NTLM as the path forward may raise some eyebrows, so this article will discuss what NTLM is, how it will work in this scenario, and how it can be used as securely as possible. In this associated walkthrough, you’ll learn how you can open access to testing out JumpCloud as your directory provider while maintaining workflows that are an important part of how your organization works.
Using Integrated Windows Authentication
NTLMv2 is a Windows-native challenge-response protocol that continues to be used as a fallback when Kerberos is unavailable (or misconfigured). The protocol makes it possible to authenticate local logins without a domain controller. It’s supported by Microsoft and should be:
- Hardened with a configuration (pushed via JumpCloud)
- Monitored with JumpCloud’s Directory Insights
- Secured through the use of advanced EDR solutions to detect any known malicious behaviors
This way risks associated with NTLM are minimized while any unwanted domain controllers can be systematically retired.
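The hardening and monitoring steps above can be expressed as a small compliance script. The following is an added example written for this article, not JumpCloud’s own code or a JumpCloud command template: it audits a standalone Windows host against a hardened NTLM baseline and, with -Apply, enforces it. The registry paths and value names are the documented Windows settings behind the "Network security:" Group Policy items; the chosen baseline values, the -Apply switch and the exit-code convention are this example’s own assumptions.

```powershell
# Added example (not JumpCloud's code): audit, and optionally apply, a hardened
# NTLM baseline on a standalone Windows host. Run elevated; writing to HKLM
# requires administrator rights.
[CmdletBinding()]
param(
    [switch]$Apply   # Without -Apply the script only reports drift
)

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = "$Lsa\MSV1_0"

# Desired state (assumed baseline for this example):
#  LmCompatibilityLevel 5     = "Send NTLMv2 response only. Refuse LM & NTLM"
#  NoLMHash 1                 = never store the weak LM hash for local accounts
#  NtlmMinClientSec/ServerSec = 0x20080000: require NTLMv2 session security
#                               and 128-bit encryption for the NTLM SSP
#  AuditReceivingNTLMTraffic 2 = audit all incoming NTLM authentication; events
#                               land in Microsoft-Windows-NTLM/Operational, which
#                               a log collector can forward for monitoring
$Baseline = @(
    @{ Path = $Lsa;   Name = 'LmCompatibilityLevel';      Value = 5 },
    @{ Path = $Lsa;   Name = 'NoLMHash';                  Value = 1 },
    @{ Path = $Msv10; Name = 'NtlmMinClientSec';          Value = 0x20080000 },
    @{ Path = $Msv10; Name = 'NtlmMinServerSec';          Value = 0x20080000 },
    @{ Path = $Msv10; Name = 'AuditReceivingNTLMTraffic'; Value = 2 }
)

function Get-NtlmSetting {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not present = Windows default
    return [int64]$item.$Name
}

$report = @()
foreach ($s in $Baseline) {
    $current = Get-NtlmSetting -Path $s.Path -Name $s.Name
    $compliant = ($null -ne $current) -and ($current -eq [int64]$s.Value)

    $currentText = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
    $report += [pscustomobject]@{
        Setting   = $s.Name
        Expected  = '0x{0:X}' -f [int64]$s.Value
        Current   = $currentText
        Compliant = $compliant
    }

    if (-not $compliant -and $Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets whatever pushes this script (e.g. a directory-managed
# command) flag the host as drifted instead of silently succeeding.
if (($report.Compliant -contains $false) -and -not $Apply) { exit 1 }
```

Two caveats for this specific workflow: the baseline deliberately does not set RestrictReceivingNTLMTraffic, because the file server in this design still has to accept NTLMv2 from clients, so blocking incoming NTLM there would break the shares the article is trying to keep; and the audit setting only produces evidence, so the Microsoft-Windows-NTLM/Operational log still needs to be collected and reviewed (or fed to the EDR) for the monitoring step to mean anything.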
The configuration that we’re outlining has all users logged into Windows via JumpCloud, which can be set up with multi-factor authentication and conditional access policies that ensure that Windows environments are up to date and fully patched. Those same JumpCloud credentials will be used for secure SSO into your organization’s cloud services, providing smoother onboarding and offboarding, zero trust access policies via Conditional Access, and added convenience for your end users. We’ve lab-tested it in cooperation with a partner who pioneered this workflow.
You may also want to strongly consider migrating your most confidential files to a cloud-based file-sharing service, backed by the security of JumpCloud’s SSO, as another technical control to reduce the risk of data exfiltration. Any project involving shared data should begin with data classification and a review of whether least privilege access rights and principles are being followed.
Begin by following this tutorial to get started with domainless Windows file sharing, with all of the prerequisite NTLM security steps outlined. Get started by taking a moment to sign up for JumpCloud, which provides full access for 10 users or 10 devices. You’ll also receive complimentary premium anytime support during the initial 10 days of your account’s creation.
Special thanks to Idan Mashaal at Plus500