Two factor what???
January 9, 2011 10:56 AM

OK, System Admins, need your help! Can you give me a basic, high-level overview of how you integrate two-factor authentication into a Windows 2008 AD network where we currently only use a username and password? And then, if you can, some "nitty gritty" details of how it's done would be great. See explanation...

15 Windows 2008 DC servers at multiple locations across the U.S., connected through T1s, about 550 XP clients (I know, I know... thinking of going to Win7 this year), most of which are Dell Latitude E6410 laptops that use a Cisco SSL VPN client to log in remotely. I'm being asked to spearhead this project of going from a single username and password security model to a "two factor authentication" model. I'm thinking a "token" card, like an RSA SecurID card or something. I'm usually a desktop support guy, so this is a little overwhelming. But they've asked me to give it a shot... Need your help MeFites!! Thanks in advance
posted by stevyb to Technology (7 answers total) 2 users marked this as a favorite
 
Best answer: It has been a few years since I've been involved directly with these types of projects, so my advice might be a bit dated.

This should be overwhelming. This is a fairly involved project and could be quite costly both from a software/hardware and support perspective. If you're thinking of going with a smartcard or any other physical token there is a logistics piece that you should start planning now. A lot of organizations are looking at smart phones to handle this as opposed to yet another physical medium.

Windows will not natively support this type of functionality. You'll need a middleware tier or cryptographic service provider (CSP). SafeNet is one example.

This will mean that you'll need to distribute software across the DCs (sometimes; this is not always the case) and workstations. You will most likely need something that will support your particular VPN solution, depending on how it is currently set up for authentication (RADIUS, LDAP, Kerberos, etc.).

If you have access to Gartner or Forrester, I would highly recommend browsing through some of their research material in this area. Gartner in particular has a "magic quadrant" approach to vendor evaluation which will identify the leaders in this space (as per Gartner's evaluation).

Once you have a few vendors, I would start contacting them.
posted by purephase at 11:24 AM on January 9, 2011 [1 favorite]


Agree with purephase that this should be overwhelming and not undertaken without some serious thought. This isn't something that you can just plug in, turn on and be set. Introducing this kind of technology will require changing your onboarding processes and your help desk processes, and will require end user education.

Good luck...
posted by mmascolino at 11:47 AM on January 9, 2011


There are two ways you can implement the two-factor system: one is to use a physical token, i.e. smart card authentication, or you can issue personal digital certificates to individuals via your own certificate authority, plus the username/password combo.

Either is workable, and will improve your security. I can't advise on the smartcard approach, as it's generally vendor-specific with regard to implementation. Basically, you're likely going to want to talk to a third-party company, both for the supply of the hardware and the specific nitty-gritty of programming and issuing that applies to that particular hardware.

If you go with the issued certificate method, you're going to need to get comfy with running your own certificate authority server and getting appropriate signed certs for it, or distributing your own self-signed CA certificate, and how you're going to deploy those, ideally over a secure channel to your clients - intranet website, for example.

The best place to start looking into this in either case is probably L2TP/IPSec VPNs.

Secure road-warrior authentication is not a particularly simple topic. There is a whole ton of material on VPNs on TechNet though. Given you're running XP clients and 2008, it's probably best to concentrate on L2TP/IPSec rather than SSTP VPNs, as the latter is not supported in XP.
posted by ArkhanJG at 12:23 PM on January 9, 2011


BTW, two factor authentication just means you need two things to login with. Generally, it means something you have (i.e. smartcard with certificate onboard, or a company issued digital certificate installed in windows) and something you know, i.e. login and password.
posted by ArkhanJG at 12:32 PM on January 9, 2011


Best answer: RSA has two-token, time-limited SecurID eval kits available either for free or for the price of shipping, depending on how much your VAR likes you.

I agree with the above -- this is NOT something to slap together, but if you want to get your feet wet and see what's involved with installing the authentication manager components to see how they interface with each other you can do it with the eval.
posted by devbrain at 12:39 PM on January 9, 2011


Consider if whole-drive encryption might fulfill the second factor requirement. Breach of either password alone would not let an attacker into the protected system. And it would be (to my way of thinking) easier to administer than dealing with the cost and hassle of distributing those security token things.

And frankly, more secure.

Actually, the Cisco VPN might count as a second factor already- to get to the protected network, one would have to have access to the config file, which contains some kind of certificate, right?
posted by gjc at 2:43 PM on January 9, 2011


Best answer: Late to the party.

I agree this isn't something to slap together - what in IT is? But it's also not at all difficult - I did it in about two weeks of total time 6 months ago (win2k8R2, Cisco ASA, RSA) for the same reason - secure two-factor for remote users. So I think the other responders are a little out of date or are talking about rolling their own custom solutions.

You already have win2k8 server and a cisco VPN solution. Add an RSA SecurID appliance and connect the pieces. Connect the appliance to your domain via LDAP to assign RSA tokens to user accounts. Then you configure the VPN device to authenticate to the RSA box. You can add multiple identity sources on every cisco vpn device I've used, so this won't impact current users. Once configured, when connecting via VPN instead of a password prompt users will be asked for the "token code" off the keyfob. Everything else in the domain still uses the user/pass combo.

Simple enough for a concept pilot. You can plan up-time and SSO and load balance scenarios once you start planning your production deployment.
posted by anti social order at 11:22 AM on January 10, 2011
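An added illustration of the pieces anti social order describes (the VPN device authenticating against the token server, which holds the user-to-token assignment and checks the "token code") and of ArkhanJG's "something you have + something you know" definition. This is example code written for this page, not anything from the thread, RSA or Cisco. SecurID's own tokencode algorithm is proprietary, so the open RFC 4226/6238 HOTP/TOTP (60-second step, PIN prepended to the tokencode) is assumed as a stand-in for the keyfob; the VPN-to-server leg is a minimal RFC 2865 RADIUS Access-Request/Accept/Reject exchange, one of the protocols purephase lists. The username, PIN, token seed and shared secret are constructed for the demo.

```python
# Example added for this page (not from the thread or any vendor). The OTP
# algorithm (RFC 4226/6238) stands in for the proprietary SecurID tokencode;
# users, PINs, seeds and the RADIUS shared secret are constructed.
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(seed: bytes, now: int, step: int = 60) -> str:
    """RFC 6238 TOTP: the code the fob would display at Unix time `now`."""
    return hotp(seed, now // step)


class TokenAuthManager:
    """Stand-in for the token appliance: user -> (PIN, seed), passcode checks."""

    def __init__(self, step: int = 60, window: int = 1):
        self.step, self.window = step, window
        self.tokens = {}      # username -> (pin, seed); from LDAP/AD in real life
        self.last_used = {}   # username -> highest counter accepted (anti-replay)

    def assign_token(self, user: str, pin: str, seed: bytes) -> None:
        self.tokens[user] = (pin, seed)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN + tokencode. Tolerate +/-window steps of clock drift;
        never accept a counter at or below the last one already used."""
        if user not in self.tokens:
            return False
        pin, seed = self.tokens[user]
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_used.get(user, -1):
                continue
            if hmac.compare_digest((pin + hotp(seed, c)).encode(), passcode.encode()):
                self.last_used[user] = c
                return True
        return False


# --- minimal RFC 2865 RADIUS framing: Access-Request / Accept / Reject ---
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _password_xor(secret: bytes, authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: MD5(secret + previous block) XOR 16-byte blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else out[-16:]   # chain on the ciphertext block
    return out


def build_access_request(secret: bytes, ident: int, user: str, passcode: str) -> bytes:
    """What the VPN concentrator sends: User-Name plus the hidden PIN+tokencode."""
    req_auth = secrets.token_bytes(16)
    pw = passcode.encode()
    pw += b"\x00" * (-len(pw) % 16)                 # pad to a multiple of 16
    attrs = _attr(ATTR_USER_NAME, user.encode()) + \
        _attr(ATTR_USER_PASSWORD, _password_xor(secret, req_auth, pw, False))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def handle_access_request(secret: bytes, pkt: bytes, mgr: TokenAuthManager, now: int) -> bytes:
    """Token server side: recover the passcode, verify it, sign the reply."""
    _, ident, length = struct.unpack(">BBH", pkt[:4])
    req_auth = pkt[4:20]
    attrs = _parse_attrs(pkt[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    passcode = _password_xor(secret, req_auth, attrs[ATTR_USER_PASSWORD], True).rstrip(b"\x00").decode()
    code = ACCESS_ACCEPT if mgr.verify(user, passcode, now) else ACCESS_REJECT
    header = struct.pack(">BBH", code, ident, 20)   # no attributes in the reply
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def check_reply(secret: bytes, request: bytes, reply: bytes):
    """VPN side: a reply whose Response Authenticator fails must be discarded (None)."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code)
```

Two details worth keeping when you pilot the real thing: the server tracks the last counter it accepted per user, so a passcode sniffed and replayed inside the same 60-second window is refused even though the code is still "current"; and the VPN device only honours an Access-Accept whose Response Authenticator verifies under the shared secret, so a spoofed Accept from the network path is dropped rather than logging the user in.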

