A 30+ year old security problem solved

In many companies, system administrators log on with a simple username and password. This is a big security risk: when the sysadmin's password leaks, all other security measures are undermined. You could implement multifactor authentication, but security concerns remain because the sysadmin could still log on from an untrusted computer. The best solution would be for the sysadmin to be able to do his admin tasks only from a trusted computer.

Windows supports "Smartcard logon", which requires the user to insert a smartcard into the computer's smartcard reader. However, this method is not suitable for this purpose, since the sysadmin can insert his smartcard into any computer with a smartcard reader and authenticate.

When a Virtual Smartcard is used, the sysadmin credentials are stored in the Trusted Platform Module (TPM). A TPM is a security chip that is soldered onto the motherboard of the computer. Now the sysadmin can log on only to his own computer, through Windows Smartcard Logon using a Virtual Smartcard.

Now comes the beauty: when the A.D. domain policy is set to allow logon only with a (virtual) smartcard, the sysadmin can log on only from a managed and trusted corporate computer!

This is how it works. The sysadmin must provide a PIN (or a password) to log on to his computer. Windows Smartcard Logon verifies the PIN against the TPM. If it is correct, Windows logs the sysadmin on to a domain controller.

The sysadmin will see this logon screen:

The Smartcard logon (right) is the only method that allows sysadmin tasks. The sysadmin's normal user tasks (e.g. email) can be done through a 'normal' user account (left).
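The guarantee described above holds only if every administrative account really has the Active Directory option "Smart card is required for interactive logon" set. The following is an added example, not part of the original article or of any vendor's product: a PowerShell check that reports enabled admin accounts that can still log on with a password. The account names and the 'Domain Admins' group in the commented query are assumptions.

```powershell
# Added example: report privileged accounts that can still log on with a password.
# Input objects need SamAccountName, Enabled and SmartcardLogonRequired,
# which is what Get-ADUser returns when asked for that property.
function Find-PasswordLogonAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Disabled accounts cannot log on at all, so they are not findings.
        if (-not $User.Enabled) { return }
        if (-not $User.SmartcardLogonRequired) {
            [pscustomobject]@{
                Account = $User.SamAccountName
                Finding = 'Password logon still allowed'
            }
        }
    }
}

# Constructed sample data (hypothetical account names) so the function runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-alice'; Enabled = $true;  SmartcardLogonRequired = $true  }
    [pscustomobject]@{ SamAccountName = 'adm-bob';   Enabled = $true;  SmartcardLogonRequired = $false }
    [pscustomobject]@{ SamAccountName = 'adm-old';   Enabled = $false; SmartcardLogonRequired = $false }
)
$sample | Find-PasswordLogonAdmin | Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module; the group name is an assumption):
# Get-ADGroupMember 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties SmartcardLogonRequired |
#     Find-PasswordLogonAdmin
```

Any account the check reports can be brought in line with `Set-ADUser -SmartcardLogonRequired $true`.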

Windows 8.1 and 10 support Virtual Smartcards, but these methods are unmanaged. For example, there is no central PIN recovery system.

Wave has a Virtual Smartcard solution that provides Virtual Smartcard support for Windows 7 (!), 8, 8.1 (and 10). This solution also provides central (and automated) Virtual Smartcard management and "Zero Knowledge" PIN recovery methods. In this case the helpdesk does not know or require any old or new PIN or password. A Challenge-Response method is used.

