Strong Authentication to any Application Using SecureLogin and NMASTM

Scott Kiester and John Jolly
Software Engineers
Novell, Inc.

Page 2

© March 9, 2004 Novell Inc.

one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

[Diagram: Novell exteNd™, Novell Nsure™, Novell Nterprise™, Novell Ngage℠]

Page 3

The one Net vision: Novell Nsure™

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Page 4

What we'll cover

✔ SecureLogin and NMAS Basics
✔ LDAP Authentication
✔ Using Biometric Devices
✔ SecureWorkstation
✔ Citrix Integration
✔ Establishing Password Policies
✔ Using Scripts for Advanced Authentication
✔ Questions and Answers

Page 5

SecureLogin and NMAS Basics

What is SecureLogin?
• Provides Single Sign-On Capabilities
• Machine-Local and Network Cache Storage
• Administrative Password Control

What is NMAS (Novell Modular Authentication Service)?
• Allows Authentication Beyond Username/Password
  – Provides Interface for Third-Party Authentication Products
  – Improves Security Through Multiple Authentication Factors

Page 6

LDAP Authentication

Why LDAP?
• Open Standard Supported by eDirectory
• NMAS Provides Authentication Via LDAP

Features
• NMAS Authentication
• WinNT GINA Login
• Contextless User Search
• SecureLogin Integration
• Citrix Support

Page 7

Using Biometric Devices

Requirements
• NMAS must be installed.
• LDAPAuth must be used.

NMAS works with the NMAS server components installed on the server and, on the client, the login methods needed to complete the login sequences defined on the server.

• All NMAS communication is carried over the secure LDAP port.
• No Novell Client32 needed!

Page 8

Secure Workstation

What is SecureWorkstation?
• Service that runs on Windows 2000 and Windows XP
• “Locks down” the workstation when the user leaves
• Helps prevent unauthorized access to applications
• Quickly switch between users on the same workstation

Page 9

Secure Workstation Events

Events that Secure Workstation detects:
• User inactivity timeout
• Removal of an authentication device (Smart Card, Proximity Card, etc.)
• Network Logout Event (Client32 or LDAP)
  – Secure Workstation detects when the user has been logged out of the network
• Manual Lock Event
  – User clicks the “Logout” button on the Secure Workstation Quick Login/Logout Interface
  – Provides a quick logout when no authentication devices have been deployed

Page 10

Secure Workstation Actions

Actions taken by Secure Workstation when an event is detected:
• Lock the Workstation
• Log out of the Workstation (Log out of Windows)
• Log out of the Network (Client32 or LDAP)
• Close Programs
• Log out of the Network and Close Programs

Page 11

Secure Workstation Policy

The policy tells Secure Workstation which action to take when it detects an event

• Two actions are associated with each event

– Action for the local console session

– Action for remote Citrix/Terminal Services clients

• Secure Workstation cannot lock the workstation in a remote session, so it will disconnect the session instead

Page 12

Policy Configuration

• Use the “Secure Workstation Policy Editor” to configure a policy for the workstation.

• The policy editor can be found in the Novell SecureLogin program group.

Page 13

Inactivity Timeout Event

• Specify the duration of user inactivity before an inactivity timeout event is triggered

• Warn the user a few seconds before the event is triggered

– A dialog will be displayed

– A wav file and avi file may be played

Page 14

Device Removal Event

• Specify which devices must be present

• A device removal event will be triggered when one of the devices is removed

Page 15

Program List

• Used with “Close All Programs” action

• Environment variables may be used

Page 16

Post-Policy Command

• A command that will be executed after the action has been taken

• May be used to display a login dialog for the next user

  – Use loginw32.exe for Client32
  – Use nldaplgn.exe for LDAP Auth

Page 17

Secure Workstation Network Policy

The Network Policy is a Secure Workstation Policy that is stored in eDirectory and configured using ConsoleOne.

• The Network Policy contains the same settings as the Local Policy

• An NMAS Post-Login Method delivers the policy to the workstation

• A different policy may be configured for each NMAS Login Sequence that contains the Secure Workstation Post-Login Method

  – Use NMAS to set login sequence restrictions
  – Use NMAS to assign a default login sequence

Page 18

Secure Workstation Effective Policy

The Effective Policy is the policy that Secure Workstation enforces.

• The Effective Policy is created by combining the Local Policy with the Network Policy

– The most secure settings from each policy are used

• If either the Network Policy or the Local Policy is inactive, then the Effective Policy will be a copy of the active policy

• If both the Network Policy and the Local Policy are inactive, then the Effective Policy will also be inactive

– Secure Workstation will not do anything when the Effective Policy is inactive

Page 19

Viewing the Effective Policy

• Use the “View Effective Policy” button to view the settings in the Effective Policy

• The Effective Policy for the current Citrix/Terminal Services session will be displayed

Page 20

Why Combine Policies?

Meet the minimum security requirements of both the user and the workstation.

Example: A doctor may not need an inactivity timeout when using the workstation in his office, but should have one when using a workstation in a public area.

• Deactivate the Inactivity Timeout Event in the Network Policy for the doctor

• Activate the Inactivity Timeout Event in the Local Policy on workstations in public areas
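The policy-combination rules on pages 18 and 20 (most secure setting from each policy wins, an inactive policy is ignored, two inactive policies give an inactive Effective Policy) are easy to get wrong when the same agent must also honour the console/remote split from page 11. The following is an added example written for this transcript; it is not Novell code. The policy data structure, the severity ranking of the actions (the presentation lists the actions but does not rank them) and the "shorter inactivity timeout is more secure" rule are this example's assumptions, and the doctor scenario is constructed from page 20.

```python
"""Effective-policy merge in the style of Secure Workstation (added illustration).

Not Novell code: the policy structure, the action severity ranking and the
timeout handling are assumptions made so the merge rules from the slides can be
exercised and checked.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Events Secure Workstation reacts to (page 9).
EVENTS = ("inactivity_timeout", "device_removal", "network_logout", "manual_lock")

# Assumed severity ranking of the page-10 actions; higher is "more secure".
ACTION_RANK = {
    None: 0,                                   # event inactive
    "lock_workstation": 1,
    "close_programs": 2,
    "logout_network": 3,
    "logout_network_and_close_programs": 4,
    "logout_windows": 5,
}


@dataclass
class EventSetting:
    """Two actions per event (page 11): one for the console, one for Citrix/TS sessions."""
    console_action: Optional[str] = None       # None means the event is inactive
    remote_action: Optional[str] = None
    timeout_seconds: Optional[int] = None      # only meaningful for inactivity_timeout


@dataclass
class Policy:
    active: bool = True
    events: Dict[str, EventSetting] = field(default_factory=dict)


def _most_secure_action(a: Optional[str], b: Optional[str]) -> Optional[str]:
    return a if ACTION_RANK[a] >= ACTION_RANK[b] else b


def _shorter_timeout(a: Optional[int], b: Optional[int]) -> Optional[int]:
    # A shorter inactivity window is the more secure setting; None means no timeout.
    candidates = [t for t in (a, b) if t is not None]
    return min(candidates) if candidates else None


def merge_event(local: EventSetting, network: EventSetting) -> EventSetting:
    return EventSetting(
        console_action=_most_secure_action(local.console_action, network.console_action),
        remote_action=_most_secure_action(local.remote_action, network.remote_action),
        timeout_seconds=_shorter_timeout(local.timeout_seconds, network.timeout_seconds),
    )


def effective_policy(local: Policy, network: Policy) -> Policy:
    if not local.active and not network.active:        # both inactive: do nothing
        return Policy(active=False)
    if not local.active:                               # one inactive: copy the active one
        return Policy(active=True, events=dict(network.events))
    if not network.active:
        return Policy(active=True, events=dict(local.events))
    merged = {ev: merge_event(local.events.get(ev, EventSetting()),
                              network.events.get(ev, EventSetting()))
              for ev in EVENTS}                        # both active: most secure wins
    return Policy(active=True, events=merged)


def remote_action_for(policy: Policy, event: str) -> Optional[str]:
    """A remote session cannot be locked, so a lock becomes a disconnect (page 11)."""
    action = policy.events.get(event, EventSetting()).remote_action
    return "disconnect_session" if action == "lock_workstation" else action


# Constructed page-20 scenario: the doctor's Network Policy has no inactivity
# timeout; the Local Policy of a public-area workstation activates one.
doctor_network_policy = Policy(events={
    "inactivity_timeout": EventSetting(None, None, None),
    "device_removal": EventSetting("logout_network_and_close_programs",
                                   "logout_network_and_close_programs"),
})
public_workstation_local_policy = Policy(events={
    "inactivity_timeout": EventSetting("lock_workstation", "lock_workstation", 120),
})
office_workstation_local_policy = Policy(active=False)

if __name__ == "__main__":
    public = effective_policy(public_workstation_local_policy, doctor_network_policy)
    print("public area:", public.events["inactivity_timeout"])
    office = effective_policy(office_workstation_local_policy, doctor_network_policy)
    print("doctor's office:", office.events["inactivity_timeout"])
```

On the public workstation the Effective Policy inherits the 120-second lock from the Local Policy and the device-removal logout from the Network Policy; in the doctor's office, where the Local Policy is inactive, the Effective Policy is a copy of the Network Policy and no inactivity timeout applies.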

Page 21

The Quick Login/Logout Interface

• Provides a fast and convenient way for users to lock the workstation or trigger a Manual Lock Event

• The “Lock Workstation” button locks the workstation

• The “Logout” button is bound to the Manual Lock Event in the Effective Policy

Page 22

Quick Login/Logout Interface

Customize the Quick Login/Logout Interface using settings in the registry.

See TID 10087273 for more information.

Page 23

Citrix Integration - Today

• Most NMAS methods that require an authentication device, such as a smart card or fingerprint reader, will not work

• Secure Workstation will not detect device removal events from most devices

[Diagram: ICA Client (Proximity Card, Fingerprint Reader, Smart Card) connected over the ICA Protocol to the Citrix Server (Secure Workstation, NMAS)]

Page 24

Citrix Integration – Virtual Channels

NMAS and Secure Workstation will use a virtual channel to communicate with authentication devices.

• Same user experience with a Citrix Client as when logged on locally

• Available in an upcoming release of SecureLogin
• Will require a Citrix ICA 6.0 or later client (Windows Terminal Services clients not supported in this release)
• The following components will use virtual channels:

– NMAS

– Secure Workstation

– pcProx Proximity Cards (software is provided with SecureLogin)

Page 25

Citrix Integration – The Solution

[Diagram: ICA Client (Proximity Card, Fingerprint Reader, Smart Card) connected over an ICA Protocol Virtual Channel to the Citrix Server (Secure Workstation, NMAS)]

Page 26

Citrix Integration - pcProx

The pcProx method uses a virtual channel to scan the card.

User identification over the virtual channel works with both Client32 and LDAP Auth.

Page 27

Citrix Integration - NMAS

NMAS Authentication will be redirected over the virtual channel.

• NMAS methods execute on the ICA client, where the authentication devices are

• NMAS calls SecureLogin to redirect the authentication
  – An NMAS 2.3 client is required
  – An NMAS 2.3 server is required if the user is logging in through Client32
  – Client32 is not required on the client, even if users will be logging in through Client32 on the Citrix server

Page 28

Citrix Integration – NMAS

[Diagram: ICA Client (Proximity Card, Fingerprint Reader, Smart Card; SecureLogin; NMAS Client with Login Client Method) connected over an ICA Protocol Virtual Channel to the Citrix Server (Client32 / LDAP Auth; SecureLogin; NMAS Client), which authenticates over NCP/LDAP to the eDirectory Server (NMAS Server with Login Server Method)]

Page 29

Citrix Integration – Secure Workstation

Secure Workstation uses the virtual channel to detect device removal events.

• Each device that integrates with Secure Workstation must provide a module that reports device removal events

– Vendor-provided modules will execute on the ICA client, instead of the Citrix server

[Diagram: ICA Client (Proximity Card, Smart Card; Secure Workstation) connected over an ICA Protocol Virtual Channel to the Citrix Server (Secure Workstation)]

Page 30

Establishing Password Policies

• Create a Password Policy
  • Admin Console
  • Local Login Manager
• In the script:
  • Use RestrictVariable
  • ChangePassword will enforce the policy
    – Even more secure: use the Random modifier on the ChangePassword command.

Page 31

Using Scripts for Advanced Auth

• Most Applications Require a Username/Password
  • Not the most secure method of authentication

• SecureLogin with NMAS can improve the authentication security of these programs
  • Use the AAVerify script command to call NMAS
  • Autogenerate a random password after each successful authentication
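Pages 30 and 31 describe one pattern: restrict the password variable to a policy, require the NMAS check (AAVerify) before the stored credential is released, and then have ChangePassword with the Random modifier replace the application password with a fresh random value that satisfies the policy. The result is that the user never learns the application password, so the application's weak username/password login is only as reachable as the NMAS factor in front of it. The following is an added example for this transcript, not SecureLogin script or Novell code: it models that flow in Python. The policy fields, the symbol set, the FakeApp stand-in and the two callbacks are this example's assumptions.

```python
"""Policy-enforced random password rotation after strong authentication.

Added illustration, not SecureLogin script or Novell code. It models what the
RestrictVariable / ChangePassword Random / AAVerify pattern achieves. The
policy fields, FakeApp and the callbacks are this example's assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 16
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!#$%&*+-=?@_"      # assumed set accepted by the target application


def check_policy(password: str, policy: PasswordPolicy) -> bool:
    """True if the password satisfies every rule (the RestrictVariable check)."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if set(password) - set(string.ascii_letters + string.digits + policy.symbols):
        return False
    return (sum(c.isupper() for c in password) >= policy.min_upper
            and sum(c.islower() for c in password) >= policy.min_lower
            and sum(c.isdigit() for c in password) >= policy.min_digits
            and sum(c in policy.symbols for c in password) >= policy.min_symbols)


def random_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a policy-compliant password with a CSPRNG (the ChangePassword Random step).

    The minimum of each character class is drawn first, the rest from the full
    alphabet, then everything is shuffled so class positions are not predictable.
    """
    rng = secrets.SystemRandom()
    length = policy.min_length if length is None else length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length is outside the policy bounds")
    chars = ([rng.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
             + [rng.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
             + [rng.choice(string.digits) for _ in range(policy.min_digits)]
             + [rng.choice(policy.symbols) for _ in range(policy.min_symbols)])
    if len(chars) > length:
        raise ValueError("policy requires more characters than its length allows")
    alphabet = string.ascii_letters + string.digits + policy.symbols
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    password = "".join(chars)
    if not check_policy(password, policy):      # construction makes this unreachable
        raise RuntimeError("generated password violates the policy")
    return password


class FakeApp:
    """Constructed stand-in for a legacy username/password application."""

    def __init__(self, password: str, policy: PasswordPolicy):
        self.password, self.policy = password, policy

    def change_password(self, old: str, new: str) -> bool:
        if old != self.password or not check_policy(new, self.policy):
            return False
        self.password = new
        return True


# Constructed stand-in for the SSO credential cache (SecureLogin keeps this
# encrypted in its local and network caches; a plain dict is used here).
credential_store: Dict[str, str] = {"legacy-app": "Summer2004"}


def login_with_strong_auth(app: str, strong_auth: Callable[[], bool],
                           change_password: Callable[[str, str], bool],
                           policy: PasswordPolicy) -> bool:
    """Page-31 script flow: verify with NMAS first, then rotate the application password.

    strong_auth stands in for AAVerify; change_password stands in for driving
    the application's change-password dialog. Returns True once authenticated.
    """
    if not strong_auth():
        return False                   # NMAS check failed: do not release the credential
    current = credential_store[app]
    new_password = random_password(policy)
    # Commit the rotation only if the application accepted the new value, so a
    # failed change never leaves the cache and the application out of step.
    if change_password(current, new_password):
        credential_store[app] = new_password
    return True


if __name__ == "__main__":
    policy = PasswordPolicy()
    app = FakeApp(credential_store["legacy-app"], policy)
    print("initial password meets policy:", check_policy(app.password, policy))
    login_with_strong_auth("legacy-app", lambda: True, app.change_password, policy)
    print("rotated password meets policy:", check_policy(app.password, policy))
```

The initial "Summer2004" fails the policy; after the first strong authentication the stored credential is a 12-character random value that passes it, and a failed NMAS check leaves both the cache and the application untouched.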

Page 32

Page 33

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

