|
I think you might be better off going down the path of implementing smart cards
|
# ? Apr 11, 2018 00:08 |
|
What's crazy to me is what you're proposing. Is the badging system requirement set in stone? Why not use biometrics or some other real 2FA? Is this on a Windows 10 client? This seems like a much better path - https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification I have so many questions. Does this person reliably badge out? Why isn't this person who is using credentials that aren't theirs fired? Why isn't the person sharing their credentials fired? Why haven't the credentials been changed?
|
# ? Apr 11, 2018 00:12 |
|
Thanks Ants posted:
> I think you might be better off going down the path of implementing smart cards

We really can't. The cart is coming before the horse, so to speak. Our software MUST be involved in the decision to allow somebody to log in since this is for a customer that uses said software.

Internet Explorer posted:
> What's crazy to me is what you're proposing.

The fact that there are better ways to do it is irrelevant because the solution is dictated by the customer - we're just the shmucks that have to make it work. Sorry for not disclosing that at the beginning. But to address your concerns, you NEED to badge out to leave. This is a high-security building and the only other way out is to set off the fire alarms.

KillHour fucked around with this message at 00:15 on Apr 11, 2018 |
# ? Apr 11, 2018 00:12 |
|
KillHour posted:
> We really can't. The cart is coming before the horse, so to speak. Our software MUST be involved in the decision to allow somebody to log in since this is for a customer that uses said software.
|
# ? Apr 11, 2018 00:14 |
|
anthonypants posted:
> Better change your name to BillHour because you're gonna be busy

I'm not implementing this. I just need to give our sales guys a "this is technically possible and here is how it's done" and they can whip our devs bloody to make it happen.
|
# ? Apr 11, 2018 00:15 |
|
anthonypants posted:
> Better change your name to BillHour because you're gonna be busy

You're better off having some Rube Goldberg setup where your security software can lock/unlock AD accounts as people enter and leave the building than trying to prevent a Windows login from occurring without wanting to deploy any software on the device. This isn't the 2FA providers for RADIUS where you can just set a ~30s timeout on the request to give someone enough time to respond to a push notification.

Thanks Ants fucked around with this message at 00:19 on Apr 11, 2018 |
# ? Apr 11, 2018 00:16 |
|
Also, the guy who gave his credentials out did it so he could steal ~$500k from the customer and have the excuse of "It wasn't me. I wasn't even in the building!" vv I wish I wasn't salary so bad right now
|
# ? Apr 11, 2018 00:17 |
|
KillHour posted:
> I'm not implementing this. I just need to give our sales guys a "this is technically possible and here is how it's done" and they can whip our devs bloody to make it happen.
|
# ? Apr 11, 2018 00:18 |
|
The client is dumb and someone needs to tell them that. "super secure facility" that doesn't use 2FA and has employees knowingly sharing credentials. My recommendation for this dumbness is when he badges in have the badging system kick off a script to set the AD property "Log on to" to his workstation. When he badges out, have the badging system kick off a script to log him out and remove the "Log on to" entry. I feel dirty.
|
# ? Apr 11, 2018 00:23 |
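An added example (not code posted in the thread) of the badge-in/badge-out hooks Internet Explorer describes, written against the RSAT ActiveDirectory module; the parameter names, the placeholder host name BADGED-OUT and the assumption that the badging system can invoke a script with the badge event, the user and the workstation name are mine.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module, an account
# allowed to write the user's "Log on to" list and to log users off the workstation
# remotely, and that the badging system calls this script on each badge event.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][ValidateSet('BadgeIn', 'BadgeOut')][string]$Event,
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$Workstation   # NetBIOS name of the user's PC, e.g. CHK-WS01 (constructed)
)

function Set-BadgeInLogonRestriction {
    param([string]$User, [string]$Computer)
    # "Log on to" (the userWorkstations attribute) is a comma-separated list of NetBIOS
    # names; while it is populated, the DC refuses logons from any other computer.
    Set-ADUser -Identity $User -LogonWorkstations $Computer.ToUpper()
}

function Set-BadgeOutLogonRestriction {
    param([string]$User, [string]$Computer)
    # 1. Close any session still open on the workstation so it cannot be reused after
    #    the badge-out. quser prints USERNAME [SESSIONNAME] ID STATE ...; the session
    #    name is blank for disconnected sessions, so match the ID by pattern, not column.
    quser /server:$Computer 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '^\s*>?(\S+)\s+(?:\S+\s+)?(\d+)\s+(Active|Disc)' -and $Matches[1] -ieq $User) {
            logoff $Matches[2] /server:$Computer
        }
    }
    # 2. Do NOT clear the attribute: an empty "Log on to" means "all computers". Point it
    #    at a host name that does not exist so every logon is refused until the next
    #    badge-in rewrites it.
    Set-ADUser -Identity $User -LogonWorkstations 'BADGED-OUT'
}

switch ($Event) {
    'BadgeIn'  { Set-BadgeInLogonRestriction  -User $SamAccountName -Computer $Workstation }
    'BadgeOut' { Set-BadgeOutLogonRestriction -User $SamAccountName -Computer $Workstation }
}
```

Each call changes the user object, so with Audit User Account Management enabled the DC logs Event ID 4738 for it; correlating those events with the badge system's own log gives an audit trail of who was restricted to which workstation and when.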
|
KillHour posted:
> Also, the guy who gave his credentials out did it so he could steal ~$500k from the customer and have the excuse of "It wasn't me. I wasn't even in the building!"

That's why you have sharing credentials be a firing offense. Also how does 500k get moved around without a second person authorizing? All of this is dumb as hell. [Edit: if this company is supposed to be SOX compliant then they are failing miserably]
|
# ? Apr 11, 2018 00:24 |
|
Do you have a way to prevent someone borrowing somebody else's badge?
|
# ? Apr 11, 2018 00:25 |
|
Internet Explorer posted:
> That's why you have sharing credentials be a firing offense. Also how does 500k get moved around without a second person authorizing? All of this is dumb as hell.

Someone obviously noticed and the guy got fired. The problem is the customer also got into a poo poo ton of trouble with regulatory agencies for letting it happen. On its face, it's not an insane request. Even if they used 2FA, the guy could have given the other person the OTP over SMS or something. They want to make sure that you can't log into the workstation with an account unless that account holder is physically present. Just because there isn't a sane way to implement it doesn't mean there's no value in that.
|
# ? Apr 11, 2018 00:27 |
|
Thanks Ants posted:
> Do you have a way to prevent someone borrowing somebody else's badge?

Biometric 2FA on the doors. Unless you want to loan somebody your eyeball...
|
# ? Apr 11, 2018 00:27 |
|
Internet Explorer posted:
> The client is dumb and someone needs to tell them that.

This is what I was thinking. That or roll your own credential provider that somehow ties into the badge system, but even that isn't foolproof. All options suck. Comedy option: post this on Reddit and see what those people come up with.
|
# ? Apr 11, 2018 00:31 |
|
I just checked and the customer does use 2FA. Person B borrowed person A's hard token, logged into person A's workstation on a day person A called in sick and processed a fraudulent check for $Texas that went to some shell LLC in the Caymans. I have no idea how they figured out who person B was, but they're both in jail now and "this can't happen again."
|
# ? Apr 11, 2018 00:35 |
|
KillHour posted:
> I just checked and the customer does use 2FA. Person B borrowed person A's hard token, logged into person A's workstation on a day person A called in sick and processed a fraudulent check for $Texas that went to some shell LLC in the Caymans.

The solution is an accounting control that requires multiple people to sign off on payments that large. It sounds like they already have the expected technical controls in place.
|
# ? Apr 11, 2018 00:37 |
|
The Fool posted:
> The solution is an accounting control that requires multiple people to sign off on payments that large. It sounds like they already have the expected technical controls in place.

They want this particular additional one and we want their money. I'm in the business of selling software, not playing a company's personal CISSP.
|
# ? Apr 11, 2018 00:39 |
|
KillHour posted:
> Someone obviously noticed and the guy got fired. The problem is the customer also got into a poo poo ton of trouble with regulatory agencies for letting it happen.

There is. Biometrics at the workstation, along with password and 2FA.
|
# ? Apr 11, 2018 00:43 |
|
Internet Explorer posted:
> There is. Biometrics at the workstation, along with password and 2FA.

Sorry, I meant to say this:

> Just because there isn't a sane way to implement it that makes my company money, doesn't mean there's no value to be extracted from the customer in doing it.

Also those little fingerprint readers kind of suck since they just store your AD credential on them.

KillHour fucked around with this message at 00:46 on Apr 11, 2018 |
# ? Apr 11, 2018 00:44 |
|
Internet Explorer posted:
> There is. Biometrics at the workstation, along with password and 2FA.
|
# ? Apr 11, 2018 00:47 |
|
Ah, so I have met my mortal enemy.
|
# ? Apr 11, 2018 00:47 |
|
anthonypants posted:
> Even if you didn't want to use biometrics, smart cards solved this problem over a decade ago.

Unless you let someone borrow your smart card just like you let them borrow your token.

Internet Explorer posted:
> Ah, so I have met my mortal enemy.

I'm taking money from a bank. That's like the most Socialist thing ever.
|
# ? Apr 11, 2018 00:47 |
|
I think I'm going to push for them to go with a custom credential provider. It's the way Microsoft seems to want you to do it and the dev work involved doesn't seem insane. Ultimately, these guys want technical controls beyond 2FA and I just want the best way to give it to them. I'm sure I can twist their arm into adding it to their "super special high-value check processing systems" and maybe recommend they have somebody physically there watching things. Also, I don't want to give away the customer for NDA reasons, but it's a bank in a destitute 3rd world country so things are a little bit rear end backwards there sometimes. Edit: I forgot to thank everyone. Thank you, seriously. I would have beaten my head on a wall for a week before I realized there was no way to do it how I wanted. KillHour fucked around with this message at 01:09 on Apr 11, 2018 |
# ? Apr 11, 2018 01:03 |
|
Windows Hello biometrics aren't like the biometrics of old where it was poorly integrated into Windows, but if it's a hot desking environment then yeah it's not ideal. Is there a way for smartcard login to look for a flag set on the card that is written upon a successful badge-in?
|
# ? Apr 11, 2018 01:14 |
|
Thanks Ants posted:
> Is there a way for smartcard login to look for a flag set on the card that is written upon a successful badge-in?

If there is, it would involve the customer completely replacing their access control readers and cards with something that supports that. Other than dev time and the fact that my customer will have to just deal with the minor inconvenience, is there a good reason NOT to use a custom credential provider?
|
# ? Apr 11, 2018 01:22 |
|
A user at my company somehow managed to find their way to c:\users\default when they were saving documents. As a result, those documents were copied into the profile of a whole bunch of users when they logged in to the PC (this was a computer in a conference room). Now we're looking at ways to prevent this from recurring. Any idea what happens if I start loving around with permissions on that directory, like preventing write access to it?
|
# ? Apr 11, 2018 01:40 |
|
capitalcomma posted:
> A user at my company somehow managed to find their way to c:\users\default when they were saving documents. As a result, those documents were copied into the profile of a whole bunch of users when they logged in to the PC (this was a computer in a conference room).
|
# ? Apr 11, 2018 01:44 |
|
anthonypants posted:
> You need admin privileges to write to C:\users\default anyway, so,

poo poo, that kind of confirms my suspicion that some program changed the permissions. Something added CREATOR OWNER to the ACLs on all of the subfolders. Guess I get to track the problem app down!
|
# ? Apr 11, 2018 01:56 |
|
Creator Owner is not a problem though; the user shouldn't be either.
|
# ? Apr 11, 2018 15:17 |
|
Potato Salad posted:
> The insistence that everything should go on the SP platform is going to kill some of their products
|
# ? Apr 11, 2018 15:32 |
|
KillHour posted:
> I'm not implementing this. I just need to give our sales guys a "this is technically possible and here is how it's done" and they can whip our devs bloody to make it happen.

I like how you are deciding if it can happen and not the devs. That makes sense.
|
# ? Apr 11, 2018 16:00 |
|
KillHour posted:
> I'm taking money from a bank. That's like the most Socialist thing ever.

Not talking about political stances, more along the lines of "I'm not their CISSP" (and therefore security is not my problem) and, paraphrasing here, "doing it the right way means my company not making money, so...."

Sickening posted:
> I like how you are deciding if it can happen and not the devs. That makes sense.

I was going to make the same point yesterday but the whole situation sounds bad enough that it really seemed like overkill.
|
# ? Apr 11, 2018 16:34 |
|
The Fool posted:
> Every on-prem MFA solution I've ever looked at requires installing an agent on every workstation you are going to protect.

Modular credential providers have been a thing in Windows since Vista, thankfully. No more gina.dll swaps and subsequent incompatibility nightmares.
|
# ? Apr 11, 2018 17:27 |
|
capitalcomma posted:
> poo poo, that kind of confirms my suspicion that some program changed the permissions. Something added CREATOR OWNER to the ACLs on all of the subfolders.

It was a known issue in older builds of Win10 that the default folder had creator owner write permissions and MS quietly fixed it in one of the builds. I believe if you're doing in-place upgrades the problem persisted and only got fixed with manual intervention of a clean disk wipe.
|
# ? Apr 11, 2018 17:31 |
|
Hello thread. Anyone here using KMS activation for Windows and Office? I've been thrown into a project to set up KMS for Win7/Office 2010 in a brand new domain (on a server running 2012 R2), and though I've read everything I can find about how it works, I'd like it if someone with actual experience could confirm these three things for me:

1) The keys you can get from the VLSC depend on the licence agreement you have with Microsoft. -and- If you get a key for, say, Windows 8, and install it in a KMS running on a Windows 8-or-newer box, then it will activate all client OSes up to and including Windows 8, right? That is, a KMS host key is an umbrella of sorts?

2) Following the above example, if you later decide to put Windows 10 into your environment then you get licensed and now have a Windows 10 key available. So you just install that over the top of the old key and it continues to activate all older client OSes too, right? That is, you never install more than one OS key into your KMS at a time.

3) Office activation keys can be installed through slmgr or through ospp.vbs, but they store the credentials in the same place so you can use either to manipulate/install the Office keys, right?

Sorry if these are basic questions but I've found that Microsoft has a couple of gaps in the content they've published so I can't find reliable answers post-Server 2008.
|
# ? Apr 12, 2018 01:14 |
|
Windows 7/Office 2010? Windows 7 goes end of life in 20 months, you shouldn't be deploying new environments with it. Same for Office 2010. I realize sometimes you're stuck with what you have though. Set up a KMS server, install the KMS server keys on the server, make sure it registers the _vlmcs SRV records in DNS, and everything should take care of itself. You can have different KMS keys installed, you don't want to, but you can. Generally the current version key will activate prior versions as well.
|
# ? Apr 12, 2018 01:23 |
|
Internet Explorer posted:
> Not talking about political stances, more along the lines of "I'm not their CISSP" (and therefore security is not my problem) and, paraphrasing here, "doing it the right way means my company not making money, so...."

They already do 2FA though. This is something their security people want done.
|
# ? Apr 12, 2018 02:01 |
|
KillHour posted:
> They already do 2FA though. This is something their security people want done.

I feel like we've been over this. They already have 2FA, but they want to make sure the person is actually in the building (really that the person actually is the person who is logging in). This is what biometrics is for. They already have biometrics to get into the building, but integrating that is a clusterfuck and putting biometric locks on the workstations themselves is the proper solution. But that won't make you money, so ¯\_(ツ)_/¯
|
# ? Apr 12, 2018 02:14 |
|
skipdogg posted:
> Windows 7/Office 2010? Windows 7 goes end of life in 20 months, you shouldn't be deploying new environments with it.

And same for 2008R2! Of which we have about 70 left in our environment, all vmxnet3 drivers. I was able to replicate the vmxnet3 issue with the 2018-04 updates, even though Microsoft supposedly fixed it. It's the same one that got introduced with 2018-03. The real fix is running the vbscript prior to patch install or immediately prior to reboot. Since we don't have SCCM for our servers, I whipped up some PowerShell to kick off the vbscript fix for all of them. Hopefully this is helpful for anyone who has held off on 2018-03 due to this issue.

Create the vbscript from https://support.microsoft.com/en-us/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2 and save it as KB3125574Fix.vbs.

Get the list of computers. Review as appropriate and remove any that don't have vmxnet3. In my case, I know I can make that assumption.

devmd01 fucked around with this message at 02:42 on Apr 12, 2018 |
# ? Apr 12, 2018 02:38 |
|
skipdogg posted:
> Windows 7/Office 2010? Windows 7 goes end of life in 20 months, you shouldn't be deploying new environments with it. Same for Office 2010. I realize sometimes you're stuck with what you have though.

Eh, my role is simply "get KMS up and running" so I don't have to worry about their software EOL for now. I should have said that it's a new domain because they're migrating from their old parent company's one. PCs and all that are the same. I think I found an answer to (3) and the answer is yes, they're basically two different interfaces to the same key store. So I can stick with slmgr for almost all the silly procedures I have to write.
|
# ? Apr 12, 2018 04:49 |