
Recommendation for a good two-factor authentication product

Subject: Recommendation for a good two-factor authentication product
Author: DLN
Date: 07-25-2007
Posted by Vin McLellan on August 11, 2007, 10:32 pm
Vin McLellan (me) wrote:

>> (RSA, for several years, sold a solution that implemented domain
>> enforcement of the SecurID authentication, however it turned out to
>> not scale. Some competitors copied that architecture, and built the
>> same offering. RSA's evaluation of these products is that they will
>> inevitably experience the same scalability issues that bedeviled RSA's
>> solution, since the OS integration points are the same.)

DaveMo, steeped in his experience as a MS developer and program
manager, responded:

>With all due respect, this is because RSA (and apparently everyone
>else) didn't use the correct solution.

And, pray tell, whose fault was that? I was working for the govt
while this solution was in development, but I came back to work for
RSA, as a consultant, on the day this product was announced. I well
remember, the RSA product manager celebrating the close working
relationship between his developers and their counterparts at MS.
As scaling issues arose, it also became clear that the MS folks RSA
had worked with were as surprised and dismayed as the RSA guys in
Bedford. At the time, it didn't seem that anybody speaking for MS
knew anything about any alternative interface options.

>While working with a 2 factor
>ISV, my team implemented a solution that enforces use of the 2 factor
>authentication mechanism and it scales just fine.

As you noted, there were a whole bunch of companies which apparently
took the wrong turn. Can you please point to the interfaces that
would allow anyone to most effectively implement centrally-managed
2FA? I trust they are public and accessible to anyone who can
search MSDN? Or maybe not?

>As a security person, I find this to be an important aspect of the
>overall solution. If the 2 factor solution can be circumvented simply
>by removing or disabling the client-side component, then it isn't much
>of a security solution IMO.

I'm sure your guidance on interface options will be appreciated by a
lot of other security persons, both within MS and without.

I take mild umbrage at your suggestion that the alternatives RSA came
up with are somehow lacking in effective access control. With either
RSA's certificates or with the "hardened" passwords in play, "removing
or disabling" the client-side component from the end-point machine
will not allow an attacker illicit access to the protected resources.
I think this is apparent to most objective observers. Customers buy
it.

RSA, I humbly suggest, has a suite of effective solutions for
Microsoft Windows. There are different RSA Authentication Agents that
play within these solutions to provide trustworthy 2FA access controls
for the enterprise: remote, local, and web access.

Suerte,
_Vin


Posted by S. Pidgorny on August 12, 2007, 5:13 am
G'day:


>>With all due respect, this is because RSA (and apparently everyone
>>else) didn't use the correct solution.
>
> And, pray tell, whose fault was that? I was working for the govt
> while this solution was in development, but I came back to work for
> RSA, as a consultant, on the day this product was announced. I well
> remember, the RSA product manager celebrating the close working
> relationship between his developers and their counterparts at MS.
> As scaling issues arose, it also became clear that the MS folks RSA
> had worked with were as surprised and dismayed as the RSA guys in
> Bedford. At the time, it didn't seem that anybody speaking for MS
> knew anything about any alternative interface options.

What is the interface in question? Am I anywhere close in suggesting LDAP
performance issues (that are entirely RSA's fault)? I have experienced
those elsewhere, but I didn't try Windows login integration.

One of the reasons is that RSA's login integration broke Microsoft 802.1x,
according to a reliable source (TechEd Europe 2005 lab).

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by Vin McLellan on August 13, 2007, 12:00 am
Vin McLellan (me) wrote:

>> (RSA, for several years, sold a solution that implemented domain
>> enforcement of the SecurID authentication, however it turned out to
>> not scale. Some competitors copied that architecture, and built the
>> same offering. RSA's evaluation of these products is that they will
>> inevitably experience the same scalability issues that bedeviled RSA's
>> solution, since the OS integration points are the same.)

DaveMo, steeped in his experience as a MS developer and program
manager, responded:

>With all due respect, this is because RSA (and apparently everyone
>else) didn't use the correct solution.

And, pray tell, whose fault was that? I was working for the govt while
this solution was in development, but showed up at RSA, on an outside
consultant's gig, the day this product was announced. I well remember
the RSA product manager celebrating the close working relationship
between his developers and their counterparts at MS. As scaling issues
arose, it also became clear that the MS folks RSA had worked with were
as surprised and dismayed as the RSA guys in Bedford. At the time, it
didn't seem that anybody speaking for MS knew anything about any
alternative OS interface options.

>While working with a 2 factor
>ISV, my team implemented a solution that enforces use of the 2 factor
>authentication mechanism and it scales just fine.

As you noted, there were a whole bunch of companies which apparently
took the wrong turn. Can you please point to the OS interfaces that
would allow anyone to most effectively implement centrally-managed
2FA? I trust they are public and accessible to anyone who can search
MSDN? Or maybe not?

>As a security person, I find this to be an important aspect of the
>overall solution. If the 2 factor solution can be circumvented simply
>by removing or disabling the client-side component, then it isn't much
>of a security solution IMO.

I'm sure your guidance on interface options will be appreciated by a
lot of other security persons, both within MS and without.

I take mild umbrage at your suggestion that the alternatives RSA came
up with are somehow lacking in effective access control. With either
RSA's certificates or with the "hardened" passwords in play, "removing
or disabling" the client-side component from the end-point machine
will not allow an attacker illicit access to the protected resources.
I think this is apparent to most objective observers. Customers buy
it.

RSA, I humbly suggest, has a suite of effective solutions for
Microsoft Windows. There are different RSA Authentication Agents that
play within these solutions to provide trustworthy 2FA access controls
for the enterprise: remote, local, and web access.

Suerte,
_Vin


Posted by Mark Schubert on August 5, 2007, 4:37 pm
Hi,

I would opt for the sicrypt smart cards.

Advantages:

- CSP already included in Windows
- AD integration
- Rollout works out of the box with the Windows CA
- etc.... Just google for more.

In case you use smart cards other than sicrypt, you could opt for the
Aloaha Card Connector. It supports a broad range of cards out of the box. In
case you purchase unsupported cards, the guys of Aloaha make your card work
in a couple of days.

Good Luck!


> Hello all,
>
> I don't know if this is the right group to pose this question to and if
> it's not, I apologize ahead of time. I'm wondering if anybody out there
> can recommend a good two-factor authentication solution that meets the
> following

