Global Information Assurance Certification Paper - GIAC Certifications
Global Information Assurance Certification Paper. Copyright SANS Institute. Author Retains Full Rights. This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.
Michael Kelly
Version 1.2e

Is Single Sign On a Security Risk?

Introduction

There used to be a time when the majority of computer operators and people alike maintained one user ID and password. With the introduction of platforms such as Microsoft Windows, and with the continual lowering of the cost of hardware capable of hosting Unix systems, this is no longer the case. Many of the applications hosted by high end systems like Mainframes have been distributed amongst multiple client server systems. If this didn't give organizations enough food for thought, let's add e-commerce to the equation. With each different OS, Application and security database introduced comes its own unique group of issues. Every day that passes, organizations change not only the technology they use but also the people that maintain the environment. This extremely fast progression has introduced many concerns for organizations large and small.

What are the issues progression has introduced?

It is inevitable that with progression comes some amount of pain. Without understanding all the issues it would be very difficult to investigate an SSO solution. Once the issues are understood it will be easier to determine if SSO is a security risk or a technology that helps alleviate security risks. Some of these issues are:

• Introduction of new OS, Application and Security Databases
• Social Engineering
• Continual changing of human resources
• Security

Introduction of new OS, Application and Security Databases

There are hundreds if not a thousand different OS/Applications and Security databases within the industry today. Many organizations have internally developed applications that authenticate to proprietary databases.
As it is rare that all these different components are managed and maintained by the same (ever changing) department, it is less likely that standardization has taken place. User name and password restrictions would all benefit from standardization. The many user ids and passwords that users have to manage cause confusion. A good percentage of a user's time is spent logging onto system resources.

"The Securities Industries Association, based in Washington, D.C., found that users spend an average of 44.4 hours a year logging on to (an average of) four applications a day."

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
www-4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html

More and more organizations are moving towards e-commerce. Providing services and products to customers worldwide introduces an even greater need for user control. Many of the databases previously used for internal applications only have now been web enabled. It is important that a mechanism be in place to allow customers to transparently navigate across multiple web servers.

Social engineering

With the introduction of so many systems it is possible that users will forget their user id or password and eventually lock themselves out. Unfortunately this happens frequently. Help desk personnel are overwhelmed with the amount of calls regarding password reset and account activation.

"META Group reports that 15-30% of all support calls are caused by forgotten or expired passwords. The cost to manually reset passwords ranges from $15-30 per call, and on average, users call help desks with a password problem 4 times a year."
http://www.courion.com/solutions/index.asp

This can increase the possibility of an individual social engineering the Help Desk. Under high stress people are less likely to follow the guidelines that are in place: guidelines that dictate being absolutely positive that the person requesting the password reset is who they say they are. Solutions have been developed to reduce the security risk of social engineering.

These types of systems allow end users to answer a variety of questions through automated telephone services. Once the correct response has been entered the account is reset and in some cases the new password is e-mailed back to the end user. These types of systems are widely used within the Internet community. If you forget your password on one of the popular search engine e-mail systems, you can select to have a new one created.
Answering the correct question will reveal a new password.

Continual changing of human resources

The technology is not the only frequent change within an organization. People come and go, and along with that comes the variety of user accounts across the enterprise. As users have so many accounts it becomes extremely hard for administrators to track and deactivate/delete accounts as people leave the organization.

Security

Each operating system and application has its own set of security requirements for both user id and password. Some security databases by default require that the first character of the password be numeric. Other operating systems will not allow repeating characters within a password. For example AAMIKE would fail because the letter A follows the first letter A. As many operating systems have such a diverse set of restrictions it is possible that organizations will remove the restrictions (where possible) to reduce the amount of user frustration and calls to the help desk. This is also an effort to reduce the amount of sticky notes taped to monitors containing the user id and password. Security often competes with convenience in many different areas within an organization. Reducing password restrictions for end user convenience may or may not be an acceptable sacrifice.

What is Single Sign On?

SSO in short is the ability to authenticate once and never have to repeat the process for the duration of the session. Many solutions are available throughout the market that provide SSO capabilities. As a whole they all provide some form of Authentication, Authorization, Access control and password synchronization. SSO solutions are available both for organizations moving towards e-commerce and for enterprise networked environments.

Authentication and Authorization

Authentication is the process of a user being identified as who they say they are. SSO applications either take advantage of the existing databases within the organization or require the implementation of a proprietary database. Software vendors such as Novell and Microsoft have developed highly scalable databases (also known as Directories) that can be implemented into existing environments. These databases provide central repositories for user information and can be integrated into some of the available SSO solutions. Once a user has successfully authenticated they are then authorized to access various system resources.
There are different types of authentication:

Single Factor—Single factor authentication is when the user is only required to produce one piece of information. The most common single factor authentication method would be passwords (something you know). Biometrics (something you are), although considered more secure than a password, when used independently is still referred to as Single Factor Authentication.

Two Factor—Two factor authentication is the combination of two single factor authentications. During an authentication process, if a user is asked for both his password (something you know) and a digital certificate (something you own) then this would become a two factor authentication.

Typically SSO products contain a central server. The central server is responsible for authenticating the user against one of the security databases within the organization. This is usually the database where all the user accounts exist. Security databases such as Windows NT SAM, Active Directory and IBM's RACF are common authentication options with SSO products. These all provide single factor authentication. Extending security databases to support tokens and PKI would provide two factor authentication. Within an enterprise environment users authenticate to the central server with the aid of client code. Once the user has successfully authenticated to the central server the network logon is allowed to continue.

Access Control

The level of access control that SSO can provide will differ depending on the solution as well as the intended end users.

SSO solutions for Web Servers typically provide content protection for web-enabled applications. After a user has successfully authenticated they are then allowed to access the areas of the web server that the associated role permits. A role is a list of ACLs associated with one or more user Ids. Once authenticated, the user is then granted a session id. The session can be used to validate the user as they move about multiple web servers without requiring multiple authentications. This provides SSO for Web Users.
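The web SSO flow just described (authenticate once, receive an opaque session id, have each web server validate it with the central server and consult the role's ACL), as an added example in Python that is not from the paper or any vendor's product. The hosts, users, roles, paths and session lifetime are constructed for illustration.

```python
# Added example (not from the paper): a toy web SSO central server that issues a
# session id after one authentication and lets several web servers validate it
# against role-based ACLs. Users, roles, hosts and paths are all constructed.
import secrets
import time

# Constructed roles: role -> ACL entries of (web server host, path prefix).
ROLES = {
    "customer": [("shop.example", "/catalog"), ("shop.example", "/orders")],
    "support": [("shop.example", "/orders"), ("intranet.example", "/tickets")],
}
# Constructed user store: user -> (password, role). A real central server would
# check these against a security database such as NT SAM, Active Directory or RACF.
USERS = {"alice": ("Cust0mer!pw", "customer"), "bob": ("Supp0rt!pw", "support")}


class WebSsoServer:
    def __init__(self, session_ttl=600, clock=time.monotonic):
        self.session_ttl = session_ttl
        self.clock = clock            # injectable so expiry can be tested
        self.sessions = {}            # session id -> (user, role, expiry time)

    def login(self, user, password):
        """Authenticate once; return an opaque session id, or None on failure."""
        record = USERS.get(user)
        if record is None or not secrets.compare_digest(record[0], password):
            return None
        sid = secrets.token_urlsafe(32)   # unguessable, never derived from the user
        self.sessions[sid] = (user, record[1], self.clock() + self.session_ttl)
        return sid

    def validate(self, sid):
        """Called by each web server; returns (user, role) or None."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, role, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[sid]        # expired sessions are purged, not renewed
            return None
        return user, role

    def logout(self, sid):
        self.sessions.pop(sid, None)


def web_server_allows(server, host, sid, path):
    """Access check a web server `host` performs for a request to `path`:
    validate the session with the central server, then consult the role's ACL."""
    identity = server.validate(sid)
    if identity is None:
        return False                      # no valid session: authenticate again
    _, role = identity
    return any(host == h and (path == p or path.startswith(p + "/"))
               for h, p in ROLES[role])
```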
Users of corporate networks are presented with a graphical interface of applications they are allowed to access. The user points and clicks the application they want to launch. The credentials for that user (e.g. non standardized user id) and application information are retrieved from the central server and provided to the application.

SSO products achieve transparent sign on in one of two ways.

Scripted—Scripted Sign On is the process of playing keystrokes back to an application. When the application is launched, the keystrokes are played back to the application as if the user was typing them in. The user Id and passwords are stored in the scripts as variables. Storing critical information as variables allows one script to be shared by many users for the same application. The variable values are pulled down from the central server at application launch. Scripted Sign On has to be initiated by the end user. Automatically launching the applications at logon would create multiple unnecessary active sessions to the applications.

Integrated—Integrated SSO allows for tight integration with applications. Applications that have been developed to integrate with SSO allow for information to be passed about the user without the need for scripts. The process is invisible to the end user. In addition the SDKs provided with SSO solutions allow for the same integration with proprietary applications.

Password\account status Synchronization

Password synchronization is the ability to synchronize passwords around the corporate network. This is a vital aspect of SSO and can be considered the backbone of the solution. Passwords are captured from one or more security databases and then distributed via the central server around the enterprise network.

The central server is typically the controlling component of an SSO solution.
Disabling accounts from the central server triggers a chain of events that propagate down to the desired systems, disabling the user account. The propagation of account status would also occur if the maximum bad logon count was reached.
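An added example (not from the paper or any vendor's product) tying together the Security section's diverse per-system restrictions and this section's synchronization and account-status propagation: the central server accepts a new password only if it satisfies the union of every participating system's rules, then pushes it to all systems, and disables the account everywhere when the bad-logon limit is reached. The system names, rule names and dictionary words are constructed.

```python
# Added example (not from the paper): a toy SSO central server that checks a
# new password against the union of every participating system's restrictions
# before synchronizing it, and propagates account status to each system.
# All system names and rules are constructed for illustration.

class CentralServer:
    # Per-system restrictions modelled on the ones the paper cites:
    # a leading digit, and no repeated adjacent character (rejects AAMIKE).
    RULES = {
        "first_char_numeric": lambda pw: pw[:1].isdigit(),
        "no_adjacent_repeat": lambda pw: all(a != b for a, b in zip(pw, pw[1:])),
    }

    def __init__(self, systems, min_length=8, dictionary=(), max_bad_logons=3):
        self.systems = systems            # {system name: set of rule names}
        self.min_length = min_length      # central restriction, applied everywhere
        self.dictionary = {w.lower() for w in dictionary}
        self.max_bad_logons = max_bad_logons
        self.accounts = {}                # user -> {system: {"password", "disabled"}}
        self.bad_logons = {}

    def violations(self, password):
        """Union of all restrictions, so one synchronized password is valid everywhere."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if password.lower() in self.dictionary:
            problems.append("in dictionary list")
        for rule in sorted(set().union(*self.systems.values())):
            if not self.RULES[rule](password):
                problems.append(rule)
        return problems

    def set_password(self, user, password):
        """Synchronize only a password every system will accept; return the problems."""
        problems = self.violations(password)
        if not problems:
            for name in self.systems:
                acct = self.accounts.setdefault(user, {}).setdefault(name, {"disabled": False})
                acct["password"] = password
        return problems

    def disable(self, user):
        """Disabling centrally propagates to every participating system."""
        for acct in self.accounts.get(user, {}).values():
            acct["disabled"] = True

    def authenticate(self, user, password):
        accts = self.accounts.get(user, {})
        if not accts or any(a["disabled"] for a in accts.values()):
            return False
        if all(a["password"] == password for a in accts.values()):
            self.bad_logons[user] = 0
            return True
        self.bad_logons[user] = self.bad_logons.get(user, 0) + 1
        if self.bad_logons[user] >= self.max_bad_logons:
            self.disable(user)   # bad-logon limit reached: status propagates too
        return False
```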
Conclusion

Security Personnel become concerned that SSO and password synchronization create a security risk. If the password is the same across all security databases then the user's account is only as secure as the weakest operating system's security. There are many aspects of SSO that counteract the concern.

• Less secured systems can be excluded from the SSO Enterprise environment. Many of the solutions available are multi tier by design and don't require all users or systems to participate. Careful consideration can be given to who and what is included within the SSO Enterprise.
• Administrators are able to enforce more stringent password restrictions across the environment from the central server, restrictions such as minimum length, password expiry time and invalid dictionary lists. Individual OS and application restrictions can be brought in line with the central server's configuration.
• Password Synchronization reduces user confusion. With only one password to remember it is less likely that the password will be written down on a piece of paper.
• SSO products that allow end users to reset the password after successfully answering a variety of questions reduce help desk cost and the risk of social engineering.
• Employees that leave organizations can quickly be deactivated on all systems from one location.
• Authentication to less secure operating systems can be enhanced with two factor authentication.
• With little intervention required to sign on to applications, the process is less likely to fail and cause a volume of helpdesk calls.

Systems are vulnerable to attack. The strongest security databases have weaknesses that can be exploited. Host based and Network based vulnerability assessment tools help to ensure that system configuration is in line with internal policies. SSO facilitates the authentication process and removes a good deal of pain from end users, helpdesk and administrators.

SSO, Vulnerability assessment and intrusion detection can all help to improve the level of security within an organization. After all, Security is all about layers.

http://www.eu.microsoft.com/windows2000/sfu/psync.asp
http://www.novell.com/products/nds/details.html
http://www.networkcomputing.com/1006/1006f12.html
http://www-4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html
http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
http://www.courion.com/solutions/index.asp
http://www.fipass.com/corporate/authentication.asp
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=526
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=53&PID=3449195
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=55&PID=3449195#sso
http://www.blockade.com/products/blk_prod_ov.pdf
http://www.hut.fi/~totervo/netsec98/sso.html