Securing Shared Workstations with Novell SecureLogin

Kevin Prior, Technology Specialist, [email protected]
Rajasekar Pandiyan, Software Consultant, [email protected]

Description

Kiosks are deployed in many industries, such as health care and manufacturing, to provide users with quick access to applications. But challenges often arise in these deployments when users don't close applications or simply leave the kiosk without logging off, exposing sensitive data to unauthorized users. This session will demonstrate how to secure these shared workstations using the Desktop Automation Services (DAS) in Novell SecureLogin. We will show you how to build policy-based shared workstation protection at the workstation level, at the network level (using Novell Modular Authentication Service (NMAS), which requires eDirectory™) and across Citrix sessions. We will also show you how to configure the policies to lock workstations when an authentication device is removed or when the user's session has timed out. Finally, you will see a real-world example of Desktop Automation Services working at Maine Medical Center.

Transcript of Securing Shared Workstations with Novell SecureLogin

Page 1: Securing Shared Workstations with Novell SecureLogin

Securing Shared Workstations with

Novell® SecureLogin

Kevin Prior, Technology Specialist, [email protected]

Rajasekar Pandiyan, Software Consultant, [email protected]

Page 2

© Novell, Inc. All rights reserved.

Session Content

This session will explain and demonstrate:
• About shared workstations and kiosks
• What is Desktop Automation Services (DAS) in the context of kiosks
• Usage of Desktop Automation Services (DAS)
• How to build policy-based shared workstation protection at the workstation and network levels
• How to configure policies to lock workstations when an authentication device is removed or when a user's session is timed out
• Finally, a real world example of DAS from EOS Systems, who has worked with customer implementations

Page 3

Kiosks or Shared Workstations

Description

• Workstation shared by several people throughout the day to provide quick access to applications. Often several users in an hour.

– Examples: health care, education, manufacturing, financial institutions, government environments

Challenges

• When users don't close the application or simply leave the workstation without logging off, they expose sensitive data to unauthorized users.

Page 4

What Is The Novell® Single Sign-on Solution for Shared Workstations?
• Novell has combined the value of Novell SecureLogin with the value of DAS (Desktop Automation Services) to provide:
– Fast login
– Fast user switching
– Single sign-on
• Simplified core components to support different workstation form factors
• A solution that solves some of the key foundational pain currently in health care, retail and manufacturing
• Simple message:
– One Id. One Password
– One Login
– Fast

Page 5

DAS (Desktop Automation Services)

What is Novell® Desktop Automation Services?
• An add-on to Novell SecureLogin
• Handles unique use cases associated with shared workstations or kiosks.
• Executes selective and configurable lists of user operations from virtually any scripting or programming medium on the Windows operating system.
• Most common deployment is to provide fast user switching in clinical workstations.
• Runs locally on the workstation to handle these unique use cases.
• Identity-based services can be related to the workstation, user (attributes), or location (via IP subnet)

Page 6

DAS Overview

Different versions and support details
• Formerly known as the Application Runner Shell or system (ARS).
• Originally written by Novell® Consulting / Custom Development
• Customers currently running the older version of ARS (DAS), version 1.0.4.13 or earlier, will still be supported by NCCD but are entitled to the upgrade to DAS 2.0.
• DAS is available for no cost to all currently licensed customers of Novell SecureLogin (NSL) version 6.0 or higher.
• NSL version 3.51 or lower is not supported and customers must upgrade to NSL 6.0 or higher in order for DAS 2.0 to be installed.
• NSL 7.0 bundles the latest version (DAS 2.1)
• NSL 7.0 SP1 supports DAS in Windows 7

Page 7

DAS Overview

What does DAS do?

• The DAS process that runs on the workstation monitors for different triggers on the workstation

• DAS executes the actions configured for a trigger, scripted in an XML file

• Actions and triggers are controlled by the actions.xml file

– Configured on the workstation or in the directory

– Specified in eDirectory™ on a container or user

Page 8

DAS Functionality

Diagram: trigger sources feeding the DAS process, and the actions it executes.
• Trigger sources: Windows events (screen saver, hot key), network monitor (login / logout via the Novell Client or NSL), card monitor (proximity card, smart card), inactivity timer
• Configuration file: actions.xml
• Executes actions: kill-app, map-drive, nds-logout, ldap-logout, ...

Page 9

DAS Configuration stored in Directory

Diagram: two deployments, a Novell® environment and a Microsoft environment. In each, DAS loads its actions.xml either from a local file or from an ARSConfig object in the directory; the directory also holds User, ARSUser and ARSControl objects, and the workstation registry is shown alongside. Components labelled in the diagram: LDAP GINA, SecureLogin (slproto.exe), eDirectory LDAP, Active Directory, IDM Driver (optional), NWClient32.exe, eDirectory, NLDAPlgn.exe.

Page 10

DAS Actions and Triggers

DAS Triggers
• on-nds-login
• on-ldap-login
• on-hot-key
• on-screen-saver
• on-cardmon

DAS Actions
• execute-user-action
• if-true
• if-false
• run-application
• test-app-running
• kill-app
• kill-all-apps
• map-drive
• map-home-drive
• test-logged-in
• test-ldap-logged-in
• test-nds-attr-val
• test-ip-subnet
• test-env-variable
• message-box
• nds-logout
• ldap-logout

Page 11

Sample actions.xml

    <?xml version="1.0"?>
    <application-runner-script>
      <action name="hidedesk">
        <nds-logout />
        <hide-desktop />
      </action>
      <action name="showdesk">
        <unhide-desktop />
      </action>
      <action-triggers>
        <on-hot-key virtual-key="s" modifiers="ctrl" action-name="showdesk"/>
        <on-hot-key virtual-key="h" modifiers="ctrl" action-name="hidedesk"/>
      </action-triggers>
    </application-runner-script>

Page 12

DAS 2.0

Key Features
• Ability to quickly login and logout users (fast user switching) using either the Novell Client™ or the LDAP client in NSL.
• Novell Client is no longer necessary with DAS 2.0 as it was with previous versions.
• Provides convenience tools for the user such as:
– hot-keys, drive mappings and auto launching of applications or shutting down applications
• Support for Windows 2000 Pro, XP, and Vista
• DAS can be used as a substitute for login scripts for multi-user workstations
• Card monitoring service to detect smartcard pulls and run a series of user defined logout actions
• Installation by Microsoft Installer (MSI)

Page 13

New in DAS 2.1

• Actions:
– hide-desktop
– unhide-desktop
– Screen-Saver-On (invokes when Screen Saver is activated)

• Action Triggers:
– on-inactivity-timer
– on-screen-saver
– on-pcprox-removal (Is this required)

• Command Line Switches
– ars.exe /refresh (Refresh actions.xml during run time)
– ars.exe /shutdown (Terminates DAS)
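The script below is an added example, not code from the slides or from Novell. It audits an actions.xml of the shape shown in the page 11 sample, extended with the walk-away triggers listed above (on-inactivity-timer, on-screen-saver, on-pcprox-removal): it checks that every trigger names a defined action and that only element names listed on pages 10 and 13 are used, then reports which triggers actually end the previous user's session. The sample policy is constructed for this example. Assumptions: every trigger element carries an action-name attribute as on-hot-key does, the slides' mixed-case "On-cardmon" and "Screen-Saver-On" are written lowercase in the file, and kill-all-apps, nds-logout and ldap-logout are the session-ending steps worth looking for.

```python
"""Audit a DAS actions.xml policy file (added example, not Novell's code).

Parses a policy of the shape shown on page 11, checks that every trigger
references a defined action and that only elements listed on the slides are
used, and reports which triggers actually end the previous user's session.
Assumptions: every trigger element carries an action-name attribute, and the
slides' mixed-case "On-cardmon" / "Screen-Saver-On" are lowercase in the file.
"""
import xml.etree.ElementTree as ET

# Trigger and action element names as listed on pages 10 and 13 of the deck.
KNOWN_TRIGGERS = {
    "on-nds-login", "on-ldap-login", "on-hot-key", "on-screen-saver",
    "on-cardmon", "on-inactivity-timer", "on-pcprox-removal",
}
KNOWN_ACTIONS = {
    "execute-user-action", "if-true", "if-false", "run-application",
    "test-app-running", "kill-app", "kill-all-apps", "map-drive",
    "map-home-drive", "test-logged-in", "test-ldap-logged-in",
    "test-nds-attr-val", "test-ip-subnet", "test-env-variable",
    "message-box", "nds-logout", "ldap-logout", "hide-desktop",
    "unhide-desktop", "screen-saver-on",
}
# Steps that end the previous user's session on a shared workstation (assumed).
SESSION_ENDING = {"nds-logout", "ldap-logout", "kill-all-apps"}
# Triggers that fire without the user pressing anything (walk-away protection).
UNATTENDED = {"on-inactivity-timer", "on-screen-saver", "on-cardmon",
              "on-pcprox-removal"}

# Constructed sample: the page-11 hot keys plus walk-away triggers from
# page 13. The on-screen-saver trigger deliberately points at a misspelled
# action name to show what the audit catches.
SAMPLE_POLICY = """<?xml version="1.0"?>
<application-runner-script>
  <action name="hidedesk">
    <nds-logout />
    <hide-desktop />
  </action>
  <action name="showdesk">
    <unhide-desktop />
  </action>
  <action name="cleanup">
    <kill-all-apps />
    <nds-logout />
    <hide-desktop />
  </action>
  <action-triggers>
    <on-hot-key virtual-key="s" modifiers="ctrl" action-name="showdesk"/>
    <on-hot-key virtual-key="h" modifiers="ctrl" action-name="hidedesk"/>
    <on-pcprox-removal action-name="cleanup"/>
    <on-inactivity-timer action-name="cleanup"/>
    <on-screen-saver action-name="clean-up"/>
  </action-triggers>
</application-runner-script>
"""


def audit_policy(xml_text):
    """Return the defined actions, any problems found, the triggers whose
    action ends the session, and unattended triggers that do not (or that
    are not configured at all)."""
    root = ET.fromstring(xml_text)
    if root.tag != "application-runner-script":
        raise ValueError(f"unexpected root element <{root.tag}>")

    # action name -> ordered list of step element names
    actions = {a.get("name"): [step.tag for step in a]
               for a in root.findall("action")}
    problems = []
    for name, steps in actions.items():
        for step in steps:
            if step not in KNOWN_ACTIONS:
                problems.append(f"action {name!r} uses unknown element <{step}>")

    session_ending_triggers = set()
    trigger_block = root.find("action-triggers")
    for trig in (list(trigger_block) if trigger_block is not None else []):
        target = trig.get("action-name")
        if trig.tag not in KNOWN_TRIGGERS:
            problems.append(f"unknown trigger <{trig.tag}>")
        if target not in actions:
            # A dangling reference leaves the trigger with nothing to run.
            problems.append(
                f"trigger <{trig.tag}> references undefined action {target!r}")
        elif SESSION_ENDING & set(actions[target]):
            session_ending_triggers.add(trig.tag)

    return {
        "actions": actions,
        "problems": problems,
        "session_ending_triggers": sorted(session_ending_triggers),
        "unprotected_unattended": sorted(UNATTENDED - session_ending_triggers),
    }


if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

The dangling action-name is the failure mode worth catching before a policy is deployed to a kiosk: the trigger fires, but no defined action answers it, so the previous user's session stays open exactly when a walk-away event was supposed to close it. Point the script at the actions.xml deployed on a workstation to get the same report for a real policy.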

Page 14

Fast User Switching

In order to provide fast user switching, one needs:
• Ability to quickly log off previous user
– Screensavers
– Logout button
– Session time outs
– Proximity and Smart Card pull
– Proximity sonar devices
• Quickly shut down applications that were open and reset workstation for next user in seconds
• Disconnect shared or home drive mappings
• Prompt for next user to authenticate
• Lock down workstation in idle state to prevent unauthorized use
• Best utilized with shared or kiosk workstations

Page 15

Sample Use Cases In Different Industries
• Healthcare
– Shared workstations/kiosks at nurse stations, exam rooms, patient kiosks, mobile health care worker, remote clinics, physician offices
• Manufacturing
– Factory floor shared workstation, shop floor control, stockrooms, information kiosks, remote/mobile workers, call centers
• Retail
– Point-of-Sale, stockrooms, kiosks
• High Tech
– Offshore development, call centers
• Financial Service
– Customer service, call centers, information kiosks, remote and offshore resources
• Education
– Student labs, remote learning centers

Page 16

DAS Use Case Example #1

• Workstation is configured to boot-up and auto-login to Windows Desktop and AD Domain automatically

• Novell® Client is presented for users to authenticate to eDirectory™ and get their NetWare® drive mappings

• 3-5 users may use the workstation in a single hour (multiple Windows profiles to manage)

• Common in education, financial services, government

Issue: How do you ensure the previous user is logged out of all active applications and the workstation is ready for the next user without having to completely restart the Windows OS? Need fast user switching.

Page 17

DAS Use Case Example #2

• Workstation is configured to boot-up and auto-login to Windows desktop, AD Domain and NetWare® automatically (generic ID)

• Network drives are mapped at boot-up and remain the same for all users

• Users are required to log into each individual application (application level security)

• 3-10 users may use the workstation in a single hour

• Common in healthcare and manufacturing

Issue: How do you ensure each user is required to authenticate once while getting SSO to their applications, and can still provide fast login/logout?

Page 18

HIT Security Questions, 19th Annual HIMSS CIO Survey 2008

Two questions were asked: which of the following security technologies are presently in place at your organization, and which technologies your facility plans to use or implement in the next two years. Percentage of respondents:

Technology                                                          | In place | Planned (next two years)
Firewalls                                                           | 98.00%   | 11.10%
User Access Controls (based on role/location)                       | 82.70%   | 17.90%
Audit Logs of Each Access to Patient Health Records                 | 80.50%   | 19.90%
Off-site Storage                                                    | 76.90%   | 20.80%
Disaster Recovery                                                   | 74.60%   | 30.90%
Electronic Signature                                                | 73.30%   | 25.40%
Intrusion Prevention / Detection Service                            | 69.70%   | 25.10%
Multi-Level Passcodes                                               | 65.10%   | 16.00%
Data Encryption                                                     | 62.50%   | 27.00%
Email Encryption                                                    | 61.60%   | 34.20%
Single Sign-On                                                      | 35.50%   | 49.20%
Public Key Infrastructure (PKI)                                     | 27.40%   | 22.50%
Biometric Technologies (i.e. retinal scan, fingerprint technology)  | 21.80%   | 42.30%
None                                                                | 1.00%    | 0.30%
Don't Know                                                          | 1.00%    | 1.60%
Other (Please specify)                                              | 0.00%    | 0.00%

Page 19

Solution Differentiators

• Shared Credentials
– Web SSO, enterprise SSO, provisioning

• Identity Management Provisioning Integration
– Automatic provisioning of SSO credentials

• Leverage existing directory infrastructure vs. requiring an additional identity store (no additional hardware)
– Minimizes administrative overhead
– Simplifies user management
– SIGNIFICANTLY improves fault tolerance, high availability, and scalability
– Support of open standards (i.e. LDAP, SAML, CCOW) and interoperability across the enterprise

Page 20

Solution Differentiators

• More multi-factor device support than any other vendor

• Minimal Workstation Impact
– Does not modify the GINA
– Small client footprint
– Fully compatible with Microsoft and Novell® workstation environments
– Fast login/logout
– Flexibility in application launching
– Fully integrated with ZENworks® for desktop management

• Centrally managed. No need for dual administration.
– New users have instant access to solution capabilities

Page 21

Thom Kirby, EOS Systems

Page 22

Who We Are

• Eos Systems is a comprehensive IT solutions provider with an increasing national presence
– We serve clients in 38 states

• Eos Systems provides consulting and solutions for clients in information-intensive fields, including:
– Banking
– Law
– Education
– Manufacturing
– Healthcare
– Government

Page 23

Who We Are

Solutions and Technologies

Identity and Security
- Identity Management
- Access Management
- Security Management
- Compliance Management

Endpoint
- Virtualization
- Resource Management
- Green IT
- Disaster Recovery and High Availability

Outsourced IT
- Consulting
- Support Services
- Product Procurement
- Managed Services

Collaboration
- E-mail
- Teaming
- Web
- Mobile

Page 24

Who We Are

• Major Vendor certifications include: Microsoft, Citrix, Novell, Sophos, HP, IBM, Dell, Cisco, VMware, Symantec, Gwava, Netvision, McAfee, Lenovo and 3Com.

• Eos Systems was established in 1997 and is headquartered in Boston, Massachusetts.

• Office locations:
– New York City
– Boston
– Salt Lake City

Aligning Technology with Business Process

Page 25

Customer Use Case for Health Care

• Environment:
– Kiosk-type machines stationed in a health care environment
– 3-5 different users must be able to quickly login/logout within an hour using a PCProx/Smartcard
– User access to applications/data must be controlled/enforced

• Issues:
– Enforcing/controlling user access to the data is paramount as it can involve protected/confidential customer records
– Login/Logout process needs to be under 5-10 seconds, including closing previous user active applications
– Unique user authentication to eDirectory™ and ZENworks® Configuration Management for the user to deliver drive mappings, applications, and policies

Page 26

Customer Use Case for HealthCare

Solution:

• Desktop Automation Services (DAS) for fast user switching

• Workstation is configured to boot-up and AutoAdminLogin to Windows Desktop and AD Domain automatically

• DAS integration script will handle Novell® Client and ZCM logout/login to run associated drive mappings, applications, policies, and printers for specific users.

• Configurable inactivity timers for automated screen saver lock and user logout from the system to ensure data/application security.

• Novell Single Sign-on integration for all user-associated applications.

• NMAS integration for PCProx security cards with eDirectory to allow fast secure logins without the need to type usernames and passwords.

Page 27

Question and Answer

Page 28

For More Information

• Visit table A5 in IT Central

• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM207: SecureLogin and Your Active Directory Setup
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin

• Walk through the SecureLogin demo in the Installation and Migration Depot

• Visit www.novell.com/securelogin

Try SecureLogin for Yourself

We'll install SecureLogin on your machine (for free).

Page 29

Page 30

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.