Securing Shared Workstations with Novell SecureLogin
Securing Shared Workstations with Novell® SecureLogin
Kevin Prior, Technology [email protected]
Rajasekar Pandiyan, Software [email protected]
© Novell, Inc. All rights reserved.
Session Content
This session will explain and demonstrate:
• About shared workstations and kiosks
• What Desktop Automation Services (DAS) is in the context of kiosks
• Usage of Desktop Automation Services (DAS)
• How to build policy-based shared workstation protection at the workstation and network levels
• How to configure policies to lock workstations when an authentication device is removed or when a user's session times out
• Finally, a real-world example of DAS from Eos Systems, who has worked with customer implementations
Kiosks or Shared Workstations
Description
• Workstation shared by several people throughout the day to provide quick access to applications; often several users in an hour.
– Examples: health care, education, manufacturing, financial institutions, government environments
Challenges
• When users don't close the application or simply leave the workstation without logging off, they expose sensitive data, and their still-authenticated application sessions, to unauthorized users.
What Is The Novell® Single Sign-on Solution for Shared Workstations?
• Novell has combined the value of Novell SecureLogin with the value of DAS (Desktop Automation Services), which provides:
– Fast login
– Fast user switching
– Single sign-on
• Simplified core components to support different workstation form factors
• A solution that solves some of the key foundational pain currently in health care, retail and manufacturing
• Simple message:
– One ID. One Password. One Login. Fast.
DAS (Desktop Automation Services)
What is Novell® Desktop Automation Services?
• An add-on to Novell SecureLogin
• Handles unique use cases associated with shared workstations or kiosks
• Executes selective and configurable lists of user operations from virtually any scripting or programming medium on the Windows operating system
• Most common deployment: providing fast user switching on clinical workstations
• Runs locally on the workstation to handle these unique use cases
• Identity-based services can be related to the workstation, the user (attributes), or the location (via IP subnet)
DAS Overview
Different versions and support details
• Formerly known as the Application Runner Shell or system (ARS)
• Originally written by Novell® Consulting / Custom Development (NCCD)
• Customers currently running the older ARS (DAS) version 1.0.4.13 or earlier will still be supported by NCCD but are entitled to the upgrade to DAS 2.0
• DAS is available at no cost to all currently licensed customers of Novell SecureLogin (NSL) version 6.0 or higher
• NSL version 3.51 or lower is not supported; customers must upgrade to NSL 6.0 or higher in order for DAS 2.0 to be installed
• NSL 7.0 bundles the latest version (DAS 2.1)
• NSL 7.0 SP1 supports DAS on Windows 7
DAS Overview
What DAS does
• The DAS process that runs on the workstation monitors for different triggers on that workstation
• When a trigger fires, DAS executes the actions configured for it, scripted in an XML file
• Actions and triggers are controlled by the actions.xml file
– Configured on the workstation or in the directory
– Specified in eDirectory™ on a container or on a user
DAS Functionality
(Diagram on the slide, summarized here.) The DAS process on the workstation takes its configuration from the actions.xml file and monitors several event sources:
• Windows events: screen saver, hot key
• Network monitor
• Card monitor: proximity card, smart card
• Inactivity timer
• Login / logout events from the Novell Client and NSL
When a monitored event fires, DAS executes the configured actions, e.g. kill-app, map-drive, nds-logout, ldap-logout, ...
DAS Configuration stored in Directory
(Diagram on the slide, summarized here.) The same building blocks are shown for a Novell® environment and a Microsoft environment. In both, DAS reads actions.xml either from an optional local file or from an ARSConfig object in the directory; per-user settings are held on the User object (ARSUser) alongside an ARSControl object, and workstation settings live in the Registry.
• Novell environment: the Novell Client (NWClient32.exe) authenticates the user to eDirectory.
• Microsoft environment: the LDAP GINA (NLDAPlgn.exe) and SecureLogin (slproto.exe) authenticate to eDirectory over LDAP; Active Directory appears alongside, connected through an IDM driver.
DAS Actions and Triggers
DAS Triggers
• on-nds-login
• on-ldap-login
• on-hot-key
• on-screen-saver
• on-cardmon
DAS Actions
• execute-user-action
• if-true
• if-false
• run-application
• test-app-running
• kill-app
• kill-all-apps
• map-drive
• map-home-drive
• test-logged-in
• test-ldap-logged-in
• test-nds-attr-val
• test-ip-subnet
• test-env-variable
• message-box
• nds-logout
• ldap-logout
Sample actions.xml
    <?xml version="1.0"?>
    <application-runner-script>
      <action name="hidedesk">
        <nds-logout />
        <hide-desktop />
      </action>
      <action name="showdesk">
        <unhide-desktop />
      </action>
      <action-triggers>
        <on-hot-key virtual-key="s" modifiers="ctrl" action-name="showdesk"/>
        <on-hot-key virtual-key="h" modifiers="ctrl" action-name="hidedesk"/>
      </action-triggers>
    </application-runner-script>
DAS 2.0
Key Features
• Ability to quickly log users in and out (fast user switching) using either the Novell Client™ or the LDAP client in NSL
• The Novell Client is no longer necessary with DAS 2.0, as it was with previous versions
• Provides convenience tools for the user such as:
– hot keys, drive mappings, and auto-launching or shutting down applications
• Support for Windows 2000 Pro, XP, and Vista
• DAS can be used as a substitute for login scripts on multi-user workstations
• Card monitoring service to detect smart card pulls and run a series of user-defined logout actions
• Installation by Microsoft Installer (MSI)
New in DAS 2.1
• Actions:
– hide-desktop
– unhide-desktop
– screen-saver-on (invoked when the screen saver is activated)
• Action triggers:
– on-inactivity-timer
– on-screen-saver
– on-pcprox-removal
• Command line switches:
– ars.exe /refresh (reloads actions.xml at run time)
– ars.exe /shutdown (terminates DAS)
Fast User Switching
In order to provide fast user switching, one needs:
• Ability to quickly log off the previous user, triggered by:
– Screen savers
– Logout button
– Session timeouts
– Proximity and smart card pull
– Proximity sonar devices
• Quickly shut down the applications that were open and reset the workstation for the next user in seconds
• Disconnect shared or home drive mappings
• Prompt the next user to authenticate
• Lock down the workstation in its idle state to prevent unauthorized use
• Best utilized with shared or kiosk workstations
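The policy just described (a card pull, idle timeout or screen saver closes the previous user's applications, drops the directory session and hides the desktop; a fresh login sets up the next user) written as a DAS actions.xml, together with a small checker that lints the file before it is pushed to an ARSConfig object or a workstation. This is an added example, not code from the deck or from Novell: the element names are the triggers and actions the deck lists (including the DAS 2.1 triggers), but the real attribute names beyond virtual-key, modifiers and action-name are not shown on this page, so timeout-seconds and path are assumed placeholders, and both policy documents are constructed for the example. The checker encodes the property that matters on a shared workstation: every trigger that means "the previous user is gone" must fire an action that actually kills applications and then logs out, rather than only hiding the desktop, and it also simulates which steps DAS would run for a given trigger.

```python
"""Lint and simulate a DAS actions.xml policy for a shared workstation.

Added example, not Novell's code.  Element names are the triggers and
actions the deck lists; the attributes timeout-seconds and path are
ASSUMED for illustration (the deck only shows virtual-key, modifiers and
action-name).  Check them against the DAS documentation before deploying.
"""
import xml.etree.ElementTree as ET

# Constructed policy: a card pull, idle timeout or screen saver resets the
# workstation; a fresh eDirectory login sets up the next user.
GOOD_POLICY = r"""<?xml version="1.0"?>
<application-runner-script>
  <action name="reset-for-next-user">
    <kill-all-apps />
    <nds-logout />
    <hide-desktop />
  </action>
  <action name="setup-user">
    <unhide-desktop />
    <map-home-drive />
    <run-application path="C:\Clinical\emr.exe" />
  </action>
  <action-triggers>
    <on-cardmon action-name="reset-for-next-user"/>
    <on-inactivity-timer timeout-seconds="300" action-name="reset-for-next-user"/>
    <on-screen-saver action-name="reset-for-next-user"/>
    <on-nds-login action-name="setup-user"/>
  </action-triggers>
</application-runner-script>
"""

# Constructed weak policy: the idle timer only hides the desktop, so the
# previous user's session and applications stay alive behind it, and the
# hot key points at an action that was never defined.
WEAK_POLICY = r"""<?xml version="1.0"?>
<application-runner-script>
  <action name="hide">
    <hide-desktop />
  </action>
  <action-triggers>
    <on-inactivity-timer timeout-seconds="3600" action-name="hide"/>
    <on-hot-key virtual-key="l" modifiers="ctrl" action-name="lock"/>
  </action-triggers>
</application-runner-script>
"""

# Triggers that mean "the previous user is gone"; the action they fire must
# end that user's session, not merely cover it up.
SESSION_END_TRIGGERS = {"on-cardmon", "on-pcprox-removal",
                        "on-inactivity-timer", "on-screen-saver"}
LOGOUT_STEPS = {"nds-logout", "ldap-logout"}
KILL_STEPS = {"kill-all-apps", "kill-app"}
MAX_IDLE_SECONDS = 600  # assumed site maximum for an unattended kiosk


def load_policy(xml_text):
    """Parse actions.xml into ({action name: [step tags]}, [(trigger tag, attrs)])."""
    root = ET.fromstring(xml_text)
    if root.tag != "application-runner-script":
        raise ValueError("not a DAS script, root element is %r" % root.tag)
    actions = {a.get("name"): [step.tag for step in a]
               for a in root.findall("action")}
    trig_el = root.find("action-triggers")
    triggers = [] if trig_el is None else [(t.tag, dict(t.attrib)) for t in trig_el]
    return actions, triggers


def check_policy(actions, triggers):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for tag, attrs in triggers:
        target = attrs.get("action-name")
        if target not in actions:
            findings.append("%s: references undefined action %r" % (tag, target))
            continue
        steps = actions[target]
        if tag in SESSION_END_TRIGGERS:
            if not LOGOUT_STEPS & set(steps):
                findings.append("%s: action %r never logs the user out" % (tag, target))
            if not KILL_STEPS & set(steps):
                findings.append("%s: action %r leaves applications running" % (tag, target))
            kills = [i for i, s in enumerate(steps) if s in KILL_STEPS]
            outs = [i for i, s in enumerate(steps) if s in LOGOUT_STEPS]
            if kills and outs and min(kills) > min(outs):
                findings.append("%s: action %r logs out before killing apps" % (tag, target))
        if tag == "on-inactivity-timer":
            timeout = int(attrs.get("timeout-seconds", "0"))
            if not 0 < timeout <= MAX_IDLE_SECONDS:
                findings.append("on-inactivity-timer: timeout %d s is outside (0, %d]"
                                % (timeout, MAX_IDLE_SECONDS))
    if not any(tag in SESSION_END_TRIGGERS for tag, _ in triggers):
        findings.append("no trigger ends the session on card removal or idle timeout")
    return findings


def fire(actions, triggers, event):
    """Simulate DAS receiving `event`: the ordered steps it would execute."""
    steps = []
    for tag, attrs in triggers:
        if tag == event:
            steps.extend(actions.get(attrs.get("action-name"), []))
    return steps


if __name__ == "__main__":
    for label, text in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        acts, trigs = load_policy(text)
        print(label, check_policy(acts, trigs) or "OK")
        print("  on-cardmon ->", fire(acts, trigs, "on-cardmon"))
```

Run the file directly to lint both policies. The weak one is the mistake that turns up most often in the field: a long idle timer bound to an action that hides the desktop without closing anything, which leaves the previous user's EMR and directory session live behind a blank screen, plus a hot key that references an action nobody defined. The kill-before-logout ordering check exists because applications holding open files on a mapped drive behave badly when the drive disappears under them.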
Sample Use Cases in Different Industries
• Healthcare
– Shared workstations/kiosks at nurse stations, exam rooms, patient kiosks, mobile health care workers, remote clinics, physician offices
• Manufacturing
– Factory floor shared workstations, shop floor control, stockrooms, information kiosks, remote/mobile workers, call centers
• Retail
– Point-of-sale, stockrooms, kiosks
• High Tech
– Offshore development, call centers
• Financial Services
– Customer service, call centers, information kiosks, remote and offshore resources
• Education
– Student labs, remote learning centers
DAS Use Case Example #1
• Workstation is configured to boot up and auto-login to the Windows desktop and AD domain automatically
• The Novell® Client is presented for users to authenticate to eDirectory™ and get their NetWare® drive mappings
• 3-5 users may use the workstation in a single hour (multiple Windows profiles to manage)
• Common in education, financial services, government
Issue: How do you ensure the previous user is logged out of all active applications and the workstation is ready for the next user without having to completely restart the Windows OS? Need fast user switching.
DAS Use Case Example #2
• Workstation is configured to boot up and auto-login to the Windows desktop, AD domain and NetWare® automatically (generic ID)
• Network drives are mapped at boot-up and remain the same for all users
• Users are required to log into each individual application (application-level security)
• 3-10 users may use the workstation in a single hour
• Common in healthcare and manufacturing
Issue: How do you ensure each user is required to authenticate once while getting SSO to their applications, and still provide fast login/logout?
HIT Security Questions: 19th Annual HIMSS CIO Survey 2008
Respondents were asked which security technologies are presently in place at their organization, and which technologies their facility plans to use or implement in the next two years.

Technology                                               In place   Planned (next 2 years)
Firewalls                                                  98.0%        11.1%
User Access Controls (based on role/location)              82.7%        17.9%
Audit Logs of Each Access to Patient Health Records        80.5%        19.9%
Off-site Storage                                           76.9%        20.8%
Disaster Recovery                                          74.6%        30.9%
Electronic Signature                                       73.3%        25.4%
Intrusion Prevention / Detection Service                   69.7%        25.1%
Multi-Level Passcodes                                      65.1%        16.0%
Data Encryption                                            62.5%        27.0%
Email Encryption                                           61.6%        34.2%
Single Sign-On                                             35.5%        49.2%
Public Key Infrastructure (PKI)                            27.4%        22.5%
Biometric Technologies (e.g. retinal scan, fingerprint)    21.8%        42.3%
None                                                        1.0%         0.3%
Don't Know                                                  1.0%         1.6%
Other (please specify)                                      0.0%         0.0%

Single sign-on is the most-planned technology (49.2%) while being in place at only 35.5% of respondents' organizations.
Solution Differentiators
• Shared credentials
– Web SSO, enterprise SSO, provisioning
• Identity Management provisioning integration
– Automatic provisioning of SSO credentials
• Leverages the existing directory infrastructure instead of requiring an additional identity store (no additional hardware)
– Minimizes administrative overhead
– Simplifies user management
– Significantly improves fault tolerance, high availability, and scalability
– Support for open standards (i.e. LDAP, SAML, CCOW) and interoperability across the enterprise
Solution Differentiators
• More multi-factor device support than any other vendor
• Minimal workstation impact
– Does not modify the GINA
– Small client footprint
– Fully compatible with Microsoft and Novell® workstation environments
– Fast login/logout
– Flexibility in application launching
– Fully integrated with ZENworks® for desktop management
• Centrally managed; no need for dual administration
– New users have instant access to solution capabilities

Thom Kirby, Eos Systems
Who We Are
• Eos Systems is a comprehensive IT solutions provider with an increasing national presence
– We serve clients in 38 states
• Eos Systems provides consulting and solutions for clients in information-intensive fields, including:
– Banking
– Law
– Education
– Manufacturing
– Healthcare
– Government
Who We Are
Solutions and Technologies
• Identity and Security
– Identity Management
– Access Management
– Security Management
– Compliance Management
• Endpoint
– Virtualization
– Resource Management
– Green IT
– Disaster Recovery and High Availability
• Outsourced IT
– Consulting
– Support Services
– Product Procurement
– Managed Services
• Collaboration
– E-mail
– Teaming
– Web
– Mobile
Who We Are
Aligning Technology with Business Process
• Major vendor certifications include: Microsoft, Citrix, Novell, Sophos, HP, IBM, Dell, Cisco, VMware, Symantec, GWAVA, NetVision, McAfee, Lenovo and 3Com.
• Eos Systems was established in 1997 and is headquartered in Boston, Massachusetts.
• Office locations:
– New York City
– Boston
– Salt Lake City
Customer Use Case for Health Care
• Environment:
– Kiosk-type machines stationed in a health care environment
– 3-5 different users must be able to quickly log in and out within an hour using a PCProx/smart card
– User access to applications/data must be controlled/enforced
• Issues:
– Enforcing/controlling user access to the data is paramount, as it can involve protected/confidential customer records
– The login/logout process needs to be under 5-10 seconds, including closing the previous user's active applications
– Unique user authentication to eDirectory™ and ZENworks® Configuration Management is required for the user to receive drive mappings, applications, and policies
Customer Use Case for Health Care
Solution:
• Desktop Automation Services (DAS) for fast user switching
• Workstation is configured to boot up and AutoAdminLogon to the Windows desktop and AD domain automatically (note that this generic Windows account's credentials live on the workstation, so it should carry no rights beyond what the kiosk desktop needs; per-user access control comes from the eDirectory/NSL login, not from the Windows session)
• A DAS integration script handles Novell® Client and ZCM logout/login to run the associated drive mappings, applications, policies, and printers for specific users
• Configurable inactivity timers for automated screen saver lock and user logout from the system to ensure data/application security
• Novell Single Sign-on integration for all user-associated applications
• NMAS integration for PCProx security cards with eDirectory to allow fast, secure logins without the need to type usernames and passwords
Question and Answer
For More Information
• Visit table A5 in IT Central
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM207: SecureLogin and Your Active Directory Setup
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin
• Walk through the SecureLogin demo in the Installation and Migration Depot
• Visit www.novell.com/securelogin
Try SecureLogin for Yourself
We'll install SecureLogin on your machine (for free).
Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.