Know Who is Connected Using Two-factor Authentication

Usernames and passwords have long been the standard for user authentication. Windows NT improved on this concept by adding a machine account that was needed to log in to a domain. Although this was good for domain logins, it could be bypassed to attach to network resources via pass-through authentication. Many companies need stronger methods of authentication, and this is especially critical when dealing with remote users. Modem pools and VPN devices are relatively easy to find, and malicious hackers can spend time trying to get through these devices with relative impunity. This concern is addressed by two-factor authentication, such as smartcards and biometric authentication.

Utilizing Smartcards

A smartcard is a portable programmable device containing an integrated circuit that stores and processes information. Smartcards traditionally take the form of a credit-card-sized device that is placed into a reader, but they can also be USB-based devices or integrated into employee badges. Windows Server 2003 and Windows XP have native support for smartcards as an authentication method. Smartcards are combined with a PIN, which can be thought of as a password, to provide two-factor authentication: physical possession of the smartcard and knowledge of the PIN must be combined to authenticate successfully.

To use a smartcard, a domain user must have a smart card certificate. Before a Certificate Authority (CA) can issue smart card certificates, the administrator must prepare it to do so: the CA needs both the Smart Card Logon and Enrollment Agent certificate templates installed. If smart card certificates are also to be used for secure e-mail messages, the administrator must install the Smart Card User certificate template as well.

To configure a Windows-based Enterprise CA to issue smart card certificates, follow these steps:

  1. Log on to an Enterprise CA. Be sure to use a domain administrator account.

  2. From the Start menu choose Programs, Administrative Tools, Certification Authority.

  3. In the Certification Authority console, expand your domain, right-click the Certificate Template container, and select New, Certificate Template to Issue.

  4. In the Enable Certificate Template dialog box, select Smartcard User, and then click OK.

  5. Right-click on the Certificate Template container, and click Manage. This will open up the Certificate Templates MMC.

  6. In the Certificate Templates MMC, right-click Smartcard User and select Properties.

  7. Click on the Security tab. Click on the Add button and choose the group for which you want to add smartcard access (in this example, a Smartcard Users group whose members are employees with smartcards was added to Active Directory).

  8. Select Read and Enroll for Permissions as shown in Figure 1.4, and then click OK.

    Figure 1.4. Adding a group for smartcard logon authentication.
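The same configuration can be scripted instead of clicked through. The following PowerShell is an added example, not code from the book: it publishes the templates on the Enterprise CA with certutil and grants the group Read and Enroll on the Smartcard User template object in Active Directory (template permissions live on the template object in the Configuration partition, which is what the Security tab edits). It assumes a modern CA host with the RSAT ActiveDirectory module, and a domain group named "Smartcard Users" that already exists, matching the group the book's step 7 describes; the group name is an assumption.

```powershell
# Added example (not from the book). Run on the Enterprise CA as a domain administrator.
# Assumes the RSAT ActiveDirectory module is installed and a group "Smartcard Users" exists.
Import-Module ActiveDirectory

$groupName = 'Smartcard Users'   # assumption: group created beforehand, as in the book's example
# Template object names (cn) behind the display names "Smartcard User",
# "Smart Card Logon" and "Enrollment Agent".
$templates = 'SmartcardUser', 'SmartcardLogon', 'EnrollmentAgent'

# Step 1: publish the templates on the CA (equivalent of "Certificate Template to Issue").
foreach ($t in $templates) {
    certutil -SetCATemplates "+$t" | Out-Null
}

# Step 2: grant Read + Enroll to the group on the Smartcard User template object.
$rootDse      = Get-ADRootDSE
$templatePath = "AD:\CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$sid          = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
# Well-known GUID of the Certificate-Enrollment extended right (the "Enroll" checkbox).
$enrollRight  = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'

$acl    = Get-Acl -Path $templatePath
$read   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')
$enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $enrollRight)
$acl.AddAccessRule($read)
$acl.AddAccessRule($enroll)
Set-Acl -Path $templatePath -AclObject $acl

# Step 3: verify. The template should now be listed among the CA's published templates,
# and the group's two ACEs should appear on the template object.
certutil -CATemplates | Select-String 'SmartcardUser'
(Get-Acl -Path $templatePath).Access |
    Where-Object { $_.IdentityReference -like "*$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType
```

Two points worth checking afterwards. First, the Enrollment Agent template lets its holders request certificates on behalf of other users, so Enroll on that template should be granted only to the small set of accounts that actually issue cards, not to the general Smartcard Users group; the script above deliberately touches only the Smartcard User template's ACL. Second, certutil -CATemplates is the quick way to confirm the CA is publishing what you expect and nothing more.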

Leveraging Biometrics to Enhance Security

Biometrics refers to unique biological information that can be used to determine the identity of a user. This, combined with name/password authentication, provides a two-factor authentication that cannot be duplicated. Thumbprints, bone density, and retinal patterns are all commonly used with biometric security.

Third-party biometric solutions leverage proprietary authentication mechanisms that work in tandem with the existing authentication protocols of network operating systems. Technologies like retinal scanners are usually standalone devices, whereas items like fingerprint readers can be integrated into the user's keyboard.


Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325