Subject: [ActiveDir] ADAM on XP Pro
Tony

10/05/2006 2:33 AM
I've been talking to a vendor about an application they are developing. It involves running ADAM instances on XP Pro machines (laptops) that replicate with a centralised ADAM instance running on W2K3. I don't have further details at this stage, but I believe they are planning to use the local ADAM instance to authenticate laptop users to an application when they are off-line.

In addition to security concerns with this approach, I'm not really comfortable with the idea of ADAM instances on laptops being part of a configuration set. I had always understood ADAM on XP to be used for a personal data store (http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony


________________________________________________________________
Sent via the WebMail system at mail.activedir.org


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
jeremyts

10/05/2006 3:05 AM
Hi Tony,

I agree with your concern. I don't want to go off topic, or push someone
else's product, but Citrix Password Manager will do this, and provide
complete security. It can run in disconnected mode and does not need a
Citrix server in place for it to work. I'm sure there are other solutions
out there too, but if it's just authentication they need, then this is the
one I would recommend if you wanted a software-based solution. A product
like Citrix Password Manager can add a lot more value too. Whereas this
ADAM application they are developing sounds like a considerable amount of
development for just one purpose. That usually means big bucks.

Cheers.

Kind regards,

Jeremy Saunders
Senior Technical Specialist

Infrastructure Technology Services
(ITS) & Cerulean
Global Technology Services (GTS)
IBM Australia
Level 2, 1060 Hay Street
West Perth  WA  6005

Visit us at
http://www.ibm.com/services/au/its

P:  +61 8 9261 8412 F:  +61 8 9261 8486
M:  TBA E-mail:
jeremy.saunders@xxxxxxxxxxx



dmitrig@xxxx.yyy

10/05/2006 3:18 AM  
ADAM on XP is no different from ADAM on w2k3 security-wise. The big
differences are that it is throttled somewhat perf-wise, and also
there's no auditing.

I do not see any serious security problems with this approach. Unless
you are thinking that somebody steals the laptop, cracks the DIT open
and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In
any case, these are ADAM users, not windows...

The only problem will be replication -- instances will complain that
they are unable to replicate when in offline mode. Perhaps this can be
resolved by creating a separate site for every instance and setting up
manual links to the hub instance. Hmm. Not sure. I guess it depends on
how long they'll stay offline. KCC is not really optimized to work well
in such scenarios.

Tony

10/05/2006 3:32 AM
Thanks Dmitri

Yes, my security concern was with regard to laptop theft. As you say, these are ADAM and not AD accounts, so the risk of compromise is localised to the application. Good tip about EFS (even if I'm not a big fan of it generally). There may be other options (e.g. hardware encryption).

I will give some further thought to the potential replication issues you mention when I know more about the application - I haven't managed to get my hands on it yet :-)

Tony
idan

10/05/2006 4:18 AM
Hi Tony,

I would think the only security risk with doing this is that if a laptop
is stolen, the entire contents of the directory, rather than just this
user's credentials, could be compromised.

In today's regulatory environment, where full disclosure of compromises,
including theft of data-laden hardware or media, is often legally
mandated, this could be disastrous. Obviously, I could be over-reaching
here - I don't know anything about the organization and therefore about
relevant legislation, but you should think about that possibility,
if for no other reason than to assure yourself that it does not apply.

The operational impact of replicating ADAM all over the place is
that you're dropping a large-ish piece of software on many workstations,
and they don't really need it. There may also be more replication
traffic and load on the central server than you might want.

A simpler solution, I would think, would be for this app to cache
on disk an encrypted copy of the current user's LDAP object whenever
the user successfully authenticates to the central ADAM. If the user
wants to use the app offline, the app would detect the fact that the
hardware it's on happens to be offline at startup (that's easy to do),
and authenticate the user against the disk image of the last user object.

In case your vendor doesn't know how to tell whether a machine is online
-- give them this C++ code snippet to get them started:

// get the list of interfaces (s is an already-created SOCKET; iInfo receives
// up to MAX_INTERFACES entries, numBytes the size actually written)
INTERFACE_INFO iInfo[MAX_INTERFACES];
DWORD numBytes = 0;
int rcode = WSAIoctl( s, SIO_GET_INTERFACE_LIST,
                      NULL, 0,
                      (LPVOID) iInfo, sizeof(INTERFACE_INFO) * MAX_INTERFACES,
                      &numBytes, NULL, NULL );
// on success numBytes / sizeof(INTERFACE_INFO) interfaces were returned;
// test each entry's iiFlags for IFF_UP (ignoring loopback) to decide "online"

This approach is roughly how cached credentials in Windows allow users
to sign onto their laptops with domain credentials while disconnected.

Bottom line: this method is pretty simple, doesn't require any special
software running on the PC, and limits the impact of a theft or compromise
of the user's workstation.

Good luck,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
Idan_Shoham@xxxxxxxxxxx
http://mtechIT.com
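Idan's proposal above, together with Dmitri's earlier point that the real threat is someone stealing the laptop and brute-forcing password hashes out of the DIT, as an added worked example. This is my illustration, not Idan's, Microsoft's or the vendor's code, and it is not how Windows cached credentials are implemented. Everything in it is an assumption: the constructed stand-in "central directory" and password table (a real app would do an LDAP bind to the central ADAM instance), the PBKDF2 iteration count, the 30-day cache lifetime, and the HMAC-SHA256 counter-mode stream cipher used as a standard-library stand-in for a real AEAD (AES-GCM) or DPAPI. The design point it shows: only the currently logged-on user's object ever reaches the laptop disk, it is sealed under a key derived from that user's password with a deliberately slow KDF, and a wrong password and a tampered cache are indistinguishable failures.

```python
"""Offline credential cache for a laptop application (stdlib only)."""
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ITERATIONS = 200_000          # assumption: slow KDF so a stolen cache is costly to brute-force
CACHE_MAX_AGE_SECONDS = 30 * 86400   # assumption: refuse offline logons from caches older than 30 days

# Constructed stand-in for the central ADAM instance; not a real LDAP server.
CENTRAL_DIRECTORY = {
    "alice": {
        "dn": "CN=alice,OU=Users,DC=app,DC=local",
        "displayName": "Alice Example",
        "memberOf": ["CN=Sales,OU=Groups,DC=app,DC=local"],
    },
}
CENTRAL_PASSWORDS = {"alice": "correct horse battery staple"}   # constructed sample


def central_bind(uid, password):
    """Simulate an online LDAP simple bind; return the user's object or None."""
    expected = CENTRAL_PASSWORDS.get(uid)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return dict(CENTRAL_DIRECTORY[uid])


def _derive_keys(password, salt):
    """One PBKDF2 call yields a 32-byte encryption key and a 32-byte sealing (MAC) key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _hmac_ctr_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode used as a PRF stream cipher.

    Stdlib-only stand-in for a real AEAD (AES-GCM) or DPAPI. A (key, nonce)
    pair is never reused: every cache write draws a fresh salt and nonce.
    """
    stream = b"".join(
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal_tag(mac_key, fields):
    """Encrypt-then-MAC tag over every field of the cache record."""
    return hmac.new(mac_key, b"|".join(fields), hashlib.sha256).digest()


def cache_after_online_logon(uid, password, now=None):
    """Bind to the central directory; on success return this user's sealed cache record."""
    user_obj = central_bind(uid, password)
    if user_obj is None:
        return None
    now = int(time.time() if now is None else now)
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = _hmac_ctr_xor(enc_key, nonce, json.dumps(user_obj).encode("utf-8"))
    tag = _seal_tag(mac_key, [uid.encode(), salt, nonce, str(now).encode(), ciphertext])
    return {"uid": uid, "salt": salt, "nonce": nonce, "written_at": now,
            "ciphertext": ciphertext, "tag": tag}


def offline_authenticate(cache, uid, password, now=None):
    """Authenticate against the cached object; return the object or None."""
    if cache is None or cache["uid"] != uid:
        return None
    now = int(time.time() if now is None else now)
    if now - cache["written_at"] > CACHE_MAX_AGE_SECONDS:
        return None   # stale: a central disablement or password change may have been missed
    enc_key, mac_key = _derive_keys(password, cache["salt"])
    expected = _seal_tag(mac_key, [uid.encode(), cache["salt"], cache["nonce"],
                                   str(cache["written_at"]).encode(), cache["ciphertext"]])
    if not hmac.compare_digest(expected, cache["tag"]):
        return None   # wrong password or tampered cache: same outcome, no oracle
    return json.loads(_hmac_ctr_xor(enc_key, cache["nonce"], cache["ciphertext"]))


if __name__ == "__main__":
    pw = CENTRAL_PASSWORDS["alice"]
    entry = cache_after_online_logon("alice", pw)            # online: bind, then refresh cache
    print("offline logon ok:", offline_authenticate(entry, "alice", pw) is not None)
    print("offline bad password rejected:", offline_authenticate(entry, "alice", "guess") is None)
```

The record is rewritten on every successful online logon, which is what makes central password changes and account disablement propagate; the age limit bounds how long a revoked user can keep working offline. A thief who images the disk gets one user's attributes under a password-derived key and a slow KDF, not the whole configuration set's DIT.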


amulnick

10/05/2006 6:06 AM
Message body was not found.
lef

10/05/2006 8:01 AM
I had an exchange with a vendor who was planning on a similar approach:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/browse_frm/thread/83248bf50f9f76ec/2aac67203f612e2a

My summary, see the end of the archived thread, was that they
should talk to Microsoft about this use of the replication model
as it did not seem an appropriate use of a multimaster replication
model to me. Even if we had RO ADAM instances I still think it
would be a pain to manage... let us know how you get on.

Thanks
Lee Flight

listmail

10/10/2006 10:33 AM
My first thought is yuck.

My second thought is this is insecure from multiple angles and really a poor
use of ADAM.

Sounds like an ultra poor attempt at making a datacenter app work on the
road.

I like where Idan was going... Some sort of local cached password for the
local version of the app. Once back online and talking to the "real" app the
cache gets refreshed.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


Copyright 2008 ActiveDir.org