Global Information Assurance Certification Paper
Copyright SANS Institute. Author Retains Full Rights. This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.
Is Single Sign on a Security Risk?

Introduction
Michael Kelly Version 1.2e
There used to be a time when the majority of computer operators and people alike maintained one user ID and password. With the introduction of platforms such as Microsoft Windows, and with the continual lowering of the cost of hardware capable of hosting Unix systems, this is no longer the case. Many of the applications hosted by high end systems like Mainframes have been distributed amongst multiple client server systems. If this didn't give organizations enough food for thought, let's add e-commerce to the equation. With each different OS, Application and security database introduced comes its own unique group of issues. Every day that passes, organizations change not only the technology they use but also the people that maintain the environment. This extremely fast progression has introduced many concerns for organizations large and small.
What issues has this progression introduced?
It is inevitable that with progression comes some amount of pain. Without understanding all the issues it would be very difficult to investigate an SSO solution. Once the issues are understood it will be easier to determine whether SSO is a security risk or a technology that helps alleviate security risks. Some of these issues are:
• Introduction of new OS, Application and Security Databases
• Social Engineering
• Continual changing of human resources
• Security
Introduction of new OS, Application and Security Databases
There are hundreds if not thousands of different OS/Applications and Security databases within the industry today. Many organizations have internally developed applications that authenticate to proprietary databases. As it is rare that all these different components are managed and maintained by the same (ever changing) department, it is less likely that standardization has taken place. User name and password restrictions would all benefit from standardization. The many user ids and passwords that users have to manage cause confusion. A good percentage of a user's time is spent logging on to system resources. “The Securities Industries Association, based in Washington, D.C., found that users spend an average of 44.4 hours a year logging on to (an average of) four applications a day.”
© SANS Institute 2000 - 2002
As part of GIAC practical repository.
Author retains full rights.
www-4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html
More and more organizations are moving towards e-commerce. Providing services and products to customers worldwide introduces an even greater need for user control. Many of the databases previously used for internal applications only have now been web enabled. It is important that a mechanism be in place to allow customers to transparently navigate across multiple web servers.
Social engineering
With the introduction of so many systems it is possible that users will forget their user id or password and eventually lock themselves out. Unfortunately this happens frequently. Help desk personnel are overwhelmed with the amount of calls regarding password reset and account activation.
http://www.courion.com/solutions/index.asp
“META Group reports that 15-30% of all support calls are caused by forgotten or expired passwords. The cost to manually reset passwords ranges from $15-30 per call, and on average, users call help desks with a password problem 4 times a year.”
This can increase the possibility of an individual social engineering the help desk. Under high stress people are less likely to follow the guidelines that are in place, guidelines that dictate being absolutely positive that the person requesting the password reset is who they say they are. Solutions have been developed to reduce the security risk of social engineering.
These types of systems allow end users to answer a variety of questions through automated telephone services. Once the correct response has been entered the account is reset and in some cases e-mailed back to the end user. These types of systems are widely used within the Internet community. If you forget your password on one of the popular search engine e-mail systems, you can select to have a new one created. Answering the correct question will reveal a new password.
Continual changing of human resources
The technology is not the only frequent change within an organization. People come and go, and along with that comes the variety of user accounts across the enterprise. As users have so many accounts it becomes extremely hard for administrators to track and deactivate/delete accounts as people leave the organization.

Security
Each operating system and application has its own set of security requirements for both user id and password. Some security databases by default require that the first character of the password be numeric. Other operating systems will not allow repeating characters within a password. For example AAMIKE would fail because the letter A follows the first letter A. As many operating systems have such a diverse set of restrictions it is possible that organizations will remove the restrictions (where possible) to reduce the amount of user frustration and calls to the help desk. This is also in an effort to reduce the number of sticky notes taped to monitors containing the user id and password. Security often competes with convenience in many different areas within an organization. Reducing password restrictions for end user convenience may or may not be an acceptable sacrifice.
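As an added illustration (not from the paper), the check below composes the per-system rules described above (leading digit, no repeated adjacent characters) with the central server's own minimum-length and dictionary rules, so that a password is only synchronized when every participating system would accept it; the system names, the rule set and the dictionary are constructed for the example.

```python
"""Added example, not from the paper: central SSO policy check that a candidate
password must pass for every downstream system before it is synchronized.
Systems, rules and the dictionary below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# A rule returns a failure reason, or None when the password passes it.
Rule = Callable[[str], Optional[str]]


def first_char_numeric(pw: str) -> Optional[str]:
    """Restriction of some security databases: password must start with a digit."""
    return None if pw[:1].isdigit() else "first character must be numeric"


def no_repeated_adjacent(pw: str) -> Optional[str]:
    """Restriction of some operating systems: AAMIKE fails because A follows A."""
    for a, b in zip(pw, pw[1:]):
        if a.lower() == b.lower():
            return f"repeated adjacent character '{a}'"
    return None


def min_length(n: int) -> Rule:
    return lambda pw: None if len(pw) >= n else f"shorter than {n} characters"


def not_in_dictionary(words: Set[str]) -> Rule:
    return lambda pw: "appears in the invalid dictionary" if pw.lower() in words else None


@dataclass
class TargetSystem:
    name: str
    rules: List[Rule] = field(default_factory=list)


# Constructed enterprise: the central server's policy plus three target systems.
CENTRAL_RULES: List[Rule] = [min_length(8), not_in_dictionary({"password", "welcome1"})]
SYSTEMS: List[TargetSystem] = [
    TargetSystem("legacy-host", [first_char_numeric]),
    TargetSystem("unix-box", [no_repeated_adjacent]),
    TargetSystem("web-portal", []),
]


def _apply(rules: List[Rule], pw: str) -> List[str]:
    return [reason for rule in rules if (reason := rule(pw)) is not None]


def check_password(pw: str, systems: List[TargetSystem] = SYSTEMS) -> Dict[str, List[str]]:
    """Return {system: [reasons]} for every system that would reject pw.
    An empty dict means the password can be synchronized everywhere."""
    failures: Dict[str, List[str]] = {}
    if central := _apply(CENTRAL_RULES, pw):
        failures["central-server"] = central
    for system in systems:
        if reasons := _apply(system.rules, pw):
            failures[system.name] = reasons
    return failures


def can_synchronize(pw: str) -> bool:
    return not check_password(pw)
```

A central policy that is at least as strict as the union of the target systems' rules is what lets the individual OS restrictions be brought in line with the central server's configuration rather than silently relaxed.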
What is Single Sign On?
SSO, in short, is the ability to authenticate once and never have to repeat the process for the duration of the session. Many solutions are available throughout the market that provide SSO capabilities. As a whole they all provide some form of authentication, authorization, access control and password synchronization. SSO solutions are available both for organizations moving towards e-commerce and for enterprise networked environments.
Authentication and Authorization
Authentication is the process of a user being identified as who they say they are. SSO applications either take advantage of the existing databases within the organization or require the implementation of a proprietary database. Software vendors such as Novell and Microsoft have developed highly scalable databases (also known as directories) that can be implemented into existing environments. These databases provide central repositories for user information and can be integrated into some of the available SSO solutions. Once a user has successfully authenticated they are then authorized to access various system resources. There are different types of authentication:
Single Factor—Single factor authentication is when the user is only required to produce one piece of information. The most common single factor authentication method would be passwords (Something you know). Biometrics (Something you are), although considered more secure than a password, is still referred to as single factor authentication when used independently.
Two Factor—Two factor authentication is the combination of two single factor authentications. During an authentication process, if a user is asked for both his password (Something you know) and a digital certificate (Something you own) then this would become a two factor authentication. Typically SSO products contain a central server. The central server is responsible for authenticating the user against one of the security databases within the organization. This is usually the database where all the user accounts exist. Security databases such as Windows NT SAM, Active Directory and IBM's RACF are common authentication options with SSO products. These all provide single factor authentication. Extending security databases to support tokens and PKI would provide two factor authentication.
Within an enterprise environment users authenticate to the central server with the aid of client code. Once the user has successfully authenticated to the central server the network logon is allowed to continue.
Access Control
The level of access control that SSO can provide will differ depending on the solution as well as the intended end users. SSO solutions for web servers typically provide content protection for web-enabled applications. After a user has successfully authenticated they are then allowed to access areas of the web server that the associated role permits. A role is a list of ACLs associated with one or more user ids. Once authenticated, the user is then granted a session id. The session can be used to validate the user as they move about multiple web servers without requiring multiple authentications. This provides SSO for web users.
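The session id mechanism just described, as an added example that is not from the paper or any product it names: the central server authenticates the user once and issues a signed session id carrying the user's role; any web server that shares the key validates the id and applies its own role ACL without re-authenticating. The HMAC token format, users, roles, ACL paths and lifetime are all constructed for the example.

```python
"""Added example, not from the paper: a signed SSO session id validated by
several web servers, each enforcing a role-based ACL. All data is constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Key shared between the central server and every participating web server (constructed).
SESSION_KEY = b"constructed-shared-key-for-the-example"
SESSION_LIFETIME = 3600  # seconds a session id stays valid

# Constructed central repository: user -> (password, role). A real repository
# stores salted password hashes; the clear text here only keeps the example short.
USERS = {"mkelly": ("7MikeSo!", "payroll-clerk"), "guest": ("guest1234", "visitor")}
# Constructed role definitions: role -> URL prefixes (the ACL) it may reach.
ROLE_ACL = {"payroll-clerk": {"/payroll/", "/intranet/"}, "visitor": {"/intranet/"}}


def _sign(payload: str) -> str:
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def central_login(user: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Authenticate once against the central repository and issue a session id."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None  # same answer for unknown user and wrong password
    issued = now if now is not None else int(time.time())
    payload = f"{user}|{record[1]}|{issued}|{secrets.token_hex(8)}"
    return payload + "." + _sign(payload)


def validate_session(session_id: str, now: Optional[int] = None) -> Optional[Dict[str, str]]:
    """Run on any web server: verify signature and age, return the session claims."""
    try:
        payload, sig = session_id.rsplit(".", 1)
        user, role, issued, _nonce = payload.split("|")
        issued_at = int(issued)
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered with or forged: the role claim cannot be trusted
    current = now if now is not None else int(time.time())
    if current - issued_at > SESSION_LIFETIME:
        return None  # expired: the user must authenticate again
    return {"user": user, "role": role}


def web_server_allows(session_id: str, path: str, now: Optional[int] = None) -> bool:
    """Content protection: the session must be valid and the role's ACL must cover the path."""
    claims = validate_session(session_id, now)
    if claims is None:
        return False
    return any(path.startswith(prefix) for prefix in ROLE_ACL.get(claims["role"], ()))
```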
SSO products achieve transparent sign on in one of two ways.
Users of corporate networks are presented with a graphical interface of applications they are allowed to access. The user points and clicks the application they want to launch. The credentials for that user (e.g. Non standardized user id) and application information are retrieved from the central server and provided to the application.
Scripted—Scripted Sign On is the process of playing keystrokes back to an application. When the application is launched, the keystrokes are played back to the application as if the user were typing them in. The user id and passwords are stored in the scripts as variables. Storing critical information as variables allows one script to be shared by many users for the same application. The variable values are pulled down from the central server at application launch. Scripted Sign On has to be initiated by the end user. Automatically launching the applications at logon would create multiple unnecessary active sessions to the applications.
Integrated—Integrated SSO allows for tight integration with applications. Applications that have been developed to integrate with SSO allow for information to be passed about the user without the need for scripts. The process is invisible to the end user. In addition, the SDKs provided with SSO solutions allow for the same integration with proprietary applications.
Password/Account Status Synchronization
Password synchronization is the ability to synchronize passwords around the corporate network. This is a vital aspect of SSO and can be considered the backbone of the solution. Passwords are captured from one or more security databases and then distributed via the central server around the enterprise network.
The central server is typically the controlling component of an SSO solution. Disabling an account from the central server triggers a chain of events that propagate down to the desired systems, disabling the user account on each. The propagation of account status would also occur if the maximum bad logon count was reached.
Conclusion
Security personnel become concerned that SSO and password synchronization create a security risk. If the password is the same across all security databases then the user's account is only as secure as the weakest operating system's security. There are many aspects of SSO that counteract the concern. Less secure systems can be excluded from the SSO enterprise environment. Many of the solutions available are multi tier by design and don't require all users or systems to participate. Careful consideration can be given to who and what is included within the SSO enterprise.
• Administrators are able to enforce more stringent password restrictions across the environment from the central server, such as minimum length, password expiry time and invalid dictionary lists. Individual OS and application restrictions can be brought in line with the central server's configuration.
• Password synchronization reduces user confusion. With only one password to remember it is less likely that the password will be written down on a piece of paper.
• SSO products that allow end users to reset the password after successfully answering a variety of questions reduce help desk cost and the risk of social engineering.
• Employees that leave the organization can quickly be deactivated on all systems from one location.
• Authentication to less secure operating systems can be enhanced with two factor authentication.
• With little intervention required to sign on to applications, the process is less likely to fail and cause a high volume of help desk calls.

Systems are vulnerable to attack. The strongest security databases have weaknesses that can be exploited. Host based and network based vulnerability assessment tools help to ensure that system configuration is in line with internal policies. SSO facilitates the authentication process and removes a good deal of pain from end users, help desk and administrators.
SSO, Vulnerability assessment and intrusion detection can all help to improve the level of security within an organization. After all, Security is all about layers.
References

http://www.eu.microsoft.com/windows2000/sfu/psync.asp
http://www.novell.com/products/nds/details.html
http://www.networkcomputing.com/1006/1006f12.html
http://www4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html
http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
http://www.courion.com/solutions/index.asp
http://www.fipass.com/corporate/authentication.asp
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=526
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=53&PID=3449195
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=55&PID=3449195#sso
http://www.blockade.com/products/blk_prod_ov.pdf
http://www.hut.fi/~totervo/netsec98/sso.html
Last Updated: January 29th, 2017