Author: Loraine Thomas
Global Information Assurance Certification Paper

Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.

Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec

Is Single Sign On a Security Risk?

Michael Kelly, Version 1.2e

Introduction

There used to be a time when the majority of computer operators and people alike maintained one user ID and password. With the introduction of platforms such as Microsoft Windows, and with the continual lowering of the cost of hardware capable of hosting Unix systems, this is no longer the case. Many of the applications hosted by high end systems like mainframes have been distributed amongst multiple client server systems. If this didn't give organizations enough food for thought, let's add e-commerce to the equation. With each different OS, application and security database introduced comes its own unique group of issues. Every day that passes, organizations change not only the technology they use but also the people that maintain the environment. This extremely fast progression has introduced many concerns for organizations large and small.


What issues has this progression introduced?


It is inevitable that with progression comes some amount of pain. Without understanding all the issues it would be very difficult to investigate an SSO solution. Once the issues are understood it will be easier to determine whether SSO is a security risk or a technology that helps alleviate security risks. Some of these issues are:


• Introduction of new OS, application and security databases
• Social engineering
• Continual changing of human resources
• Security


Introduction of new OS, Application and Security Databases


There are hundreds if not thousands of different OS, application and security databases within the industry today. Many organizations have internally developed applications that authenticate to proprietary databases. As it is rare that all these different components are managed and maintained by the same (ever changing) department, it is unlikely that standardization has taken place. User name and password restrictions would all benefit from standardization. The many user IDs and passwords that users have to manage cause confusion. A good percentage of a user's time is spent logging on to system resources.

“The Securities Industries Association, based in Washington, D.C., found that users spend an average of 44.4 hours a year logging on to (an average of) four applications a day.”

© SANS Institute 2000 - 2002

As part of GIAC practical repository.

Author retains full rights.

www-4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html


More and more organizations are moving towards e-commerce. Providing services and products to customers worldwide introduces an even greater need for user control. Many of the databases previously used for internal applications only have now been web enabled. It is important that a mechanism be in place to allow customers to transparently navigate across multiple web servers.


Social engineering


With the introduction of so many systems it is possible that users will forget their user ID or password and eventually lock themselves out. Unfortunately this happens frequently. Help desk personnel are overwhelmed with the amount of calls regarding password reset and account activation.


http://www.courion.com/solutions/index.asp


“META Group reports that 15-30% of all support calls are caused by forgotten or expired passwords. The cost to manually reset passwords ranges from $15-30 per call, and on average, users call help desks with a password problem 4 times a year.”


This can increase the possibility of an individual social engineering the help desk. Under high stress, people are less likely to follow the guidelines that are in place, guidelines that dictate being absolutely positive that the person requesting the password reset is who they say they are. Solutions have been developed to reduce the security risk of social engineering.


These types of systems allow end users to answer a variety of questions through automated telephone services. Once the correct responses have been entered the account is reset and in some cases the new password is e-mailed back to the end user. These types of systems are widely used within the Internet community. If you forget your password on one of the popular search engine e-mail systems, you can choose to have a new one created. Answering the correct question will reveal a new password.
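As an added example (not code from the paper or from any vendor's product) of the automated challenge-question reset described above: the service stores salted hashes of normalized answers, requires every enrolled question to be answered correctly, locks the self-service path after a few failures so that the remaining cases go back to the help desk, and issues a short-lived one-time reset token instead of returning a new password. User names, questions and the attempt and expiry limits are constructed values.

```python
import hashlib
import hmac
import os
import secrets


def normalize(answer):
    # "Main Street" and " main   street " should compare equal.
    return " ".join(answer.lower().split())


class ResetService:
    """Self-service reset: all enrolled questions must be answered correctly,
    a few failures lock the flow (the rest goes through the help desk), and
    success yields a short-lived one-time reset token rather than a password."""

    def __init__(self, max_attempts=3, token_ttl=600):
        self.max_attempts = max_attempts   # constructed limit
        self.token_ttl = token_ttl         # seconds, constructed limit
        self.profiles = {}
        self.tokens = {}

    @staticmethod
    def _digest(answer, salt):
        # Answers are secrets: store them salted and stretched, never in clear.
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)

    def enroll(self, uid, questions_and_answers):
        salt = os.urandom(16)
        self.profiles[uid] = {
            "salt": salt,
            "answers": {q: self._digest(a, salt) for q, a in questions_and_answers.items()},
            "failures": 0,
            "locked": False,
        }

    def questions(self, uid):
        profile = self.profiles.get(uid)
        return list(profile["answers"]) if profile else []

    def answer(self, uid, given, now):
        profile = self.profiles.get(uid)
        if profile is None or profile["locked"]:
            return None
        # Check every question (no early exit) so the caller cannot tell which one failed.
        results = [hmac.compare_digest(self._digest(given.get(q, ""), profile["salt"]), expected)
                   for q, expected in profile["answers"].items()]
        if not all(results):
            profile["failures"] += 1
            if profile["failures"] >= self.max_attempts:
                profile["locked"] = True   # only the help desk can unlock from here
            return None
        profile["failures"] = 0
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (uid, now + self.token_ttl)
        return token

    def redeem(self, token, now):
        entry = self.tokens.pop(token, None)   # one use only
        if entry is None:
            return None
        uid, expires = entry
        return uid if now < expires else None

    def is_locked(self, uid):
        return self.profiles[uid]["locked"]


if __name__ == "__main__":
    svc = ResetService()
    svc.enroll("alice", {"first pet": "Rex", "street": "Main Street"})   # constructed enrolment
    token = svc.answer("alice", {"first pet": " REX ", "street": "main   street"}, now=0)
    print("reset token issued:", token is not None)
    print("token redeemed for:", svc.redeem(token, now=10))
```

The token, not a password, is what reaches the user, and it is redeemable once; the paper's note that some products e-mail the new password back is the weaker of the two designs because the mail spool then holds a reusable credential.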


Continual changing of human resources


The technology is not the only frequent change within an organization. People come and go, and along with that comes the variety of user accounts across the enterprise. As users have so many accounts, it becomes extremely hard for administrators to track and deactivate/delete accounts as people leave the organization.

Security

Each operating system and application has its own set of security requirements for both user ID and password. Some security databases by default require that the first character of the password be numeric. Other operating systems will not allow repeating characters within a password. For example, AAMIKE would fail because the letter A follows the first letter A. As many operating systems have such a diverse set of restrictions, it is possible that organizations will remove the restrictions (where possible) to reduce the amount of user frustration and calls to the help desk. This is also an effort to reduce the amount of sticky notes taped to monitors containing the user ID and password. Security often competes with convenience in many different areas within an organization. Reducing password restrictions for end user convenience may or may not be an acceptable sacrifice.


What is Single Sign On?


SSO, in short, is the ability to authenticate once and never have to repeat the process for the duration of the session. Many solutions are available throughout the market that provide SSO capabilities. As a whole they all provide some form of authentication, authorization, access control and password synchronization. SSO solutions are available both for organizations moving towards e-commerce and for enterprise networked environments.


Authentication and Authorization


Authentication is the process of a user being identified as who they say they are. SSO applications either take advantage of the existing databases within the organization or require the implementation of a proprietary database. Software vendors such as Novell and Microsoft have developed highly scalable databases (also known as directories) that can be implemented into existing environments. These databases provide central repositories for user information and can be integrated into some of the available SSO solutions. Once a user has successfully authenticated they are then authorized to access various system resources. There are different types of authentication:


Single Factor—Single factor authentication is when the user is only required to produce one piece of information. The most common single factor authentication method is the password (something you know). Biometrics (something you are), although considered more secure than a password, when used independently are still referred to as single factor authentication.


Two Factor—Two factor authentication is the combination of two single factor authentications. During an authentication process, if a user is asked for both his password (something you know) and a digital certificate (something you own), then this becomes a two factor authentication.

Typically SSO products contain a central server. The central server is responsible for authenticating the user against one of the security databases within the organization. This is usually the database where all the user accounts exist. Security databases such as Windows NT SAM, Active Directory and IBM's RACF are common authentication options with SSO products. These all provide single factor authentication. Extending security databases to support tokens and PKI would provide two factor authentication.


Within an enterprise environment users authenticate to the central server with the aid of client code. Once the user has successfully authenticated to the central server the network logon is allowed to continue.


Access Control


The level of access control that SSO can provide will differ depending on the solution as well as the intended end users. SSO solutions for web servers typically provide content protection for web-enabled applications. After a user has successfully authenticated they are then allowed to access the areas of the web server that the associated role permits. A role is a list of ACLs associated with one or more user IDs. Once authenticated, the user is granted a session ID. The session can be used to validate the user as they move about multiple web servers without requiring multiple authentications. This provides SSO for web users.
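The flow described in the Authentication, Authorization and Access Control sections, as an added example that is not code from the paper or from any SSO product it names: a constructed directory holds salted password hashes (single factor), an HOTP token per RFC 4226 stands in for the "something you own" factor for users who have one, the central server issues a session ID after authenticating, and two web servers that hold no credentials of their own validate that session ID and the role's ACL (URL prefixes) against the central server. User names, passwords, role names, the HOTP secret and the session lifetime are constructed values.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time


class Directory:
    """Constructed stand-in for the organization's security database."""

    def __init__(self):
        self.users = {}

    def add_user(self, uid, password, roles, hotp_secret=None):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[uid] = {"salt": salt, "digest": digest, "roles": list(roles),
                           "hotp_secret": hotp_secret, "counter": 0}

    def verify_password(self, uid, password):
        user = self.users.get(uid)
        if user is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(digest, user["digest"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the code a hardware token sharing `secret` would display."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class CentralServer:
    """Authenticates once, hands out a session ID, and answers access-control
    questions from every web server that trusts it."""

    def __init__(self, directory, session_ttl=900):
        self.directory = directory
        self.session_ttl = session_ttl      # seconds, constructed value
        self.sessions = {}
        # A role is a list of ACL entries; here an entry is a protected URL prefix.
        self.roles = {"staff": {"/intranet/"}, "finance": {"/intranet/", "/payroll/"}}

    def login(self, uid, password, otp=None, now=None):
        now = time.time() if now is None else now
        if not self.directory.verify_password(uid, password):      # factor 1
            return None
        user = self.directory.users[uid]
        if user["hotp_secret"] is not None:                          # factor 2, if enrolled
            expected = hotp(user["hotp_secret"], user["counter"])
            if otp is None or not hmac.compare_digest(otp, expected):
                return None
            user["counter"] += 1          # a used code is never accepted again
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"uid": uid, "expires": now + self.session_ttl}
        return sid

    def validate(self, sid, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now >= session["expires"]:
            del self.sessions[sid]
            return None
        return session["uid"]

    def permits(self, sid, path, now=None):
        uid = self.validate(sid, now)
        if uid is None:
            return False
        acl = set()
        for role in self.directory.users[uid]["roles"]:
            acl |= self.roles.get(role, set())
        return any(path.startswith(area) for area in acl)


class WebServer:
    """Content server that stores no credentials; it only consults the central server."""

    def __init__(self, name, central):
        self.name = name
        self.central = central

    def request(self, sid, path, now=None):
        if self.central.validate(sid, now) is None:
            return 401    # no valid session: send the user to the central logon
        return 200 if self.central.permits(sid, path, now) else 403


def demo():
    directory = Directory()     # constructed users, passwords and token secret
    directory.add_user("alice", "correct horse battery", ["staff"])
    directory.add_user("bob", "tr0ub4dor&3", ["finance"], hotp_secret=b"12345678901234567890")
    central = CentralServer(directory)
    portal, payroll = WebServer("portal", central), WebServer("payroll", central)
    t, out = 1000.0, {}
    out["alice_bad_password"] = central.login("alice", "wrong", now=t)
    alice = central.login("alice", "correct horse battery", now=t)
    out["alice_intranet"] = portal.request(alice, "/intranet/home", now=t)
    out["alice_payroll"] = payroll.request(alice, "/payroll/run", now=t)
    out["bob_no_token"] = central.login("bob", "tr0ub4dor&3", now=t)
    bob = central.login("bob", "tr0ub4dor&3", otp=hotp(b"12345678901234567890", 0), now=t)
    out["bob_replay"] = central.login("bob", "tr0ub4dor&3", otp=hotp(b"12345678901234567890", 0), now=t)
    out["bob_payroll"] = payroll.request(bob, "/payroll/run", now=t)
    out["alice_after_expiry"] = portal.request(alice, "/intranet/home", now=t + 900)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is where the trust sits: the web servers never see a password or a token code, only an opaque session ID that the central server can expire or revoke, which is what makes a single authentication usable across several servers without copying credentials to each one.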


SSO products achieve transparent sign on in one of two ways.


Users of corporate networks are presented with a graphical interface of the applications they are allowed to access. The user points and clicks the application they want to launch. The credentials for that user (e.g. a non-standardized user ID) and the application information are retrieved from the central server and provided to the application.


Scripted—Scripted sign on is the process of playing keystrokes back to an application. When the application is launched, the keystrokes are played back to the application as if the user was typing them in. The user IDs and passwords are stored in the scripts as variables. Storing critical information as variables allows one script to be shared by many users for the same application. The variable values are pulled down from the central server at application launch. Scripted sign on has to be initiated by the end user. Automatically launching the applications at logon would create multiple unnecessary active sessions to the applications.


Integrated—Integrated SSO allows for tight integration with applications. Applications that have been developed to integrate with SSO allow information about the user to be passed without the need for scripts. The process is invisible to the end user. In addition, the SDKs provided with SSO solutions allow for the same integration with proprietary applications.


Password/account status synchronization


Password synchronization is the ability to synchronize passwords around the corporate network. This is a vital aspect of SSO and can be considered the backbone of the solution. Passwords are captured from one or more security databases and then distributed via the central server around the enterprise network.


The central server is typically the controlling component of a SSO solution. Disabling accounts from the central server triggers a chain of events that propagate down to the desired systems disabling the user account. The propagation of account status would also occur if the maximum bad logon count was reached.
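As an added example (not the paper's or any product's code) of the central server's role in password and account status synchronization, together with the per-system restrictions discussed under Security (leading digit, no repeated adjacent characters) and the central restrictions the Conclusion mentions (minimum length, expiry, dictionary list): the central policy is checked first, then every participating target system's local rules, and nothing is written unless all of them accept the password, so a user never ends up with a new password on some systems and the old one on others; disabling an account, or reaching the maximum bad logon count, propagates to every registered system, and a system that is not registered is simply outside the SSO scope. System names, rule sets and limits are constructed.

```python
import hashlib
import os
from dataclasses import dataclass, field


def first_char_numeric(pw):
    # Restriction quoted in the paper: some databases require a leading digit.
    return None if pw[:1].isdigit() else "first character must be numeric"


def no_adjacent_repeat(pw):
    # Restriction quoted in the paper: AAMIKE fails because A follows A.
    return "repeated adjacent characters" if any(a == b for a, b in zip(pw, pw[1:])) else None


@dataclass
class TargetSystem:
    """One security database fed by the central server (constructed stand-in)."""
    name: str
    local_rules: list = field(default_factory=list)   # callables: password -> error or None
    accounts: dict = field(default_factory=dict)

    def check(self, password):
        for rule in self.local_rules:
            err = rule(password)
            if err:
                return err
        return None

    def set_password(self, uid, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[uid] = {"salt": salt, "digest": digest, "disabled": False}

    def set_disabled(self, uid, flag):
        if uid in self.accounts:
            self.accounts[uid]["disabled"] = flag


class CentralServer:
    def __init__(self, min_length=8, max_age_days=90, dictionary=(), max_bad_logons=3):
        self.min_length = min_length            # constructed policy values
        self.max_age_days = max_age_days
        self.dictionary = {w.lower() for w in dictionary}
        self.max_bad_logons = max_bad_logons
        self.targets = []    # participating systems only; less secure ones are never registered
        self.users = {}

    def register(self, target):
        self.targets.append(target)

    def check_policy(self, password):
        if len(password) < self.min_length:
            return f"shorter than {self.min_length} characters"
        if password.lower() in self.dictionary:
            return "password appears in the dictionary list"
        return None

    def change_password(self, uid, password, today):
        """Return {} when synchronized everywhere, otherwise the rejections.
        Nothing is written unless every participating system accepts the password."""
        err = self.check_policy(password)
        if err:
            return {"central": err}
        rejections = {}
        for target in self.targets:
            err = target.check(password)
            if err:
                rejections[target.name] = err
        if rejections:
            return rejections
        for target in self.targets:
            target.set_password(uid, password)
        self.users[uid] = {"changed": today, "bad_logons": 0, "disabled": False}
        return {}

    def password_expired(self, uid, today):
        return today - self.users[uid]["changed"] >= self.max_age_days

    def set_disabled(self, uid, flag):
        # One action at the central server propagates to every registered system.
        self.users[uid]["disabled"] = flag
        for target in self.targets:
            target.set_disabled(uid, flag)

    def record_logon(self, uid, success):
        user = self.users[uid]
        if success:
            user["bad_logons"] = 0
            return
        user["bad_logons"] += 1
        if user["bad_logons"] >= self.max_bad_logons:
            self.set_disabled(uid, True)     # lockout status propagates too

    def status(self, uid):
        return {t.name: t.accounts[uid]["disabled"] for t in self.targets if uid in t.accounts}


def demo():
    central = CentralServer(min_length=8, dictionary={"password", "welcome1"})
    central.register(TargetSystem("nt_domain"))
    central.register(TargetSystem("unix_host", [first_char_numeric]))
    central.register(TargetSystem("mainframe", [no_adjacent_repeat]))
    legacy = TargetSystem("legacy_app")   # deliberately unregistered: outside the SSO scope
    out = {}
    out["too_short"] = central.change_password("mike", "AAMIKE", today=0)
    out["local_rules"] = central.change_password("mike", "AAMIKE2001", today=0)
    out["synced"] = central.change_password("mike", "7Mike2017", today=0)
    out["legacy_untouched"] = "mike" in legacy.accounts
    for _ in range(3):
        central.record_logon("mike", success=False)
    out["status_after_lockout"] = central.status("mike")
    out["expired_day_100"] = central.password_expired("mike", today=100)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two-phase change (check every system, then write to every system) is the design choice worth copying: a synchronizer that writes as it goes will leave the user with mismatched passwords the first time one target rejects the new value, which is exactly the confusion synchronization exists to remove.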


Conclusion


Security personnel become concerned that SSO and password synchronization create a security risk. If the password is the same across all security databases then the user's account is only as secure as the weakest operating system's security. There are many aspects of SSO that counteract the concern. Less secure systems can be excluded from the SSO enterprise environment. Many of the solutions available are multi-tier by design and don't require all users or systems to participate. Careful consideration can be given to who and what is included within the SSO enterprise.



• Administrators are able to enforce more stringent password restrictions across the environment from the central server, such as minimum length, password expiry time and invalid dictionary lists. Individual OS and application restrictions can be brought in line with the central server's configuration.


• Password synchronization reduces user confusion. With only one password to remember it is less likely that the password will be written down on a piece of paper.


• SSO products that allow end users to reset the password after successfully answering a variety of questions reduce help desk cost and the risk of social engineering.



• Employees that leave organizations can quickly be deactivated on all systems from one location.



• Authentication to less secure operating systems can be enhanced with two factor authentication.


• With little intervention required to sign on to applications, the process is less likely to fail and cause a high volume of help desk calls.

Systems are vulnerable to attack. The strongest security databases have weaknesses that can be exploited. Host based and network based vulnerability assessment tools help to ensure that system configuration is in line with internal policies. SSO facilitates the authentication process and removes a good deal of pain from end users, the help desk and administrators.


SSO, Vulnerability assessment and intrusion detection can all help to improve the level of security within an organization. After all, Security is all about layers.

References

http://www.eu.microsoft.com/windows2000/sfu/psync.asp
http://www.novell.com/products/nds/details.html
http://www.networkcomputing.com/1006/1006f12.html
http://www4.ibm.com/software/network/globalsignon/library/whitepapers/overview.html
http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
http://www.courion.com/solutions/index.asp
http://www.fipass.com/corporate/authentication.asp
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=526
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=53&PID=3449195
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=55&PID=3449195#sso
http://www.blockade.com/products/blk_prod_ov.pdf
http://www.hut.fi/~totervo/netsec98/sso.html
