Hitachi ID Password Manager Security Analysis
 


Organizations that either are considering deployment of Hitachi ID Password Manager or have already deployed it need to understand its security implications.

Hitachi ID Password Manager impacts authentication processes and standards. This document describes this impact, and how to ensure that it is a positive change.

Hitachi ID Password Manager is also a sensitive part of an organization's IT infrastructure, and consequently must be defended by strong security measures. The technology used by Hitachi ID Password Manager to protect against intrusions, as well as best practices to deploy that technology, are described here.


Document Transcript

Hitachi ID Password Manager Security Analysis

© 2014 Hitachi ID Systems, Inc. All rights reserved.
Organizations that either are considering deployment of Password Manager or have already deployed it need to understand its security implications. Password Manager impacts authentication processes and standards. This document describes this impact, and how to ensure that it is a positive change. Password Manager is also a sensitive part of an organization’s IT infrastructure, and consequently must be defended by strong security measures. The technology used by Password Manager to protect against intrusions, as well as best practices to deploy that technology, are described here.

Contents

1 Introduction 1
2 What is Hitachi ID Password Manager? 2
3 Protected Assets 3
4 Defining security violations 4
5 Impact on User Authentication 6
  5.1 Password Problem Help Desk Calls 6
  5.2 Password Policy Enforcement 6
  5.3 Password Synchronization 7
  5.4 Profile Enrollment Impacts Security 7
6 Server Defenses 8
  6.1 Operating System 8
  6.2 Web Server 10
  6.3 Hitachi ID Password Manager Application 12
7 Communication Defenses 14
8 Data protection 17
9 The Secure Kiosk Account 18
  9.1 Protected Assets 19
  9.2 Existing Risks 19
    9.2.1 Workstation Security 19
    9.2.2 Network Infrastructure 20
    9.2.3 Network Servers 20
  9.3 Net New Vulnerability 20
10 Conclusions 21
1 Introduction

Organizations that either are considering deployment of Hitachi ID Password Manager or have already deployed it need to understand its security implications.

Password Manager impacts authentication processes and standards. This document describes this impact, and how to ensure that it is a positive change.

Password Manager is also a sensitive part of an organization’s IT infrastructure, and consequently must be defended by strong security measures. The technology used by Password Manager to protect against intrusions, as well as best practices to deploy that technology, are described here.

The remainder of this paper is organized into sections that describe challenges specific to managing passwords for mobile users, and how Password Manager addresses each problem.

• What is Password Manager? A brief description of Password Manager, to give context to the subsequent sections.
• Protected assets: A list of what information security, as implemented in Password Manager, should protect.
• Defining security violations: Some specific security attacks that Password Manager defenses must repel.
• Impact on authentication processes: How the features and processes created by Password Manager affect authentication to IT infrastructure generally in an organization.
• Server defenses: How the Password Manager server can and should be protected.
• Communication defenses: How data transmitted to and from each Password Manager server is protected.
• Data protection: How data stored on each Password Manager server is protected.
• The secure kiosk account: How the optional secure kiosk account impacts the security of the network operating system where it is installed.
2 What is Password Manager?

Hitachi ID Password Manager is an integrated solution for managing user credentials, across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.

Password Manager reduces the cost of password management using:

• Password synchronization, which reduces the incidence of password problems for users
• Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk
• Streamlined help desk password reset, to expedite resolution of password problem calls

Password Manager strengthens security by providing:

• A powerful password policy engine.
• Effective user authentication, especially prior to password resets.
• Password synchronization, to help eliminate written-down passwords.
• Delegated password reset privileges for help desk staff.
• Accountability for all password changes.
• Encryption of all transmitted passwords.

To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.
3 Protected Assets

IT security means protecting the availability of systems, the confidentiality of data, and the integrity of both processes and data.

Hitachi ID Password Manager is designed to improve network security. It includes measures to protect:

• The Password Manager server itself.
• Sensitive data housed on the Password Manager server, including:
  – Target credentials to target systems, which the Password Manager server uses to attach to target systems and reset user passwords.
  – Support staff passwords, which may be used by Password Manager to authenticate help desk analysts.
  – Personal user data, which may be managed by Password Manager and used to authenticate users who access a self-service password reset.
• Data transmitted by users to Password Manager, including answers to personal questions and passwords.
• Data transmitted from Password Manager to managed systems, including target credentials and user passwords.
• Authorized access to managed systems.

The Password Manager software is designed to safeguard all of these assets. Customers should take care, and follow best practices, to ensure that their deployments of Password Manager will likewise protect these assets.
4 Defining security violations

As mentioned in the previous section, Hitachi ID Password Manager is designed to protect a range of security assets. Password Manager is also designed to defeat specific attacks, targeted against:

• User accounts / profiles: Access to Password Manager functions is protected using strong user authentication, intruder lockouts and security violation alarms.
• The Password Manager web application: The Password Manager web user portal is implemented using the standard common gateway interface (CGI) mechanism, available on all web servers. CGI programs are exclusively responsible for accepting user input and displaying web pages. As such, the CGI programs may be attacked, so they need to incorporate strong protections. All Password Manager CGI programs use a standard string library to validate all inputs and protect against buffer overflow, SQL injection, cross-site scripting and similar attacks. This is done by checking maximum input lengths, filtering out special characters and HTML codes, checking for valid formatting and value ranges, etc.
• The Password Manager web server: Password Manager is compatible with a wide variety of web servers (Apache, SunONE, IIS). It uses only the RFC-compliant CGI mechanism in its host web server, and consequently does not require scripting engines, index services, dynamic HTML preprocessing or other web server modules which may contain known or latent security vulnerabilities.
• The Password Manager host operating system: Password Manager relies on a very minimal set of operating system features, and administrators are encouraged to lock down the Password Manager server’s host operating system by removing all non-essential services and components.
• Sensitive data managed by Password Manager: All sensitive data managed by Password Manager is encrypted.
• Communication between users and Password Manager: All communication with users is encrypted, using HTTPS and a trusted third-party (Verisign, Thawte, etc.) SSL certificate.
• Communication between Password Manager components on the network: All communication between Password Manager components, whether within the context of a single server or across the network, is encrypted using 128-bit AES, a shared key, mutual authentication, random session keys and block feedback.
• Communication between Password Manager and target systems: Password Manager communicates with managed systems using one of three methods:
  1. Using the target’s natively encrypted user administration protocol.
  2. By installing a Password Manager agent on the target system, and encrypting communication between Password Manager components using a shared key.
  3. By deploying a Password Manager proxy server adjacent to the target system, in a physically secure co-location, and encrypting communication between the main Password Manager server and the proxy server using a shared key.

In all three cases, communication is protected as it traverses vulnerable network media.
5 Impact on User Authentication

One of Hitachi ID Password Manager’s main objectives is to enhance the security posture of organizations, by improving the security of user authentication processes.

5.1 Password Problem Help Desk Calls

Users who forget a password or trigger an intruder lockout before Hitachi ID Password Manager rely on support processes, such as calling the help desk, to get a password reset and thereby resolve their problem.

It follows that the security of passwords is only as good as the security of the process used to authenticate help desk callers. For instance, in a company where users must enter complex passwords and must change them every day, but where users who forget their password can authenticate to the help desk using the last 4 digits of their social security number, passwords are only as secure as the last 4 digits of a user’s SSN.

Password Manager improves user authentication prior to password resets, both self-service and assisted. Users may be required to authenticate with:

• A two-factor hardware token.
• A biometric voice-print match.
• Answers, filled in on successive screens, to multiple, randomly selected personal questions, some of which are standard (apply to all users), and some of which are personalized (different users have different questions).

Using Password Manager, it is possible to make non-password authentication as strong as or stronger than password authentication.

5.2 Password Policy Enforcement

Passwords are only a reliable authenticator if they are impractical to guess and are not written down or shared. Password policy rules are used by systems to make sure that users select passwords that are difficult to guess.

Hitachi ID Password Manager makes it possible to enforce a single, consistent and strong set of password rules across multiple systems – including on systems that do not natively have a good password policy engine.

Password aging is used to force users to change passwords periodically, to limit the window of time available to an intruder who may be in a position to attempt a brute-force password guessing attack.

Password Manager can enforce password aging globally, including on systems that do not natively enforce it.

5.3 Password Synchronization

Users in a typical mid- to large-sized organization have from 5 to 8 different passwords. These passwords expire on different schedules, and are subject to different password policy rules. As a result, over time, users tend to acquire a collection of different passwords – one per system.

Since multiple passwords are difficult to remember, users usually write down their passwords, try to pick easy-to-remember (and so easy-to-guess) password values, and try to avoid password changes.

Password synchronization, a core Hitachi ID Password Manager feature, makes it easy for users to manage a single, complex, frequently-changing password value on multiple systems. Managing a single password is much easier than managing 5–8 different passwords, and as a result users tend not to write down their passwords. Password synchronization is an effective antidote for sticky notes with password lists.

5.4 Profile Enrollment Impacts Security

In most self-service password reset deployments, users are asked to register personal authentication data (question and answer pairs), that can subsequently be used to authenticate them.

The security of this registration process is just as important as the quality of the authentication profile and user passwords. This is because compromise of the enrollment process would allow an attacker to fill out a user’s profile, and use it to reset that user’s password.

For instance, if users register a Q&A profile using a short PIN, then an intruder who can guess or acquire a PIN will be able to register as the user, set up the user’s Q&A profile with information that the intruder can answer, and then use the self-service process to reset the user’s passwords to a value that the intruder knows.

The bottom line is that the authentication method used to register data that will be used for self-service password reset must be at least as secure as network passwords.

In Hitachi ID Password Manager, users type their current network passwords to authenticate to the registration process, and so the above requirement is met.
6 Server Defenses

The Hitachi ID Password Manager server houses some sensitive data, including target credentials and possibly private user profile information, as described in Section 3 on Page 3. To protect this data, Password Manager includes several layers of defense:

6.1 Operating System

Hitachi ID Password Manager is installed on a locked-down, fully patched Windows 2003 server.

An important way to secure a server on any platform is to reduce the amount of software that it runs. This eliminates potential sources of software bugs that could be exploited to violate the server’s security. The following services, at most, are needed on the Password Manager server:

• DNS Client - Required to resolve host names
• Event Log - Core O.S. component
• IIS Admin Service - Only required if IIS is used
• IPSEC Policy Agent - Core O.S. component
• Logical Disk Manager - Core O.S. component
• Network Connections - Required to manage network interfaces
• Plug and Play - Hardware support
• Protected Storage - Core O.S. component
• Remote Procedure Call (RPC) - Core O.S. component
• Removable Storage - Required to open CD-ROM drives
• RunAs Service - Core O.S. security component
• Security Accounts Manager - Core O.S. security component
• TCP/IP NetBIOS Helper Service - Only required if directly managing Windows passwords
• Workstation - Only required if directly managing Windows passwords
• World Wide Web Publishing Service - Only required if IIS is used

If additional services are required during implementation, then Hitachi ID Systems will notify the customer. All other services should be disabled unless there is some specific reason (not related to Password Manager) to enable them.
The Password Manager server is not normally a member of a domain. This reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Password Manager server, and from there perhaps compromising other (e.g., non-AD) systems.

The Password Manager server can also take advantage of simple packet filtering services in Windows 2003, to block all inbound connections other than those to the web service, as shown in the figure below (screenshot not reproduced in this transcript).

A hardened Password Manager server can be port scanned to identify available services. Following is a typical port scan result:

    delli:/data/idan/vmware/win2ksrv# nmap -sT 192.168.100.8
    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on (192.168.100.8):
    (The 1551 ports scanned but not shown below are in state: closed)
    Port       State       Service
    80/tcp     open        http
    443/tcp    open        https
    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    delli:/data/idan/vmware/win2ksrv# nmap -sU 192.168.100.8
    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    All 1459 scanned ports on (192.168.100.8) are: filtered
    Nmap run completed -- 1 IP address (1 host up) scanned in 91 seconds
The process table on the same server looks like this (screenshot not reproduced in this transcript).

Note: VMWare entries reflect the fact that this sample was taken from a VMWare virtual PC. This server was running with just the mandatory services described earlier.

6.2 Web Server

The web server is a required component, as it enables the Hitachi ID Password Manager user interface and SOAP API. It should therefore be carefully protected.

Since Password Manager does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content should be removed. If Apache is used, all non-essential modules should be commented out of the configuration rules. If IIS is used, this means removing IISAdmin, Printers, Scripts and similar folders, as shown below (screenshot not reproduced in this transcript).
The web server’s scripting, indexing and data access subsystems should likewise be removed (screenshot not reproduced in this transcript).
As an extra precaution, remote data services are disabled by removing the following registry keys:

• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\BusObj.VbBusObjCls

ODBC drivers are also all disabled, both manually (by removing data sources) and by adding this entry to the registry:

• HKLM\Software\Microsoft\Jet\4.0\Engines, value SandBoxMode = 3

6.3 Password Manager Application

If the operating system and web server are made safe from attack, primarily by running a very minimal subset of available software, intruders will seek to attack the Hitachi ID Password Manager application itself. Network-attached applications are frequently attacked using buffer overflow attacks, and by sending them unexpected inputs.
Password Manager’s web interface is implemented as a set of self-contained executable programs, compiled from C++ source code. These programs do not use ASP, JSP or other scripting engines, so are not vulnerable to potential security bugs in those engines.

The Password Manager CGI programs are coded very defensively, and check their inputs for overflows, unexpected characters, unexpected string formatting, etc.

The Password Manager CGI programs manage session state very carefully. They do not use cookies. Instead, session state is managed by embedding a hidden session key in every web form. Whenever a user submits a web form, the key changes to a new, cryptographically random value. Only the current session key is valid, which means that users must navigate through the application, and are prevented from using the web browser “Back” button. This makes it possible for users to log off from an active session. It also prevents an intruder from using the browser “Back” button to take advantage of a still-active but unattended login session.
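The single-use hidden form key described above, as an added example that is not Hitachi ID's code: an in-memory store that issues a fresh random key on every accepted submission and rejects any spent key, which is what stops a replayed form or a "Back"-button resubmission and what makes log-off effective. The store, its API and the 128-bit key size are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// ErrStaleKey is returned when a posted form carries a key that is not the
// session's current one: a "Back"-button resubmission, a replayed form, or a
// guessed value all land here.
var ErrStaleKey = errors.New("unknown or stale session key")

// Session is the server-side state behind one hidden form key.
type Session struct {
	User string
}

// SessionStore maps each session's current hidden form key to its state.
// Keys are rotated on every accepted submission, so a spent key is never
// present in the map and cannot be reused.
type SessionStore struct {
	mu     sync.Mutex
	active map[string]*Session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{active: make(map[string]*Session)}
}

// newKey draws a 128-bit cryptographically random form key, hex encoded.
func newKey() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Login starts a session for an already-authenticated user and returns the
// first hidden key to embed in the next form.
func (st *SessionStore) Login(user string) (string, error) {
	key, err := newKey()
	if err != nil {
		return "", err
	}
	st.mu.Lock()
	defer st.mu.Unlock()
	st.active[key] = &Session{User: user}
	return key, nil
}

// Submit takes the hidden key from a posted form. If it is the current key,
// the session rotates to a fresh key (returned for the next form); otherwise
// the submission is rejected and nothing changes.
func (st *SessionStore) Submit(formKey string) (user, nextKey string, err error) {
	st.mu.Lock()
	defer st.mu.Unlock()
	s, ok := st.active[formKey]
	if !ok {
		return "", "", ErrStaleKey
	}
	nextKey, err = newKey()
	if err != nil {
		return "", "", err
	}
	delete(st.active, formKey) // the old key is spent the moment it is accepted
	st.active[nextKey] = s
	return s.User, nextKey, nil
}

// Logoff invalidates the session's current key, so a form left open in an
// unattended browser window can no longer be submitted.
func (st *SessionStore) Logoff(formKey string) bool {
	st.mu.Lock()
	defer st.mu.Unlock()
	if _, ok := st.active[formKey]; !ok {
		return false
	}
	delete(st.active, formKey)
	return true
}

func main() {
	st := NewSessionStore()
	k1, _ := st.Login("jsmith")
	_, k2, _ := st.Submit(k1)  // normal navigation: k1 is spent, k2 issued
	_, _, err := st.Submit(k1) // "Back" button resubmits the form holding k1
	fmt.Println("replayed form rejected:", err == ErrStaleKey)
	fmt.Println("logoff:", st.Logoff(k2))
	_, _, err = st.Submit(k2)
	fmt.Println("post-logoff form rejected:", err == ErrStaleKey)
}
```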
7 Communication Defenses

Hitachi ID Password Manager sends and receives sensitive data over the network. Its communications include user passwords, target credentials and personal user information. These are all valuable assets that must be defended.

Network attacks typically fall into two classes:

• Passive attacks, where an intruder listens to a communication stream and extracts useful data from it.
• Active attacks, where an intruder abuses either an available network service, or an open communication session.

Password Manager’s network services and communication protocols are designed to defend against both types of attacks using cryptography:
Communication protocol defenses (From → To: protocol, encryption algorithm)

• User workstation → Password Manager web application: HTTPS
• Windows NT/2000/2003 password filter DLL → Password Manager server: MTE
• Unix passwd replacement binary → Password Manager server: MTE
• zOS/OS390 security exit → Password Manager server: MTE
• Sun ONE Directory password filter → Password Manager server: MTE
• IBM Directory password filter → Password Manager server: MTE
• IVR server (any) → Password Manager server: MTE
• Password Manager server → Agent on Unix server: MTE
• Password Manager server → OS390 native agent: MTE
• Password Manager server → RSA ACE native agent: MTE
• Password Manager server → RSA Keon native agent: MTE
• Password Manager server → Password Manager proxy server: MTE
• Password Manager server → Another Password Manager server (for data replication): MTE
• Password Manager server → Other managed system: Native protocol. If the target system’s native protocol is insecure, then a proxy server is co-located with the managed system, and communication is carried out via a Password Manager proxy server.

In the above table, MTE means “M-Tech Encryption Protocol.” This protocol works as follows:
Step (Caller / Server):

1. Caller: Open TCP socket.
2. Server: Generate and display long random number.
3. Both: Encrypt random number using a shared secret key.
4. Caller: Send first half of encrypted result.
5. Server: Compare received crypto text to internal calculation.
6. Server: If no match: alarm and hang up.
7. Both: Use second half of encrypted result as initial session key.
8. Server: Print greeting string.
9. Caller: Send encrypted command string.
10. Server: Execute command.
11. Server: Print encrypted result string.
12. Both: Hang up.

All encryption is carried out using 128-bit AES, which is an ISO encryption algorithm. 128-bit AES is a military-grade encryption algorithm with no known vulnerabilities.

The above analysis shows that – so long as the Password Manager server is configured with an SSL certificate, and set up to require HTTPS client communication; and so long as communication with target systems whose native protocols are weak is protected using judicious use of the Password Manager proxy server – no sensitive data is ever transmitted in plaintext.
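The twelve-step MTE exchange above, with both ends played in one process, as an added example and not Hitachi ID's implementation. It assumes AES-128-CBC with a zero IV for the challenge encryption in step 3, CFB mode (the paper's "block feedback") with a per-message random IV for the command and result, a constructed shared key, and a stand-in for command execution in step 10; the step 5 comparison is done in constant time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// SharedKey is a constructed 128-bit shared secret for this example only; a
// deployment provisions it out of band on both the caller and the server.
var SharedKey = []byte("0123456789abcdef")

// encryptChallenge is step 3 on either side: encrypt the server's random
// number under the shared key. Assumption: AES-128-CBC with a zero IV, so both
// sides obtain the same 32 bytes (the challenge itself is random, so the fixed
// IV leaks nothing). challenge must be a whole number of AES blocks.
func encryptChallenge(key, challenge []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(challenge))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, challenge)
	return out, nil
}

// seal and open carry steps 9 and 11 under the session key. Assumption: the
// paper's "block feedback" is CFB mode, with a fresh random IV prefixed to
// every message so identical commands never produce identical ciphertext.
func seal(sessionKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func open(sessionKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize {
		return nil, errors.New("message shorter than its IV")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, msg[:aes.BlockSize]).XORKeyStream(out, msg[aes.BlockSize:])
	return out, nil
}

// RunExchange plays both ends of the twelve-step handshake in one process.
// callerKey and serverKey are separate so the step 6 mismatch path can be
// exercised. It returns the plaintext result the caller recovers in step 11.
func RunExchange(callerKey, serverKey []byte, command string) (string, error) {
	// Steps 1-2: socket open (elided); server draws two random AES blocks and sends them in the clear.
	challenge := make([]byte, 2*aes.BlockSize)
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	// Step 3: each side encrypts the challenge with its copy of the shared key.
	callerEnc, err := encryptChallenge(callerKey, challenge)
	if err != nil {
		return "", err
	}
	serverEnc, err := encryptChallenge(serverKey, challenge)
	if err != nil {
		return "", err
	}
	// Steps 4-6: caller sends the first half; server compares it (in constant
	// time) with its own result and on mismatch alarms and hangs up.
	if subtle.ConstantTimeCompare(callerEnc[:aes.BlockSize], serverEnc[:aes.BlockSize]) != 1 {
		return "", errors.New("ALARM: caller failed the challenge, hanging up")
	}
	// Step 7: the second half, which never crossed the wire, is the session key.
	callerSK, serverSK := callerEnc[aes.BlockSize:], serverEnc[aes.BlockSize:]
	// Step 8: greeting (in clear, no secrets). Step 9: caller sends the command
	// under the session key; step 10: server decrypts and executes it.
	wire, err := seal(callerSK, []byte(command))
	if err != nil {
		return "", err
	}
	cmd, err := open(serverSK, wire)
	if err != nil {
		return "", err
	}
	// Step 11: encrypted result back to the caller (execution stand-in:
	// acknowledge the command text). Step 12: both sides hang up.
	wire, err = seal(serverSK, []byte("OK: "+string(cmd)))
	if err != nil {
		return "", err
	}
	result, err := open(callerSK, wire)
	return string(result), err
}
```

Note that, as written up in the paper, the exchange authenticates the caller to the server by proof of the shared key; the example mirrors that and adds nothing the steps do not describe.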
8 Data protection

The Hitachi ID Password Manager server houses some sensitive data, and this data must be protected against anyone who has physical access to the server, or has a legitimate right to log into it. All sensitive data on the Password Manager server is encrypted, as follows (Data: encryption algorithm, key length, salt):

• User profiles: answers to personal questions: 128-bit AES, key 128 bits, salt n/a
• User profiles: password history: SHA-1, key n/a, salt 64 bits
• Target credentials: 128-bit AES, key 128 bits, salt n/a
• Help desk user passwords: 128-bit AES, key 128 bits, salt n/a

Of the above, the only mandatory data is target credentials for target systems. Everything else may be accessed on other systems, on demand.

As a result of this encryption, someone with access to the filesystem of the Password Manager server would not be able to readily decipher sensitive data on that server. They would first have to figure out where the data is stored, then how it is encoded, then how it is encrypted, and then they would have to find a suitable key (itself encrypted, in the Password Manager server’s registry). This provides as much protection as possible to sensitive data on the server, without compromising its functionality.
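The password-history row of the table above (SHA-1 with a 64-bit salt) as an added example, not Hitachi ID's code: each remembered password gets its own random salt, so a candidate password must be rehashed against every entry's salt when checking for reuse, and the list is aged to a fixed depth. The entry layout, the salt||password hash input and the history depth are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
)

// HistoryEntry is one remembered password: a per-entry 64-bit salt and the
// SHA-1 of salt||password. The password itself is never stored.
type HistoryEntry struct {
	Salt [8]byte
	Hash [sha1.Size]byte
}

// hashWithSalt computes SHA-1(salt || password). Assumption: this is the
// order of the hash input; the paper states only the algorithm and salt size.
func hashWithSalt(salt [8]byte, password string) [sha1.Size]byte {
	h := sha1.New()
	h.Write(salt[:])
	h.Write([]byte(password))
	var out [sha1.Size]byte
	copy(out[:], h.Sum(nil))
	return out
}

// InHistory reports whether password matches any remembered entry. Because
// every entry carries its own salt, the candidate is rehashed per entry; a
// single precomputed hash cannot be compared against the whole list.
func InHistory(history []HistoryEntry, password string) bool {
	found := 0
	for _, e := range history {
		h := hashWithSalt(e.Salt, password)
		found |= subtle.ConstantTimeCompare(h[:], e.Hash[:])
	}
	return found == 1
}

// Remember appends the new password under a fresh random salt and trims the
// list to the most recent max entries (oldest first, newest last).
func Remember(history []HistoryEntry, password string, max int) ([]HistoryEntry, error) {
	var e HistoryEntry
	if _, err := rand.Read(e.Salt[:]); err != nil {
		return history, err
	}
	e.Hash = hashWithSalt(e.Salt, password)
	history = append(history, e)
	if len(history) > max {
		history = history[len(history)-max:]
	}
	return history, nil
}

// CheckNewPassword is the policy hook: reject a candidate found in the user's
// history (accepted=false, history unchanged), otherwise record it.
func CheckNewPassword(history []HistoryEntry, candidate string, max int) (updated []HistoryEntry, accepted bool, err error) {
	if InHistory(history, candidate) {
		return history, false, nil
	}
	updated, err = Remember(history, candidate, max)
	return updated, err == nil, err
}

func main() {
	hist, ok, _ := CheckNewPassword(nil, "Winter2014!", 3) // constructed sample password
	fmt.Println("first change accepted:", ok)
	_, ok, _ = CheckNewPassword(hist, "Winter2014!", 3)
	fmt.Println("immediate reuse accepted:", ok)
}
```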
9 The Secure Kiosk Account

A Secure Kiosk Account (SKA) enables users to access a self-service password reset application from a workstation login screen without deploying desktop software. The SKA merits its own analysis because it is a password-less guest account on the network operating system (NOS). This analysis illustrates what vulnerabilities the SKA account does, and does not, introduce to overall network security.

The SKA is the most deployable and secure technology available to address the problem of providing self-service password reset to users who forget their initial workstation / network login password. Other options are:

• Do nothing: User continues to call the help desk, authenticates on the telephone, and receives a new password on the telephone.
• IVR self-service: Similar to doing nothing, but the help desk analyst is replaced by a machine. This option may suffer from poor adoption rates.
• Visit a neighbor: A web browser is available at another workstation, and the user may be visually authenticated. Only works for crowded work environments, however.
• Install desktop software: Client software on every desktop. Extremely risky, since a faulty client can expose vulnerabilities on many workstations, or even render them inoperable.
• Secure Kiosk Account: The solution described here, and the one most often used in Hitachi ID Password Manager deployments: A domain / NOS login account called “help,” with no password, is created. A security policy is applied to this account which locks it down, and replaces the default Windows shell with a special network-launched executable that opens the workstation’s default web browser, in kiosk mode, to the self-service password reset web application. The net effect is that users who forget their initial passwords can type “help” to get automated service.

There is a unique process for implementing the SKA security policy on each NOS. The various policies implement the same rules, however:

1. Lock the help user out of all local workstation privileges, by disabling every possible aspect of the desktop, including preventing the user from starting command prompt windows, etc.
2. Prevent the help user from accessing any network resources.
    • Hitachi ID Password Manager Security Analysis 3. For Windows 9x workstations, launch a kiosk-mode web browser immediately after starting the Win- dows shell. 4. For Windows NT/2000/XP workstations, launch a kiosk-mode web browser as a replacement shell (instead of the executable that displays the Windows desktop and start menu). In all cases, the kiosk-mode web browser is launched by a program called runurl.exe. This program is loaded from a public network share (typically on the Password Manager server or copied to each DC’s NETLOGON share.) The program locks down the workstation by intercepting certain input event types (key- board, mouse, etc.), finds the default web browser for the workstation in question, and starts it in kiosk mode to the appropriate URL. 9.1 Protected Assets The SKA is a network login ID intended to give users unauthenticated access to a limited set of functionality on their own workstations. Accordingly, the two IT assets that are impacted by the SKA are: 1. User workstations where the SKA is available. 2. Network servers that honor the SKA user’s “authentication.” 9.2 Existing Risks The following risks pre-exist the SKA account, are not repaired by the SKA account, but are worth pointing out for clarity. 9.2.1 Workstation Security Windows workstations are not secure. Windows NT, 2000 and XP workstations do have a security in- frastructure, including password authentication and a filesystem with permissions (NTFS). However, any intruder can restart the workstation with a DOS boot disk, run NTFSDOS, and gain unlimited access to the the filesystem, bypassing authentication and access controls. The above points are intended to highlight the fact that workstations running any version of Windows, without significant enhancements (primarily a cryptographic filesystem unlocked by the login password) are not secure. It follows that the SKA cannot reduce workstation security (from zero). 
The SKA does implement extensive workstation security features, to prevent a user from abusing the help login to run programs on the workstation, alter its configuration, and so on. These security measures are primarily intended to give the impression of security, since the workstation was insecure before deploying the SKA, and continues to be insecure after the SKA was deployed.
9.2.2 Network Infrastructure

The SKA account is only accessible to users who already have a working network connection. Without that, they could not log in to the domain as any user, even help. Accordingly, a potential intruder who might try to abuse the help account is by definition already in a physical location where he has a working network connection. That means that this intruder can already run packet sniffers, port scanners, and so on. Clearly, the SKA cannot and does not prevent these kinds of attacks.

9.2.3 Network Servers

The SKA implements a password-less authentication to a Windows NT domain, a Windows 2000/2003 AD domain or an NDS tree. Any system that does not use the authentication infrastructure of the domain where the help account is defined cannot be affected by the SKA. That means that Unix servers, ERP applications, mainframes, minicomputers, and others are not impacted by the SKA at all.

Firewalls, corporate directories, web servers, network shares and applications may be impacted if (and only if):

1. They do require user authentication. If they do not authenticate users at all, then the help account is not needed to access them.

2. They authenticate users against the NOS directory where the SKA was defined. If they authenticate users on a different directory or user database, then help will not have a valid login.

3. They allow sign-on by users with no particular privileges or group membership, so that every user defined in the NOS directory where help was defined has access to the application or service in question. If the NOS is Windows 2000/2003, then the help security policy can be configured to prevent even this attack (in particular, help cannot mount Windows 2000/2003 server shares).

9.3 Net New Vulnerability

The net result of the above is that the help account opens a new, anonymous access point to public network resources (which were already open to everyone, but without anonymity).
Users who used to access public resources with their own IDs will now be able to access those same public systems as "help."
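The three conditions of section 9.2.3 and the attribution loss of section 9.3 can be turned into a simple exposure check that a deploying organization can run against its own service inventory. The following is an added example, not code from the Hitachi ID paper or the Password Manager product; the service names, the directory name CORP-NT-DOMAIN, the group name Payroll and the logon records are all constructed for the example. It classifies each service as impacted or not, in the order the paper gives the conditions, and then lists successful help logons to impacted services, which are exactly the accesses that used to carry a real user ID and no longer do.

```python
"""Exposure check for the password-less "help" (SKA) login.

Added example, not code from the Hitachi ID paper. It applies the three
conditions of section 9.2.3 to a constructed service inventory and then
flags logons that lost user attribution (section 9.3). Service names,
directory names and group names are assumptions made up for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """One network resource from the (constructed) inventory."""
    name: str
    requires_auth: bool                        # condition 1: does it authenticate users at all?
    auth_directory: Optional[str] = None       # condition 2: directory it authenticates against
    required_groups: frozenset = frozenset()   # condition 3: empty means any directory user may sign on
    windows_2000_share: bool = False           # Windows 2000/2003 server share (help policy can block mounting)


@dataclass(frozen=True)
class SkaAccount:
    """The help login. Defaults are assumptions for this example."""
    login: str = "help"
    directory: str = "CORP-NT-DOMAIN"          # NOS directory where help is defined (assumed name)
    groups: frozenset = frozenset()            # help deliberately has no privileged group membership
    share_mount_blocked: bool = True           # Windows 2000/2003 policy of section 9.2.3 in force


def assess(service: Service, ska: SkaAccount) -> Tuple[bool, str]:
    """Return (impacted, reason), applying the 9.2.3 conditions in order."""
    if not service.requires_auth:
        return False, "no authentication required: help is not needed to reach it"
    if service.auth_directory != ska.directory:
        return False, f"authenticates against {service.auth_directory!r}: help has no valid login there"
    if service.required_groups and not (service.required_groups & ska.groups):
        return False, "requires group membership that help does not have"
    if service.windows_2000_share and ska.share_mount_blocked:
        return False, "Windows 2000/2003 share: help policy prevents mounting it"
    return True, "any directory user may sign on: access as 'help' is anonymous"


def exposed_services(inventory: List[Service], ska: SkaAccount) -> List[str]:
    """Names of services the help account can reach, sorted for stable output."""
    return sorted(s.name for s in inventory if assess(s, ska)[0])


def unattributed_logons(logons, inventory, ska) -> List[Tuple[str, str]]:
    """Logons by the help account to an exposed service.

    These are the accesses that used to carry a real user ID and now do not
    (section 9.3); a defender would alert on them or block them at the service.
    """
    exposed = set(exposed_services(inventory, ska))
    return [(user, target) for user, target in logons
            if user == ska.login and target in exposed]


# Constructed inventory: names and attributes are invented for this example.
CONSTRUCTED_INVENTORY = [
    Service("intranet-web", requires_auth=False),
    Service("erp", requires_auth=True, auth_directory="ORACLE-APPS"),
    Service("payroll-app", requires_auth=True, auth_directory="CORP-NT-DOMAIN",
            required_groups=frozenset({"Payroll"})),
    Service("fileserver-share", requires_auth=True, auth_directory="CORP-NT-DOMAIN",
            windows_2000_share=True),
    Service("proxy", requires_auth=True, auth_directory="CORP-NT-DOMAIN"),
    Service("corp-directory", requires_auth=True, auth_directory="CORP-NT-DOMAIN"),
]

# Constructed successful-logon records as (account, target). The kiosk web
# target is the intended use of help and is deliberately not in the inventory.
CONSTRUCTED_LOGONS = [
    ("alice", "proxy"),
    ("help", "proxy"),
    ("help", "password-manager-web"),
    ("bob", "corp-directory"),
    ("help", "corp-directory"),
]

if __name__ == "__main__":
    ska = SkaAccount()
    for svc in CONSTRUCTED_INVENTORY:
        impacted, why = assess(svc, ska)
        print(f"{svc.name:18} {'IMPACTED' if impacted else 'not impacted':13} {why}")
    print("unattributed logons:",
          unattributed_logons(CONSTRUCTED_LOGONS, CONSTRUCTED_INVENTORY, ska))
```

Running it with the default SkaAccount reports proxy and corp-directory as impacted; switching share_mount_blocked to False adds fileserver-share, which shows the value of the Windows 2000/2003 policy the paper mentions. The unattributed-logon list is what a detection rule on help logons should be built around: a help logon to the Password Manager kiosk target is expected, a help logon to anything else on the impacted list is a use of the anonymous access point.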
10 Conclusions

This document illustrates that best-practice measures are implemented in the Hitachi ID Password Manager software, to protect it against direct attack, to protect its communications, and to protect its data.

This document also highlights the fact that Password Manager is a sensitive server, and should be managed carefully. In particular, it should be installed on a locked-down server, and managed with close attention to security.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740
Fax: 1.403.233.0725
E-Mail: sales@Hitachi-ID.com

File: /pub/wp/psynch/documents/security_analysis/psynch_security_analysis_5.tex
Date: November 20, 2006