Securing Shared Workstations with Novell SecureLogin
Kiosks are deployed in many industries, such as health care and manufacturing, to provide users with quick access to applications. But challenges often arise in these deployments when users don't close applications or simply leave the kiosk without logging off, exposing sensitive data to unauthorized users.

This session demonstrates how to secure these shared workstations using Desktop Automation Services (DAS) in Novell SecureLogin. The presenters show how to build policy-based shared workstation protection at the workstation level, at the network level (using Novell Modular Authentication Service (NMAS), which requires eDirectory™) and across Citrix sessions. They also show how to configure the policies to lock workstations when an authentication device is removed or when the user's session has timed out.

Finally, you will see a real-world example of Desktop Automation Services working at Maine Medical Center.

Presentation Transcript

  • Securing Shared Workstations with Novell SecureLogin®
    Kevin Prior, Technology Specialist, kprior@novell.com
    Rajasekar Pandiyan, Software Consultant, prajasekar@novell.com
  • Session Content
    This session will explain and demonstrate:
    – Shared workstations and kiosks
    – What Desktop Automation Services (DAS) is in the context of kiosks
    – Usage of Desktop Automation Services (DAS)
    – How to build policy-based shared workstation protection at the workstation and network levels
    – How to configure policies to lock workstations when an authentication device is removed or when a user's session has timed out
    – Finally, a real-world example of DAS from EOS Systems, which has worked with customer implementations
    © Novell, Inc. All rights reserved.
  • Kiosks or Shared Workstations
    Description
    – A workstation shared by several people throughout the day to provide quick access to applications. Often several users in an hour.
    – Examples: health care, education, manufacturing, financial institutions, government environments
    Challenges
    – When users don't close the application or simply leave the workstation without logging off, they expose sensitive data to unauthorized users.
  • What Is the Novell® Single Sign-on Solution for Shared Workstations?
    – Novell has combined Novell SecureLogin with DAS (Desktop Automation Services) to provide fast login, fast user switching and single sign-on
    – Simplified core components to support different workstation form factors
    – A solution that solves some of the key foundational pain currently felt in health care, retail and manufacturing
    – Simple message: one ID, one password, one login, fast
  • DAS (Desktop Automation Services)
    What is Novell® Desktop Automation Services?
    – An add-on to Novell SecureLogin
    – Handles the unique use cases associated with shared workstations or kiosks
    – Executes selective and configurable lists of user operations from virtually any scripting or programming medium on the Windows operating system
    – Most commonly deployed to provide fast user switching on clinical workstations
    – Runs locally on the workstation to handle these use cases
    – Identity-based services can be tied to the workstation, the user (attributes), or the location (via IP subnet)
  • DAS Overview: Different versions and support details
    – Formerly known as the Application Runner Shell or system (ARS)
    – Originally written by Novell® Consulting / Custom Development
    – Customers currently running the older ARS (DAS) version 1.0.4.13 or earlier will still be supported by NCCD but are entitled to the upgrade to DAS 2.0
    – DAS is available at no cost to all currently licensed customers of Novell SecureLogin (NSL) version 6.0 or higher
    – NSL version 3.51 or lower is not supported; customers must upgrade to NSL 6.0 or higher before DAS 2.0 can be installed
    – NSL 7.0 bundles the latest version (DAS 2.1)
    – NSL 7.0 SP1 supports DAS on Windows 7
  • DAS Overview: What DAS does
    – A DAS process running on the workstation monitors for different triggers on that workstation
    – DAS executes the actions configured for a trigger, scripted in an XML file
    – Actions and triggers are controlled by the Actions.xml file, which can be configured on the workstation or in the directory (specified in eDirectory™ on a container or a user object)
  • DAS Functionality (diagram)
    Triggers monitored by DAS: login/logout (NSL, Novell Client), smart card and proximity card (card monitor), hot key, inactivity timer, screen saver, Windows events
    Configuration file: actions.xml (local or from the network)
    DAS executes the configured actions: kill-app, map-drive, nds-logout, ldap-logout, ...
  • DAS Configuration Stored in Directory (diagram)
    Novell® environment: SecureLogin (slproto.exe) and the Novell Client (NWClient32.exe) on the workstation; DAS reads actions.xml from an optional local file, from the registry, or from an ARSConfig object in eDirectory; ARSControl and ARSUser objects in eDirectory hold the control and per-user settings
    Microsoft environment: LDAP GINA (NLDAPlgn.exe) on the workstation; DAS reads actions.xml from a local file, from the registry, or from an ARSConfig object in eDirectory over LDAP; users are synchronized from Active Directory into eDirectory (ARSUser) through an IDM driver
  • DAS Actions and Triggers
    DAS Triggers
    – on-nds-login
    – on-ldap-login
    – on-hot-key
    – on-screen-saver
    – on-cardmon
    DAS Actions
    – test-logged-in
    – test-ldap-logged-in
    – test-nds-attr-val
    – test-ip-subnet
    – test-env-variable
    – if-true
    – if-false
    – run-application
    – test-app-running
    – kill-app
    – kill-all-apps
    – map-drive
    – map-home-drive
    – execute-user-action
    – message-box
    – nds-logout
    – ldap-logout
  • Sample actions.xml
    <?xml version="1.0"?>
    <application-runner-script>
      <action name="hidedesk">
        <nds-logout />
        <hide-desktop />
      </action>
      <action name="showdesk">
        <unhide-desktop />
      </action>
      <action-triggers>
        <on-hot-key virtual-key="s" modifiers="ctrl" action-name="showdesk"/>
        <on-hot-key virtual-key="h" modifiers="ctrl" action-name="hidedesk"/>
      </action-triggers>
    </application-runner-script>
  • DAS 2.0 Key Features
    – Ability to quickly log users in and out (fast user switching) using either the Novell Client™ or the LDAP client in NSL
    – The Novell Client is no longer necessary with DAS 2.0, as it was with previous versions
    – Convenience tools for the user such as hot keys, drive mappings, and auto-launching or shutting down applications
    – Support for Windows 2000 Pro, XP, and Vista
    – DAS can be used as a substitute for login scripts on multi-user workstations
    – Card monitoring service to detect smart card pulls and run a series of user-defined logout actions
    – Installation by Microsoft Installer (MSI)
  • New in DAS 2.1
    Actions:
    – hide-desktop
    – unhide-desktop
    – Screen-Saver-On (invoked when the screen saver is activated)
    Action triggers:
    – on-inactivity-timer
    – on-screen-saver
    – on-pcprox-removal
    Command line switches:
    – ars.exe /refresh (refresh actions.xml at run time)
    – ars.exe /shutdown (terminate DAS)
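The sample actions.xml above and the DAS 2.1 absence triggers (inactivity timer, screen saver, card removal) together define the property this deck is about: when the user walks away, the configured action has to log the user out of the directory and close the previous user's applications, or the kiosk still exposes the last session. The following lint is an added example, not Novell's code or part of DAS. It parses the action/trigger structure exactly as the sample slide shows it, using only element names taken from the slides; the `minutes` attribute on `on-inactivity-timer` and the embedded sample file are assumptions constructed for the example.

```python
"""Lint a DAS actions.xml for walk-away lockout coverage (added example)."""
import xml.etree.ElementTree as ET

# Trigger element names taken from the slides. on-inactivity-timer,
# on-screen-saver and on-pcprox-removal are the DAS 2.1 triggers; on-cardmon
# is the DAS 2.0 card monitor trigger. Any of them means the user has left
# (or must be treated as gone).
ABSENCE_TRIGGERS = {"on-inactivity-timer", "on-screen-saver",
                    "on-pcprox-removal", "on-cardmon"}
# Action element names from the slides that end the directory session and
# close the previous user's applications.
LOGOUT_ACTIONS = {"nds-logout", "ldap-logout"}
CLEANUP_ACTIONS = {"kill-all-apps"}

# Constructed sample (assumption, not from the deck): the slide's hot-key
# script extended with three absence triggers. The "minutes" attribute is an
# assumed name; the slide only gives the element name on-inactivity-timer.
SAMPLE_ACTIONS_XML = """<?xml version="1.0"?>
<application-runner-script>
  <action name="hidedesk">
    <nds-logout />
    <hide-desktop />
  </action>
  <action name="showdesk">
    <unhide-desktop />
  </action>
  <action name="cleanup">
    <kill-all-apps />
    <nds-logout />
    <hide-desktop />
  </action>
  <action-triggers>
    <on-hot-key virtual-key="s" modifiers="ctrl" action-name="showdesk"/>
    <on-hot-key virtual-key="h" modifiers="ctrl" action-name="hidedesk"/>
    <on-inactivity-timer minutes="5" action-name="hidedesk"/>
    <on-pcprox-removal action-name="cleanup"/>
    <on-screen-saver action-name="missing"/>
  </action-triggers>
</application-runner-script>
"""


def parse_script(xml_text):
    """Return ({action name: [step element names]}, [(trigger name, attrs)])."""
    root = ET.fromstring(xml_text)
    actions = {a.get("name"): [step.tag for step in a]
               for a in root.findall("action")}
    trigger_parent = root.find("action-triggers")
    triggers = [] if trigger_parent is None else \
        [(t.tag, dict(t.attrib)) for t in trigger_parent]
    return actions, triggers


def lint(xml_text):
    """Return findings in document order; an empty list means every absence
    trigger both logs the user out and closes their applications."""
    actions, triggers = parse_script(xml_text)
    findings = []
    for tag, attrs in triggers:
        name = attrs.get("action-name")
        if name not in actions:
            # A trigger bound to a nonexistent action silently does nothing.
            findings.append(f"{tag}: references undefined action '{name}'")
            continue
        if tag not in ABSENCE_TRIGGERS:
            continue  # hot keys and login triggers are convenience, not lockout
        steps = set(actions[name])
        if not steps & LOGOUT_ACTIONS:
            findings.append(
                f"{tag}: action '{name}' never logs the user out of the directory")
        if not steps & CLEANUP_ACTIONS:
            findings.append(
                f"{tag}: action '{name}' leaves the previous user's applications open")
    if not any(tag in ABSENCE_TRIGGERS for tag, _ in triggers):
        findings.append("no inactivity, screen-saver or card-removal trigger "
                        "configured; the workstation never locks on its own")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ACTIONS_XML) or ["no findings"]:
        print(finding)
```

Run it against the file DAS actually reads (the local actions.xml, or the copy you are about to publish to the ARSConfig object) before it reaches the kiosks. In the constructed sample the inactivity timer reuses the Ctrl+H `hidedesk` action, which logs out but never kills the previous user's applications, and the screen-saver trigger points at an action that does not exist; both are exactly the gap the challenges slide describes.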
  • Fast User Switching
    In order to provide fast user switching, one needs:
    – The ability to quickly log off the previous user: screensavers, a logout button, session timeouts, proximity and smart card pull, proximity sonar devices
    – To quickly shut down the applications that were open and reset the workstation for the next user in seconds
    – To disconnect shared or home drive mappings
    – To prompt the next user to authenticate
    – To lock down the workstation in its idle state to prevent unauthorized use
    – Best utilized with shared or kiosk workstations
  • Sample Use Cases in Different Industries
    – Healthcare: shared workstations/kiosks at nurse stations, exam rooms, patient kiosks, mobile health care workers, remote clinics, physician offices
    – Manufacturing: factory floor shared workstations, shop floor control, stockrooms, information kiosks, remote/mobile workers, call centers
    – Retail: point-of-sale, stockrooms, kiosks
    – High tech: offshore development, call centers
    – Financial services: customer service, call centers, information kiosks, remote and offshore resources
    – Education: student labs, remote learning centers
  • DAS Use Case Example #1
    – Workstation is configured to boot up and automatically log in to the Windows desktop and the AD domain
    – The Novell® Client is presented for users to authenticate to eDirectory™ and get their NetWare® drive mappings
    – 3-5 users may use the workstation in a single hour (multiple Windows profiles to manage)
    – Common in education, financial services, government
    Issue: How do you ensure the previous user is logged out of all active applications and the workstation is ready for the next user without having to completely restart the Windows OS? Need fast user switching.
  • DAS Use Case Example #2
    – Workstation is configured to boot up and automatically log in to the Windows desktop, the AD domain and NetWare® (generic ID)
    – Network drives are mapped at boot-up and remain the same for all users
    – Users are required to log in to each individual application (application-level security)
    – 3-10 users may use the workstation in a single hour
    – Common in healthcare and manufacturing
    Issue: How do you ensure each user is required to authenticate once while getting SSO to their applications, and still provide fast login/logout?
  • HIT Security Questions (19th Annual HIMSS CIO Survey, 2008)
    Which of the following security technologies are presently in place at your organization?
    – Firewalls 98.00%
    – User Access Controls (based on role/location) 82.70%
    – Audit Logs of Each Access to Patient Health Records 80.50%
    – Off-site Storage 76.90%
    – Disaster Recovery 74.60%
    – Electronic Signature 73.30%
    – Intrusion Prevention / Detection Service 69.70%
    – Multi-Level Passcodes 65.10%
    – Data Encryption 62.50%
    – Email Encryption 61.60%
    – Single Sign-On 35.50%
    – Public Key Infrastructure (PKI) 27.40%
    – Biometric Technologies (i.e. retinal scan, fingerprint technology) 21.80%
    – None 1.00%
    – Don't Know 1.00%
    – Other (please specify) 0.00%
    Which technologies does your facility plan to use or implement in the next two years?
    – Single Sign-On 49.20%
    – Biometric Technologies (i.e. retinal scan, fingerprint technology) 42.30%
    – Email Encryption 34.20%
    – Disaster Recovery 30.90%
    – Data Encryption 27.00%
    – Electronic Signature 25.40%
    – Intrusion Prevention / Detection Service 25.10%
    – Public Key Infrastructure (PKI) 22.50%
    – Off-site Storage 20.80%
    – Audit Logs of Each Access to Patient Health Records 19.90%
    – User Access Controls (based on role/location) 17.90%
    – Multi-Level Passcodes 16.00%
    – Firewalls 11.10%
    – None 0.30%
    – Don't Know 1.60%
    – Other (please specify) 0.00%
  • Solution Differentiators
    – Shared credentials: web SSO, enterprise SSO, provisioning
    – Identity Management provisioning integration: automatic provisioning of SSO credentials
    – Leverages the existing directory infrastructure instead of requiring an additional identity store (no additional hardware): minimizes administrative overhead, simplifies user management, significantly improves fault tolerance, high availability and scalability
    – Support for open standards (e.g. LDAP, SAML, CCOW) and interoperability across the enterprise
  • Solution Differentiators
    – More multi-factor device support than any other vendor
    – Minimal workstation impact: does not modify the GINA, small client footprint, fully compatible with Microsoft and Novell® workstation environments, fast login/logout, flexibility in application launching, fully integrated with ZENworks® for desktop management
    – Centrally managed, no need for dual administration: new users have instant access to the solution's capabilities
  • Thom Kirby, Eos Systems
  • Who We Are
    – Eos Systems is a comprehensive IT solutions provider with an increasing national presence; we serve clients in 38 states
    – Eos Systems provides consulting and solutions for clients in information-intensive fields, including banking, law, education, manufacturing, healthcare and government
  • Who We Are: Solutions and Technologies
    – Identity and Security: identity management, access management, security management, compliance management
    – Endpoint: virtualization, resource management, green IT, disaster recovery and high availability
    – Outsourced IT: consulting, support services, product procurement, managed services
    – Collaboration: e-mail, teaming, web, mobile
  • Who We Are
    – Major vendor certifications include: Microsoft, Citrix, Novell, Sophos, HP, IBM, Dell, Cisco, VMware, Symantec, Gwava, Netvision, McAfee, Lenovo and 3Com
    – Eos Systems was established in 1997 and is headquartered in Boston, Massachusetts
    – Office locations: New York City, Boston, Salt Lake City
    Aligning Technology with Business Process
  • Customer Use Case for Health Care
    Environment:
    – Kiosk-type machines stationed in a health care environment
    – 3-5 different users must be able to quickly log in and out within an hour using a PCProx/smart card
    – User access to applications/data must be controlled and enforced
    Issues:
    – Enforcing and controlling user access to the data is paramount, as it can involve protected/confidential customer records
    – The login/logout process needs to take under 5-10 seconds, including closing the previous user's active applications
    – Unique user authentication to eDirectory™ and ZENworks® Configuration Management is needed so that drive mappings, applications and policies are delivered for that user
  • Customer Use Case for Health Care
    Solution:
    – Desktop Automation Services (DAS) for fast user switching
    – Workstation is configured to boot up and use AutoAdminLogon to log in to the Windows desktop and AD domain automatically
    – A DAS integration script handles Novell® Client and ZCM logout/login to run the associated drive mappings, applications, policies and printers for each specific user
    – Configurable inactivity timers for automated screen saver lock and user logout from the system, to ensure data/application security
    – Novell Single Sign-on integration for all user-associated applications
    – NMAS integration for PCProx security cards with eDirectory, allowing fast secure logins without the need to type usernames and passwords
  • Question and Answer
  • For More Information
    Try SecureLogin for yourself: visit table A5 in IT Central and we'll install SecureLogin on your machine (for free).
    Attend the following complementary sessions:
    – BOF106: SecureLogin in the Real World Panel Discussion
    – IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
    – IAM207: SecureLogin and Your Active Directory Setup
    – IAM302: Using Hard Disk Encryption and SecureLogin
    – IAM303: Enhancing SecureLogin with Multi-factor Authentication
    – IAM304: Securing Shared Workstation with SecureLogin
    Walk through the SecureLogin demo in the Installation and Migration Depot.
    Visit www.novell.com/securelogin
  • Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.