Hitachi ID Password Manager Security Analysis
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Organizations that either are considering deployment of Password Manager or have already deployed it
need to understand its security implications.
Password Manager impacts authentication processes and standards. This document describes this impact,
and how to ensure that it is a positive change.
Password Manager is also a sensitive part of an organization’s IT infrastructure, and consequently must
be defended by strong security measures. The technology used by Password Manager to protect against
intrusions, as well as best practices to deploy that technology, are described here.
Contents

1 Introduction
2 What is Hitachi ID Password Manager?
3 Protected Assets
4 Defining security violations
5 Impact on User Authentication
  5.1 Password Problem Help Desk Calls
  5.2 Password Policy Enforcement
  5.3 Password Synchronization
  5.4 Profile Enrollment Impacts Security
6 Server Defenses
  6.1 Operating System
  6.2 Web Server
  6.3 Hitachi ID Password Manager Application
7 Communication Defenses
8 Data protection
9 The Secure Kiosk Account
  9.1 Protected Assets
  9.2 Existing Risks
    9.2.1 Workstation Security
    9.2.2 Network Infrastructure
    9.2.3 Network Servers
  9.3 Net New Vulnerability
10 Conclusions
1 Introduction
The remainder of this paper is organized into the following sections:
• What is Password Manager?
A brief description of Password Manager, to give context to the subsequent sections.
• Protected assets
A list of what information security, as implemented in Password Manager, should protect.
• Defining security violations
Some specific security attacks that Password Manager defenses must repel.
• Impact on authentication processes
How the features and processes created by Password Manager affect authentication to IT infrastruc-
ture generally in an organization.
• Server defenses
How the Password Manager server can and should be protected.
• Communication defenses
How data transmitted to and from each Password Manager server is protected.
• Data protection
How data stored on each Password Manager server is protected.
• The secure kiosk account
How the optional secure kiosk account impacts the security of the network operating system where it
is installed.
2 What is Password Manager?
Hitachi ID Password Manager is an integrated solution for managing user credentials, across multiple sys-
tems and applications. Organizations depend on Password Manager to simplify the management of those
credentials for users, to reduce IT support cost and to improve the security of login processes.
Password Manager includes password synchronization, self-service password reset, enterprise single sign-
on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency
recovery of full disk encryption keys.
Password Manager reduces the cost of password management using:
• Password synchronization, which reduces the incidence of password problems for users
• Self-service password reset, which empowers users to resolve their own problems rather than calling
the help desk
• Streamlined help desk password reset, to expedite resolution of password problem calls
Password Manager strengthens security by providing:
• A powerful password policy engine.
• Effective user authentication, especially prior to password resets.
• Password synchronization, to help eliminate written-down passwords.
• Delegated password reset privileges for help desk staff.
• Accountability for all password changes.
• Encryption of all transmitted passwords.
To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.
3 Protected Assets
IT security means protecting the availability of systems, the confidentiality of data, and the integrity of both
processes and data.
Hitachi ID Password Manager is designed to improve network security. It includes measures to protect:
• The Password Manager server itself.
• Sensitive data housed on the Password Manager server, including:
– Target credentials to target systems, which the Password Manager server uses to attach to
target systems and reset user passwords.
– Support staff passwords, which may be used by Password Manager to authenticate help desk
analysts.
– Personal user data, which may be managed by Password Manager and used to authenticate
users who access a self-service password reset.
• Data transmitted by users to Password Manager, including answers to personal questions and pass-
words.
• Data transmitted from Password Manager to managed systems, including target credentials and user
passwords.
• Authorized access to managed systems.
The Password Manager software is designed to safeguard all of these assets.
Customers should take care, and follow best practices, to ensure that their deployments of Password
Manager will likewise protect these assets.
4 Defining security violations
As mentioned in the previous section, Hitachi ID Password Manager is designed to protect a range of
security assets.
Password Manager is also designed to defeat specific attacks, targeted against:
• User accounts / profiles:
Access to Password Manager functions is protected using strong user authentication, intruder lockouts
and security violation alarms.
• The Password Manager web application:
The Password Manager web user portal is implemented using the standard common gateway interface
(CGI) mechanism, available on all web servers. The CGI programs alone accept user input and render
web pages. Since they are the exposed surface, they are what an attacker will target, and so they
must incorporate strong protections.
All Password Manager CGI programs use a standard string library to validate all inputs and protect
against buffer overflow, SQL injection, cross site scripting and similar attacks. This is done by checking
maximum input lengths, filtering out special characters and HTML codes, checking for valid formatting
and value ranges, etc.
• The Password Manager web server:
Password Manager is compatible with a wide variety of web servers (Apache, SunONE, IIS). It uses
only the RFC-compliant CGI mechanism in its host web server, and consequently does not require
scripting engines, index services, dynamic HTML preprocessing or other web server modules which
may contain known or latent security vulnerabilities.
• The Password Manager host operating system:
Password Manager relies on a very minimal set of operating system features, and administrators
are encouraged to lock down the Password Manager server’s host operating system by removing all
non-essential services and components.
• Sensitive data managed by Password Manager:
All sensitive data managed by Password Manager is encrypted.
• Communication between users and Password Manager:
All communication with users is encrypted, using HTTPS and a trusted third-party (Verisign, Thawte,
etc.) SSL certificate.
• Communication between Password Manager components on the network:
All communication between Password Manager components, whether within the context of a single
server or across the network, is encrypted using 128-bit AES, a shared key, mutual authentication,
random session keys and block feedback.
• Communication between Password Manager and target systems:
Password Manager communicates with managed systems using one of three methods:
1. Using the target’s natively encrypted user administration protocol.
2. By installing a Password Manager agent on the target system, and encrypting communication
between Password Manager components using a shared key.
3. By deploying a Password Manager proxy server adjacent to the target system, in a physically-
secure co-location, and encrypting communication between the main Password Manager server
and the proxy server using a shared key.
In all three cases, communication is protected as it traverses vulnerable network media.
5 Impact on User Authentication
One of Hitachi ID Password Manager’s main objectives is to enhance the security posture of organizations,
by improving the security of user authentication processes.
5.1 Password Problem Help Desk Calls
Before Hitachi ID Password Manager is deployed, users who forget a password or trigger an intruder lockout
rely on support processes, such as calling the help desk, to get a password reset and so resolve their problem.
It follows that the security of passwords is only as good as the security of the process used to authenticate
help desk callers.
For instance, in a company where users must enter complex passwords and must change them every day,
but where users who forget their password can authenticate to the help desk using the last 4 digits of their
social security number, passwords are only as secure as the last 4 digits of a user’s SSN.
Password Manager improves user authentication prior to password resets, both self-service and assisted.
Users may be required to authenticate with:
• A two-factor hardware token.
• A biometric voice-print match.
• Answers, entered on successive screens, to multiple randomly selected personal questions, some of
which are standard (they apply to all users) and some of which are personalized (different users have
different questions).
Using Password Manager, it is possible to make non-password authentication as strong as or stronger than
password authentication.
5.2 Password Policy Enforcement
Passwords are only a reliable authenticator if they are impractical to guess and are not written down or
shared.
Password policy rules are used by systems to make sure that users select passwords that are difficult to
guess.
Hitachi ID Password Manager makes it possible to enforce a single, consistent and strong set of password
rules across multiple systems – including on systems that do not natively have a good password policy
engine.
Password aging is used to force users to change passwords periodically, to limit the window of time available
to an intruder who may be in a position to attempt a brute-force password guessing attack.
Password Manager can enforce password aging globally, including on systems that do not natively enforce
it.
5.3 Password Synchronization
Users in a typical mid- to large-sized organization have from 5 to 8 different passwords. These passwords
expire on different schedules, and are subject to different password policy rules. As a result, over time,
users tend to acquire a collection of different passwords – one per system.
Since multiple passwords are difficult to remember, users usually write down their passwords, try to pick
easy-to-remember (and so easy-to-guess) password values, and try to avoid password changes.
Password synchronization, a core Hitachi ID Password Manager feature, makes it easy for users to manage
a single, complex, frequently-changing password value on multiple systems. Managing a single password
is much easier than managing 5–8 different passwords, and as a result users tend not to write down their
passwords.
Password synchronization is an effective antidote for sticky notes with password lists.
5.4 Profile Enrollment Impacts Security
In most self-service password reset deployments, users are asked to register personal authentication data
(questions and answer pairs), that can subsequently be used to authenticate them.
The security of this registration process is just as important as the quality of the authentication profile and
user passwords. This is because compromise of the enrollment process would allow an attacker to fill out a
user’s profile, and use it to reset that user’s password.
For instance, if users register a Q&A profile using a short PIN, then an intruder who can guess or acquire a
PIN will be able to register as the user, set up the user’s Q&A profile with information that the intruder can
answer, and then use the self-service process to reset the user’s passwords to a value that the intruder
knows.
The bottom line is that the authentication method used to register data that will be used for self-service
password reset must be at least as secure as network passwords.
In Hitachi ID Password Manager, users type their current network passwords to authenticate to the regis-
tration process, and so the above requirement is met.
6 Server Defenses
The Hitachi ID Password Manager server houses some sensitive data, including target credentials and
possibly private user profile information, as described in Section 3.
To protect this data, the Password Manager includes several layers of defense:
6.1 Operating System
Hitachi ID Password Manager is installed on a locked-down, fully patched Windows 2003 server.
An important way to secure a server on any platform is to reduce the amount of software that it runs. This
eliminates potential sources of software bugs that could be exploited to violate the server’s security.
The following services, at most, are needed on the Password Manager server:
• DNS Client - Required to resolve host names
• Event Log - Core O.S. component
• IIS Admin Service - Only required if IIS is used
• IPSEC Policy Agent - Core O.S. component
• Logical DiskManager - Core O.S. component
• Network Connections - Required to manage network interfaces
• Plug and Play - Hardware support
• Protected Storage - Core O.S. component
• Remote Procedure Call (RPC) - Core O.S. component
• Removable Storage - Required to open CD-ROM drives
• RunAs Service - Core O.S. security component
• Security Accounts Manager - Core O.S. security component
• TCP/IP NetBIOS Helper Service - Only required if directly managing Windows passwords
• Workstation - Only required if directly managing Windows passwords
• World Wide Web Publishing Service - Only required if IIS is used
If additional services are required during implementation, then Hitachi ID Systems will notify the customer.
All other services should be disabled unless there is some specific reason (not related to Password Manager)
to enable them.
The Password Manager server is not normally a member of a domain. This reduces the risk of a security
intrusion in the domain being leveraged to gain unauthorized access to the Password Manager server, and
from there perhaps compromising other (e.g., non-AD) systems.
The Password Manager server can also take advantage of the simple packet filtering built into Windows 2003
to block all inbound connections other than those to the web service.
A hardened Password Manager server can be port scanned to identify available services. Following is a
typical port scan result:
delli:/data/idan/vmware/win2ksrv# nmap -sT 192.168.100.8
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.100.8):
(The 1551 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
delli:/data/idan/vmware/win2ksrv# nmap -sU 192.168.100.8
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
All 1459 scanned ports on (192.168.100.8) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 91 seconds
A process listing taken on the same server showed only the mandatory services described earlier, plus
VMware helper processes, because the sample was taken on a VMware virtual machine.
6.2 Web Server
The web server is a required component, as it enables the Hitachi ID Password Manager user interface and
SOAP API. It should therefore be carefully protected.
Since Password Manager does not require any web server functionality beyond the ability to serve static
documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web
server content should be removed.
If Apache is used, all non-essential modules should be commented out of the configuration rules.
If IIS is used, this means removing the IISAdmin, Printers, Scripts and similar virtual directories.
The web server’s scripting, indexing and data access subsystems should likewise be removed.
As an extra precaution, remote data services (RDS) are disabled by removing the following registry keys:
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\BusObj.VbBusObjCls
ODBC access is also disabled, both manually (by removing all data sources) and by adding the following
registry value, which places the Jet engine in sandbox mode:
• HKLM\Software\Microsoft\Jet\4.0\engines\SandBoxMode = 3
6.3 Password Manager Application
If the operating system and web server are made safe from attack, primarily by running a very minimal
subset of available software, intruders will seek to attack the Hitachi ID Password Manager application
itself.
Network-attached applications are frequently attacked using buffer overflow attacks, and by sending them
unexpected inputs.
Password Manager’s web interface is implemented as a set of self-contained executable programs, com-
piled from C++ source code. These programs do not use ASP, JSP or other scripting engines, so are not
vulnerable to potential security bugs in those engines.
The Password Manager CGI programs are coded very defensively, and check their inputs for overflows,
unexpected characters, unexpected string formatting, etc.
The Password Manager CGI programs manage session state carefully. They do not use cookies. Instead,
session state is managed by embedding a hidden session key in every web form. Whenever a user submits
a web form, the key is replaced by a new, cryptographically random value. Only the current session key is
valid, which means that users must navigate through the application in order and cannot use the web
browser “Back” button. It also means that logging off from an active session is effective: once the current
key is consumed, no page cached in the browser carries a valid key. This prevents an intruder from using
the browser “Back” button to take advantage of a still-active but unattended login session.
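The rotating hidden-key scheme described above, written out as a small server-side store. This is an added illustration, not Hitachi ID's code; the page says nothing about how the server stores keys or whether they expire, so the choices here (keys kept only as SHA-256 digests, a per-session idle timeout, 256-bit random keys) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrStaleKey = errors.New("session key is unknown, already used, or expired")

type session struct {
	user    string
	expires time.Time
}

// Store keeps exactly one live hidden-form key per session. Keys are held
// only as SHA-256 digests (an assumption of this example), so a copy of the
// server's memory does not yield keys that can be pasted into a form.
type Store struct {
	mu   sync.Mutex
	live map[[32]byte]session // digest of the current key -> its session
	ttl  time.Duration
	now  func() time.Time // injectable clock, so expiry can be tested
}

func NewStore(ttl time.Duration) *Store {
	return &Store{live: map[[32]byte]session{}, ttl: ttl, now: time.Now}
}

// newKey returns a 256-bit random key (hex, as it would appear in the form)
// together with the digest under which the server remembers it.
func newKey() (string, [32]byte) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	k := hex.EncodeToString(b)
	return k, sha256.Sum256([]byte(k))
}

// Login opens a session and returns the key to embed in the first form.
func (s *Store) Login(user string) string {
	k, d := newKey()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.live[d] = session{user: user, expires: s.now().Add(s.ttl)}
	return k
}

// consume validates a presented key and deletes it, so presenting the same key
// twice (browser Back, a replayed POST) fails the second time. Caller holds mu.
func (s *Store) consume(key string) (session, error) {
	d := sha256.Sum256([]byte(key))
	sess, ok := s.live[d]
	if !ok {
		return session{}, ErrStaleKey
	}
	delete(s.live, d)
	if s.now().After(sess.expires) {
		return session{}, ErrStaleKey
	}
	return sess, nil
}

// Submit handles one form post: it consumes the presented key and issues the
// replacement key that the next page will carry.
func (s *Store) Submit(key string) (string, string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, err := s.consume(key)
	if err != nil {
		return "", "", err
	}
	nk, d := newKey()
	sess.expires = s.now().Add(s.ttl)
	s.live[d] = sess
	return sess.user, nk, nil
}

// Logoff consumes the key without issuing a replacement.
func (s *Store) Logoff(key string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, err := s.consume(key)
	return err
}

func main() {
	st := NewStore(15 * time.Minute)
	k1 := st.Login("alice")
	_, k2, err := st.Submit(k1)
	fmt.Println("first submit:", err)
	_, _, err = st.Submit(k1)
	fmt.Println("Back button replay of k1:", err)
	fmt.Println("logoff:", st.Logoff(k2))
}
```

The store holds no long-lived identifier at all: the key on the page is the session, and it dies the moment it is used. That is what makes Back-button replay and an abandoned browser tab harmless here, whereas a cookie-based session would need explicit server-side invalidation at logoff. The cost is the one the page describes: a user who opens two tabs or backs up a page loses the session.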
7 Communication Defenses
Hitachi ID Password Manager sends and receives sensitive data over the network. Its communications
include user passwords, target credentials and personal user information. These are all valuable assets
that must be defended.
Network attacks typically fall into two classes:
• Passive attacks, where an intruder listens to a communication stream and extracts useful data from
it.
• Active attacks, where an intruder abuses either an available network service, or an open communi-
cation session.
Password Manager’s network services and communication protocols are designed to defend against both
types of attacks using cryptography:
Communication protocol defenses

From                                       To                                       Protocol, encryption algorithm
-----------------------------------------  ---------------------------------------  ------------------------------
User workstation                           Password Manager web application         HTTPS
Windows NT/2000/2003 password filter DLL   Password Manager server                  MTE
Unix passwd replacement binary             Password Manager server                  MTE
zOS/OS390 security exit                    Password Manager server                  MTE
Sun ONE Directory password filter          Password Manager server                  MTE
IBM Directory password filter              Password Manager server                  MTE
IVR server (any)                           Password Manager server                  MTE
Password Manager server                    Agent on Unix server                     MTE
Password Manager server                    OS390 native agent                       MTE
Password Manager server                    RSA ACE native agent                     MTE
Password Manager server                    RSA Keon native agent                    MTE
Password Manager server                    Password Manager proxy server            MTE
Password Manager server                    Another Password Manager server          MTE
                                           (for data replication)
Password Manager server                    Other managed system                     Native protocol (see below)

If a target system’s native protocol is insecure, a Password Manager proxy server is co-located with the
managed system and communication is carried out via that proxy server.
In the above table, MTE means “M-Tech Encryption Protocol.” This protocol works as follows:

Step  Caller                                          Server
----  ----------------------------------------------  ----------------------------------------------
1.    Open TCP socket
2.                                                    Generate and send a long random number
3.    Encrypt the random number using the shared      Encrypt the random number using the shared
      secret key                                      secret key
4.    Send first half of the encrypted result
5.                                                    Compare the received crypto text to the
                                                      internal calculation
6.                                                    If no match: alarm and hang up
7.    Use second half of the encrypted result as      Use second half of the encrypted result as
      initial session key                             initial session key
8.                                                    Send greeting string
9.    Send encrypted command string
10.                                                   Execute command
11.                                                   Send encrypted result string
12.   Hang up                                         Hang up
All encryption is carried out using 128-bit AES, a standardized block cipher (FIPS 197, ISO/IEC 18033-3)
with no known practical attacks.
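The twelve steps above, run end to end with both parties in one process. This is an added simulation written for this page, not Hitachi ID's implementation. Where the page is silent the code assumes: a 256-bit nonce, encrypted with AES-128-CBC under an all-zero IV (the page says only "block feedback"); AES-CTR with a fresh IV for the messages after the handshake; an encrypted greeting at step 8; and a constructed greeting string and key value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// Constructed values: the page gives neither the real greeting nor a key.
const greeting = "MTE-READY"

var demoKey = []byte("0123456789abcdef") // 16 bytes: an AES-128 shared secret

func mustCipher(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	return c
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// deriveHalves is steps 3 and 7: both ends encrypt the server's nonce under
// the shared key and split the ciphertext into the authenticator the caller
// sends and the initial session key both sides keep. The all-zero CBC IV is
// an assumption; it is harmless because the nonce is fresh for every call.
func deriveHalves(sharedKey, nonce []byte) (auth, session []byte) {
	ct := make([]byte, len(nonce))
	cipher.NewCBCEncrypter(mustCipher(sharedKey), make([]byte, aes.BlockSize)).CryptBlocks(ct, nonce)
	return ct[:len(ct)/2], ct[len(ct)/2:]
}

// seal and unseal protect one message under the session key with AES-CTR and
// a fresh IV prefixed to the ciphertext (an assumption about the mode). As in
// the page's description, there is no MAC over the ciphertext.
func seal(session, msg []byte) []byte {
	out := append(randomBytes(aes.BlockSize), make([]byte, len(msg))...)
	cipher.NewCTR(mustCipher(session), out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], msg)
	return out
}

func unseal(session, ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one IV")
	}
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(mustCipher(session), ct[:aes.BlockSize]).XORKeyStream(out, ct[aes.BlockSize:])
	return out, nil
}

// Exchange runs the twelve steps. callerKey and serverKey are each side's copy
// of the shared secret; it returns the decrypted result the caller ends up
// with, or the step-6 alarm when the copies differ.
func Exchange(callerKey, serverKey []byte, command string) (string, error) {
	nonce := randomBytes(2 * aes.BlockSize) // steps 1-2: nonce travels in the clear

	callerAuth, callerSess := deriveHalves(callerKey, nonce) // steps 3-4
	serverAuth, serverSess := deriveHalves(serverKey, nonce) // steps 3, 5

	if subtle.ConstantTimeCompare(callerAuth, serverAuth) != 1 { // step 6
		return "", errors.New("step 6: authenticator mismatch; alarm and hang up")
	}
	// Step 8: the greeting is the caller's only evidence that the server also
	// holds the shared key, since the server never sends an authenticator.
	if g, err := unseal(callerSess, seal(serverSess, []byte(greeting))); err != nil || string(g) != greeting {
		return "", errors.New("step 8: greeting did not decrypt; server not authenticated")
	}
	cmd, err := unseal(serverSess, seal(callerSess, []byte(command))) // steps 9-10
	if err != nil {
		return "", err
	}
	result, err := unseal(callerSess, seal(serverSess, []byte("OK: "+string(cmd)))) // step 11
	if err != nil {
		return "", err
	}
	return string(result), nil // step 12: both sides hang up
}

func main() {
	fmt.Println(Exchange(demoKey, demoKey, "resetpw alice"))
	fmt.Println(Exchange([]byte("fedcba9876543210"), demoKey, "resetpw alice"))
}
```

Two properties of the design are worth seeing in code rather than in a table. A passive listener sees the nonce and the first half of its encryption, which tells them nothing without the shared key; an active caller without the key is cut off at step 6 before any command is accepted. But the session key is a deterministic function of the shared key and a nonce sent in the clear, so anyone who later obtains the shared key can decrypt every recorded session, and nothing authenticates the ciphertexts. An authenticated mode and an ephemeral key agreement are what a design of this shape would add today.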
The above analysis shows that – so long as the Password Manager server is configured with an SSL
certificate, and setup to require HTTPS client communication; and so long as communication with target
systems whose native protocols are weak is protected using judicious use of the Password Manager proxy
server – no sensitive data is ever transmitted in plaintext.
8 Data protection
The Hitachi ID Password Manager server houses some sensitive data, and this data must be protected
against anyone who has physical access to the server, or has a legitimate right to log into it.
All sensitive data on the Password Manager server is encrypted, or in the case of password history hashed,
as follows:

Data                                          Algorithm    Key length  Salt?
--------------------------------------------  -----------  ----------  -------
User profiles: answers to personal questions  128-bit AES  128 bits    n/a
User profiles: password history               SHA-1 hash   n/a         64 bits
Target credentials                            128-bit AES  128 bits    n/a
Help desk user passwords                      128-bit AES  128 bits    n/a
Of the above, only the target credentials must be stored on the Password Manager server. The other items
can instead be looked up on other systems on demand.
As a result of this encryption, someone with access to the filesystem of the Password Manager server would
not be able to readily decipher sensitive data on that server. They would first have to figure out where the
data is stored, then how it is encoded, then how it is encrypted, and then they would have to find a suitable
key (itself encrypted, in the Password Manager server’s registry).
This provides as much protection as possible to sensitive data on the server, without compromising its
functionality.
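The one row in the table that is a hash rather than a cipher, password history, is the one whose handling is least obvious, so here it is as a worked example. This is added code, not Hitachi ID's; it follows the table (SHA-1, a 64-bit salt) and assumes, since the page does not say, that each retired password gets its own salt and that the history is a rolling window of the last few entries.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
)

// historyEntry is one retired password: its own 64-bit salt and
// SHA-1(salt || password), matching the "SHA-1, 64-bit salt" row.
type historyEntry struct {
	salt   [8]byte
	digest [sha1.Size]byte
}

func digestWith(salt [8]byte, password string) [sha1.Size]byte {
	h := sha1.New()
	h.Write(salt[:])
	h.Write([]byte(password))
	var out [sha1.Size]byte
	copy(out[:], h.Sum(nil))
	return out
}

// History keeps the last `keep` retired passwords, oldest first.
type History struct {
	keep    int
	entries []historyEntry
}

func NewHistory(keep int) *History { return &History{keep: keep} }

// Retire records a password the user has just changed away from. A fresh salt
// per entry means the same password retired twice leaves two unrelated digests.
func (h *History) Retire(password string) {
	var e historyEntry
	if _, err := rand.Read(e.salt[:]); err != nil {
		panic(err)
	}
	e.digest = digestWith(e.salt, password)
	h.entries = append(h.entries, e)
	if len(h.entries) > h.keep {
		h.entries = h.entries[len(h.entries)-h.keep:]
	}
}

// WasUsed answers "is this candidate one of the recent passwords?". Because
// every entry has its own salt, the candidate is re-hashed once per entry; a
// single digest cannot simply be looked up. All entries are checked so that
// timing does not reveal which entry matched.
func (h *History) WasUsed(candidate string) bool {
	found := 0
	for _, e := range h.entries {
		d := digestWith(e.salt, candidate)
		found |= subtle.ConstantTimeCompare(d[:], e.digest[:])
	}
	return found == 1
}

func main() {
	h := NewHistory(3)
	for _, p := range []string{"Winter2006!", "Spring2007!", "Summer2007!"} {
		h.Retire(p) // constructed sample passwords
	}
	fmt.Println(h.WasUsed("Spring2007!"), h.WasUsed("spring2007!"))
}
```

The per-entry salt is what stops an attacker with a copy of the history file from recognising shared passwords across users or entries, or from testing one guess against every entry with a single hash. It does not slow down guessing against one entry: a single SHA-1 is fast, so a deployment storing history today would reach for a deliberately slow password hash rather than a plain salted digest.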
9 The Secure Kiosk Account
A Secure Kiosk Account (SKA) enables users to access a self-service password reset application from a
workstation login screen without deploying desktop software.
The SKA merits its own analysis because it is a password-less guest account on the network operating
system (NOS). This analysis illustrates what vulnerabilities the SKA account does, and does not, introduce
to overall network security.
The SKA is the most deployable and secure technology available to address the problem of providing self-
service password reset to users who forget their initial workstation / network login password. Other options
are:
• Do nothing
User continues to call the help desk, authenticates on the telephone, and receives a new password
on the telephone.
• IVR self-service
Similar to doing nothing, but the help desk analyst is replaced by a machine. This option may suffer
from poor adoption rates.
• Visit a neighbor
A web browser is available at another workstation, and the user may be visually authenticated. Only
works for crowded work environments, however.
• Install desktop software
Client software on every desktop. Extremely risky, since a faulty client can expose vulnerabilities on
many workstations, or even render them inoperable.
• Secure Kiosk Account
The solution described here, and the one most often used in Hitachi ID Password Manager deploy-
ments:
A domain / NOS login account called “help,” with no password is created. A security policy is applied
to this account which locks it down, and replaces the default Windows shell with a special network-
launched executable that opens the workstation’s default web browser, in kiosk mode, to the self-
service password reset web application.
The net effect is that users who forget their initial passwords can type “help” to get automated service.
There is a unique process for implementing the SKA security policy on each NOS. The various policies
implement the same rules, however:
1. Lock the help user out of all local workstation privileges, by disabling every possible aspect of the
desktop, including preventing the user from starting command prompt windows, etc.
2. Prevent the help user from accessing any network resources.
3. For Windows 9x workstations, launch a kiosk-mode web browser immediately after starting the Win-
dows shell.
4. For Windows NT/2000/XP workstations, launch a kiosk-mode web browser as a replacement shell
(instead of the executable that displays the Windows desktop and start menu).
In all cases, the kiosk-mode web browser is launched by a program called runurl.exe. This program
is loaded from a public network share (typically on the Password Manager server or copied to each DC’s
NETLOGON share.) The program locks down the workstation by intercepting certain input event types (key-
board, mouse, etc.), finds the default web browser for the workstation in question, and starts it in kiosk
mode to the appropriate URL.
9.1 Protected Assets
The SKA is a network login ID intended to give users unauthenticated access to a limited set of functionality
on their own workstations. Accordingly, the two IT assets that are impacted by the SKA are:
1. User workstations where the SKA is available.
2. Network servers that honor the SKA user’s “authentication.”
9.2 Existing Risks
The following risks pre-exist the SKA account, are not repaired by the SKA account, but are worth pointing
out for clarity.
9.2.1 Workstation Security
Windows workstations are not secure. Windows NT, 2000 and XP workstations do have a security in-
frastructure, including password authentication and a filesystem with permissions (NTFS). However, any
intruder with physical access can restart the workstation from a DOS boot disk, run NTFSDOS, and gain
unlimited access to the filesystem, bypassing authentication and access controls.
The above points are intended to highlight the fact that workstations running any version of Windows,
without significant enhancements (primarily a cryptographic filesystem unlocked by the login password) are
not secure.
It follows that the SKA cannot reduce workstation security (from zero).
The SKA does implement extensive workstation security features, to prevent a user from abusing the help
login to run programs on the workstation, alter its configuration, and so on.
These security measures are primarily intended to give the impression of security, since the workstation
was insecure before the SKA was deployed and continues to be insecure afterwards.
9.2.2 Network Infrastructure
The SKA account is only accessible to users who already have a working network connection. Without that,
they could not login to the domain as any user, even help.
Accordingly, a potential intruder who might try to abuse the help account is by definition already in a
physical location where he has a working network connection. That means that this intruder can already
run packet sniffers, port scanners, and so on.
Clearly, the SKA can not and does not prevent these kinds of attacks.
9.2.3 Network Servers
The SKA implements a password-less authentication to a Windows NT domain, a Windows 2000/2003 AD
domain or an NDS tree.
Any system that does not use the authentication infrastructure of the domain where the help account
is defined cannot be affected by the SKA. That means that Unix servers, ERP applications, mainframes,
minicomputers, and others are not impacted by SKA at all.
Firewalls, corporate directories, web servers, network shares and applications may be impacted if (and only
if):
1. They do require user authentication. If they do not authenticate users at all, then the help account is
not needed to access them.
2. They authenticate users against the NOS directory where SKA was defined. If they authenticate users
on a different directory or user database, then help will not have a valid login.
3. They allow sign-on by users with no particular privileges or group membership. Every user defined in
the NOS directory where help was defined has access to the application or service in question.
If the NOS is Windows 2000/2003, then the help security policy can be configured to prevent even this
attack (in particular, help cannot mount Windows 2000/2003 server shares).
9.3 Net New Vulnerability
The net result of the above is that the help account opens a new, anonymous access point to public network
resources (which were already open to everyone, but without anonymity). Users who used to access public
resources with their own IDs will now be able to access those same public systems as “help.”
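Because the help account is meant to reach only the Password Manager self-service page, any other sign-on by that account is the anonymous access described above and is worth reviewing. The following is an added detection example (not Hitachi ID code) that scans sign-on records for such use; the key=value log format, the host names, and the assumption that `pm-web01` is the only destination the SKA legitimately needs are all constructed for this example and are not a real Windows or syslog layout.

```python
"""Flag use of the Secure Kiosk Account ("help") beyond its purpose.

Added example, not Hitachi ID code. Expected SKA activity is a local
workstation logon as "help" followed by an HTTPS connection to the
Password Manager web server. Anything else done as "help" is the
anonymous access point described in section 9.3 and is reported.
Log lines, host names and the format itself are constructed.
"""
import re
from collections import Counter

SKA_ACCOUNT = "help"
# Constructed assumption: the only destination the SKA legitimately needs.
ALLOWED_DESTINATIONS = {"pm-web01"}
ALLOWED_TYPES = {"interactive", "https"}   # workstation logon, reset page

# Constructed record layout: "<ts> user=<u> src=<host> dst=<host> type=<t>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) type=(?P<type>\S+)$"
)


def parse(line):
    """Return the record as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(event):
    """True when the SKA is used for anything other than reaching the
    self-service page from the workstation it was logged on to."""
    if event["user"].lower() != SKA_ACCOUNT:
        return False
    if event["type"] == "interactive" and event["src"] == event["dst"]:
        return False   # local workstation logon as help: expected
    if event["dst"] in ALLOWED_DESTINATIONS and event["type"] in ALLOWED_TYPES:
        return False   # reaching the reset page: expected
    return True


def analyse(lines):
    """Return (alerts, per_source_counts): the suspicious SKA events and
    how many SKA events each source host produced, for follow-up."""
    alerts = []
    per_src = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                   # skip malformed lines
        if ev["user"].lower() == SKA_ACCOUNT:
            per_src[ev["src"]] += 1
        if is_suspicious(ev):
            alerts.append(ev)
    return alerts, per_src


# Constructed sample: two legitimate SKA records, one ordinary user,
# two SKA sign-ons to other servers, one malformed line.
SAMPLE_LOG = """\
2014-03-05T09:12:03 user=help src=ws-0417 dst=ws-0417 type=interactive
2014-03-05T09:12:41 user=help src=ws-0417 dst=pm-web01 type=https
2014-03-05T09:15:10 user=jsmith src=ws-0417 dst=fileserv02 type=smb
2014-03-05T11:02:55 user=help src=ws-0902 dst=fileserv02 type=smb
2014-03-05T11:03:20 user=HELP src=ws-0902 dst=wiki01 type=http
this line is garbage and is skipped
"""

if __name__ == "__main__":
    alerts, counts = analyse(SAMPLE_LOG.splitlines())
    for ev in alerts:
        print(f"ALERT {ev['ts']} {ev['user']} from {ev['src']} "
              f"reached {ev['dst']} via {ev['type']}")
    print("SKA events per source host:", dict(counts))
```

The per-source counter is there because repeated SKA use from a single workstation, even when each event looks legitimate, is the pattern a reviewer would want to correlate with help-desk tickets.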
10 Conclusions
This document illustrates that best-practice measures are implemented in the Hitachi ID Password Manager
software to protect it against direct attack, to protect its communications, and to protect its data.
This document also highlights the fact that Password Manager is a sensitive server and should be managed
carefully. In particular, it should be installed on a locked-down server and managed with close attention to
security.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/psynch/documents/security_analysis/psynch_security_analysis_5.tex
Date: November 20, 2006

More Related Content

What's hot

Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Systems, Inc.
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Sverige
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM Sverige
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Systems, Inc.
 
CrossIdeas Roadshow IAM Governance IBM Marco Venuti
CrossIdeas Roadshow IAM Governance IBM Marco VenutiCrossIdeas Roadshow IAM Governance IBM Marco Venuti
CrossIdeas Roadshow IAM Governance IBM Marco VenutiIBM Sverige
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Migrate from BigFix to Ivanti
Migrate from BigFix to IvantiMigrate from BigFix to Ivanti
Migrate from BigFix to IvantiIvanti
 
IBM Security Identity & Access Manager
IBM Security Identity & Access ManagerIBM Security Identity & Access Manager
IBM Security Identity & Access ManagerIBM Sverige
 
Remote Working Webinar (Episode 4)
Remote Working Webinar (Episode 4)Remote Working Webinar (Episode 4)
Remote Working Webinar (Episode 4)Ivanti
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Remote Worker Series (Episode 1)
Remote Worker Series (Episode 1) Remote Worker Series (Episode 1)
Remote Worker Series (Episode 1) Ivanti
 
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...IBM Security
 
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure EnterpriseIBM Security
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceArijan Horvat
 
Single Sign On - Case Study
Single Sign On - Case StudySingle Sign On - Case Study
Single Sign On - Case StudyEbizon
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will failIBM Security
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 

What's hot (20)

Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - Portfolio
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and Trends
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
 
CrossIdeas Roadshow IAM Governance IBM Marco Venuti
CrossIdeas Roadshow IAM Governance IBM Marco VenutiCrossIdeas Roadshow IAM Governance IBM Marco Venuti
CrossIdeas Roadshow IAM Governance IBM Marco Venuti
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
Migrate from BigFix to Ivanti
Migrate from BigFix to IvantiMigrate from BigFix to Ivanti
Migrate from BigFix to Ivanti
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing Value
 
IBM Security Identity & Access Manager
IBM Security Identity & Access ManagerIBM Security Identity & Access Manager
IBM Security Identity & Access Manager
 
Remote Working Webinar (Episode 4)
Remote Working Webinar (Episode 4)Remote Working Webinar (Episode 4)
Remote Working Webinar (Episode 4)
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
Remote Worker Series (Episode 1)
Remote Worker Series (Episode 1) Remote Worker Series (Episode 1)
Remote Worker Series (Episode 1)
 
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce...
 
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity Governance
 
Single Sign On - Case Study
Single Sign On - Case StudySingle Sign On - Case Study
Single Sign On - Case Study
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will fail
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 

Similar to Hitachi ID Password Manager Security Analysis

Locking down a Hitachi ID Management Suite server
Locking down a Hitachi ID Management Suite serverLocking down a Hitachi ID Management Suite server
Locking down a Hitachi ID Management Suite serverHitachi ID Systems, Inc.
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User ProvisioningHitachi ID Systems, Inc.
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Secure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsSecure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsHitachi ID Systems, Inc.
 
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...Hitachi ID Systems, Inc.
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...Symantec
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)MHumaamAl
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdfInfosec Train
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White PaperRaz-Lee Security
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfInfosec Train
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfinfosec train
 

Similar to Hitachi ID Password Manager Security Analysis (20)

Locking down a Hitachi ID Management Suite server
Locking down a Hitachi ID Management Suite serverLocking down a Hitachi ID Management Suite server
Locking down a Hitachi ID Management Suite server
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User Provisioning
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management Suite
 
Secure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsSecure Management of Access to Privileged Accounts
Secure Management of Access to Privileged Accounts
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
 
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...
Using Hitachi ID Password Manager to Reduce Password Reset Calls at an Intern...
 
Selecting a Password Management Product
Selecting a Password Management ProductSelecting a Password Management Product
Selecting a Password Management Product
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
 
Cis333 Week 5 Lab 4
Cis333 Week 5 Lab 4Cis333 Week 5 Lab 4
Cis333 Week 5 Lab 4
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 
Defining Enterprise Identity Management
Defining Enterprise Identity ManagementDefining Enterprise Identity Management
Defining Enterprise Identity Management
 
Password Management Project Roadmap
Password Management Project RoadmapPassword Management Project Roadmap
Password Management Project Roadmap
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdf
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 

More from Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Systems, Inc.
 
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Systems, Inc.
 

More from Hitachi ID Systems, Inc. (20)

Authentication Management
Authentication ManagementAuthentication Management
Authentication Management
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioning
 
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
 

Recently uploaded

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Recently uploaded (20)

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Hitachi ID Password Manager Security Analysis

  • 1. Hitachi ID Password Manager Security Analysis © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. Organizations that either are considering deployment of Password Manager or have already deployed it need to understand its security implications. Password Manager impacts authentication processes and standards. This document describes this impact, and how to ensure that it is a positive change. Password Manager is also a sensitive part of an organization’s IT infrastructure, and consequently must be defended by strong security measures. The technology used by Password Manager to protect against intrusions, as well as best practices to deploy that technology, are described here. Contents 1 Introduction 1 2 What is Hitachi ID Password Manager? 2 3 Protected Assets 3 4 Defining security violations 4 5 Impact on User Authentication 6 5.1 Password Problem Help Desk Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.2 Password Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.3 Password Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.4 Profile Enrollment Impacts Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 6 Server Defenses 8 6.1 Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.2 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.3 Hitachi ID Password Manager Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7 Communication Defenses 14 8 Data protection 17 9 The Secure Kiosk Account 18 9.1 Protected Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9.2 Existing Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9.2.1 Workstation Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9.2.2 Network Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
20 i
  • 3. Password Manager Security Analysis 9.2.3 Network Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 9.3 Net New Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 10 Conclusions 21 © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 4. Password Manager Security Analysis 1 Introduction Organizations that either are considering deployment of Hitachi ID Password Manager or have already deployed it need to understand its security implications. Password Manager impacts authentication processes and standards. This document describes this impact, and how to ensure that it is a positive change. Password Manager is also a sensitive part of an organization’s IT infrastructure, and consequently must be defended by strong security measures. The technology used by Password Manager to protect against intrusions, as well as best practices to deploy that technology, are described here. The remainder of this paper is organized into sections that describe challenges specific to managing pass- words for mobile users, and how Password Manager addresses each problem. • What is Password Manager? A brief description of Password Manager, to give context to the subsequent sections. • Protected assets A list of what information security, as implemented in Password Manager, should protect. • Defining security violations Some specific security attacks that Password Manager defenses must repel. • Impact on authentication processes How the features and processes created by Password Manager affect authentication to IT infrastruc- ture generally in an organization. • Server defenses How the Password Manager server can and should be protected. • Communication defenses How data transmitted to and from each Password Manager server is protected. • Data protection How data stored on each Password Manager server is protected. • The secure kiosk account How the optional secure kiosk account impacts the security of the network operating system where it is installed. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
2 What is Password Manager?

Hitachi ID Password Manager is an integrated solution for managing user credentials across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics, and emergency recovery of full disk encryption keys.

Password Manager reduces the cost of password management using:
• Password synchronization, which reduces the incidence of password problems for users.
• Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk.
• Streamlined help desk password reset, to expedite resolution of password problem calls.

Password Manager strengthens security by providing:
• A powerful password policy engine.
• Effective user authentication, especially prior to password resets.
• Password synchronization, to help eliminate written-down passwords.
• Delegated password reset privileges for help desk staff.
• Accountability for all password changes.
• Encryption of all transmitted passwords.

To find out more about Password Manager, visit http://Hitachi-ID.com/Password-Manager.
3 Protected Assets

IT security means protecting the availability of systems, the confidentiality of data, and the integrity of both processes and data.

Hitachi ID Password Manager is designed to improve network security. It includes measures to protect:
• The Password Manager server itself.
• Sensitive data housed on the Password Manager server, including:
  – Target credentials, which the Password Manager server uses to attach to target systems and reset user passwords.
  – Support staff passwords, which may be used by Password Manager to authenticate help desk analysts.
  – Personal user data, which may be managed by Password Manager and used to authenticate users who access self-service password reset.
• Data transmitted by users to Password Manager, including answers to personal questions and passwords.
• Data transmitted from Password Manager to managed systems, including target credentials and user passwords.
• Authorized access to managed systems.

The Password Manager software is designed to safeguard all of these assets. Customers should take care, and follow best practices, to ensure that their deployments of Password Manager likewise protect these assets.
4 Defining security violations

As mentioned in the previous section, Hitachi ID Password Manager is designed to protect a range of security assets. Password Manager is also designed to defeat specific attacks, targeted against:

• User accounts / profiles:
  Access to Password Manager functions is protected using strong user authentication, intruder lockouts and security violation alarms.

• The Password Manager web application:
  The Password Manager web user portal is implemented using the standard common gateway interface (CGI) mechanism, available on virtually all web servers. CGI programs are exclusively responsible for accepting user input and displaying web pages. Because they handle untrusted input directly, the CGI programs are an obvious target and need to incorporate strong protections. All Password Manager CGI programs use a common string library to validate every input and protect against buffer overflow, SQL injection, cross-site scripting and similar attacks. This is done by checking maximum input lengths, filtering out special characters and HTML markup, and checking for valid formatting and value ranges.

• The Password Manager web server:
  Password Manager is compatible with a wide variety of web servers (Apache, Sun ONE, IIS). It uses only the standard CGI mechanism (RFC 3875) of its host web server, and consequently does not require scripting engines, index services, dynamic HTML preprocessing or other web server modules which may contain known or latent security vulnerabilities.

• The Password Manager host operating system:
  Password Manager relies on a very minimal set of operating system features, and administrators are encouraged to lock down the Password Manager server's host operating system by removing all non-essential services and components.

• Sensitive data managed by Password Manager:
  All sensitive data managed by Password Manager is encrypted.

• Communication between users and Password Manager:
  All communication with users is encrypted using HTTPS, with an SSL certificate issued by a trusted third-party certificate authority (VeriSign, Thawte, etc.).

• Communication between Password Manager components on the network:
  All communication between Password Manager components, whether within a single server or across the network, is encrypted using 128-bit AES with a shared key, mutual authentication, random per-session keys and a block-feedback (chaining) mode.

• Communication between Password Manager and target systems:
  Password Manager communicates with managed systems using one of three methods:
  1. Using the target's natively encrypted user administration protocol.
  2. By installing a Password Manager agent on the target system, and encrypting communication between Password Manager components using a shared key.
  3. By deploying a Password Manager proxy server adjacent to the target system, in a physically secure co-location, and encrypting communication between the main Password Manager server and the proxy server using a shared key.
  In all three cases, communication is protected as it traverses vulnerable network media.
5 Impact on User Authentication

One of Hitachi ID Password Manager's main objectives is to enhance the security posture of organizations by improving the security of user authentication processes.

5.1 Password Problem Help Desk Calls

Before Hitachi ID Password Manager is deployed, users who forget a password or trigger an intruder lockout rely on support processes, such as calling the help desk, to get a password reset and thereby resolve their problem. It follows that the security of passwords is only as good as the security of the process used to authenticate help desk callers. For instance, in a company where users must enter complex passwords and must change them every day, but where users who forget their password can authenticate to the help desk using the last 4 digits of their social security number, passwords are only as secure as the last 4 digits of a user's SSN.

Password Manager improves user authentication prior to password resets, both self-service and assisted. Users may be required to authenticate with:
• A two-factor hardware token.
• A biometric voice-print match.
• Answers, entered on successive screens, to multiple randomly selected personal questions, some of which are standard (apply to all users) and some of which are personalized (different users have different questions).

Using Password Manager, it is possible to make non-password authentication as strong as or stronger than password authentication.

5.2 Password Policy Enforcement

Passwords are only a reliable authenticator if they are impractical to guess and are not written down or shared. Password policy rules are used by systems to make sure that users select passwords that are difficult to guess. Hitachi ID Password Manager makes it possible to enforce a single, consistent and strong set of password rules across multiple systems, including on systems that do not natively have a good password policy engine.

Password aging is used to force users to change passwords periodically, to limit the window of time available to an intruder who may be in a position to attempt a brute-force password guessing attack.
Password Manager can enforce password aging globally, including on systems that do not natively enforce it.

5.3 Password Synchronization

Users in a typical mid- to large-sized organization have from 5 to 8 different passwords. These passwords expire on different schedules, and are subject to different password policy rules. As a result, over time, users tend to acquire a collection of different passwords, one per system. Since multiple passwords are difficult to remember, users usually write down their passwords, pick easy-to-remember (and therefore easy-to-guess) values, and try to avoid password changes.

Password synchronization, a core Hitachi ID Password Manager feature, makes it easy for users to manage a single, complex, frequently-changing password value on multiple systems. Managing a single password is much easier than managing 5 to 8 different passwords, and as a result users tend not to write down their passwords. Password synchronization is an effective antidote for sticky notes with password lists.

5.4 Profile Enrollment Impacts Security

In most self-service password reset deployments, users are asked to register personal authentication data (question and answer pairs) that can subsequently be used to authenticate them. The security of this registration process is just as important as the quality of the authentication profile and of user passwords, because compromise of the enrollment process would allow an attacker to fill out a user's profile and then use it to reset that user's password.

For instance, if users register a Q&A profile using only a short PIN, then an intruder who can guess or acquire a PIN will be able to register as the user, set up the user's Q&A profile with information that the intruder can answer, and then use the self-service process to reset the user's passwords to a value that the intruder knows.

The bottom line is that the authentication method used to register data that will be used for self-service password reset must be at least as secure as network passwords. In Hitachi ID Password Manager, users type their current network passwords to authenticate to the registration process, and so the above requirement is met.
6 Server Defenses

The Hitachi ID Password Manager server houses some sensitive data, including target credentials and possibly private user profile information, as described in Section 3 on Page 3. To protect this data, Password Manager includes several layers of defense.

6.1 Operating System

Hitachi ID Password Manager is installed on a locked-down, fully patched Windows 2003 server.

An important way to secure a server on any platform is to reduce the amount of software that it runs. This eliminates potential sources of software bugs that could be exploited to violate the server's security.

The following services, at most, are needed on the Password Manager server:
• DNS Client - Required to resolve host names
• Event Log - Core O.S. component
• IIS Admin Service - Only required if IIS is used
• IPSEC Policy Agent - Core O.S. component
• Logical Disk Manager - Core O.S. component
• Network Connections - Required to manage network interfaces
• Plug and Play - Hardware support
• Protected Storage - Core O.S. component
• Remote Procedure Call (RPC) - Core O.S. component
• Removable Storage - Required to open CD-ROM drives
• RunAs Service - Core O.S. security component
• Security Accounts Manager - Core O.S. security component
• TCP/IP NetBIOS Helper Service - Only required if directly managing Windows passwords
• Workstation - Only required if directly managing Windows passwords
• World Wide Web Publishing Service - Only required if IIS is used

If additional services are required during implementation, Hitachi ID Systems will notify the customer. All other services should be disabled unless there is some specific reason (not related to Password Manager) to enable them.
The Password Manager server is not normally a member of a domain. This reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Password Manager server, and from there perhaps compromising other (e.g., non-AD) systems.

The Password Manager server can also take advantage of the simple packet filtering services in Windows 2003 to block all inbound connections other than those to the web service (the original document illustrates this configuration with a screenshot).

A hardened Password Manager server can be port scanned to identify available services. Following is a typical port scan result, showing only TCP ports 80 and 443 open and every scanned UDP port filtered:

    delli:/data/idan/vmware/win2ksrv# nmap -sT 192.168.100.8

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on (192.168.100.8):
    (The 1551 ports scanned but not shown below are in state: closed)
    Port       State       Service
    80/tcp     open        http
    443/tcp    open        https

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    delli:/data/idan/vmware/win2ksrv# nmap -sU 192.168.100.8

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    All 1459 scanned ports on (192.168.100.8) are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 91 seconds
The process table on the same server (captured as a screenshot in the original document) shows only the mandatory services described earlier, plus VMware entries that reflect the fact that the sample was taken from a VMware virtual machine.

6.2 Web Server

The web server is a required component, as it hosts the Hitachi ID Password Manager user interface and SOAP API. It should therefore be carefully protected.

Since Password Manager does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content should be removed. If Apache is used, all non-essential modules should be commented out of the configuration. If IIS is used, this means removing the IISAdmin, Printers, Scripts and similar virtual folders, and removing the web server's scripting, indexing and data access subsystems (both steps are shown as screenshots in the original document).
As an extra precaution, remote data services (RDS) are disabled by removing the following registry keys:
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
• HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\BusObj.VbBusObjCls

ODBC drivers are also disabled, both manually (by removing all data sources) and by adding the following registry value, which places the Jet database engine in its most restrictive sandbox mode:
• HKLM\Software\Microsoft\Jet\4.0\Engines\SandBoxMode = 3

6.3 Password Manager Application

If the operating system and web server are made safe from attack, primarily by running a very minimal subset of available software, intruders will turn to the Hitachi ID Password Manager application itself. Network-attached applications are frequently attacked using buffer overflows and by sending them unexpected inputs.
Password Manager's web interface is implemented as a set of self-contained executable programs, compiled from C++ source code. These programs do not use ASP, JSP or other scripting engines, so are not exposed to security bugs in those engines. The Password Manager CGI programs are coded defensively, and check their inputs for overflows, unexpected characters, unexpected string formatting, and so on.

The Password Manager CGI programs also manage session state carefully. They do not use cookies. Instead, session state is tracked by embedding a hidden session key in every web form. Whenever a user submits a web form, the key is replaced with a new, cryptographically random value. Only the current session key is valid, which means that users must navigate forward through the application and cannot use the web browser "Back" button to resubmit an earlier form. As a result, logging off genuinely ends the session, and an intruder cannot use the browser "Back" button to take advantage of a still-active but unattended login session.
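The following is an added example, not code from Hitachi ID or from Password Manager, written to model the two defences described in this section: allow-list validation of every CGI field, and a hidden single-use session key that is replaced on every submit so that a replayed form is refused. The field names, length limits and character allow-lists are assumptions chosen for illustration; the product's actual rules are not published here.

```python
# Added example, not Hitachi ID / Password Manager code. Models section 6.3:
# allow-list input validation for CGI fields plus a single-use hidden
# session key that rotates on every form submission.
import html
import re
import secrets

# ASSUMPTION: per-field rules (max length, allowed characters) are invented
# for illustration; the product's actual rules are not documented here.
FIELD_RULES = {
    "userid": (64, re.compile(r"[A-Za-z0-9._@-]+")),
    "answer": (128, re.compile(r"[A-Za-z0-9 .,'-]+")),
}


class ValidationError(ValueError):
    pass


def validate_field(name: str, value: str) -> str:
    """Reject unknown fields, over-long values, NUL bytes and any character
    outside the field's allow-list. Returns the value unchanged if it passes."""
    if name not in FIELD_RULES:
        raise ValidationError(f"unexpected field {name!r}")
    max_len, pattern = FIELD_RULES[name]
    if len(value) > max_len:
        raise ValidationError(f"{name}: longer than {max_len} characters")
    if "\x00" in value or pattern.fullmatch(value) is None:
        raise ValidationError(f"{name}: contains disallowed characters")
    return value


def render_echo(value: str) -> str:
    """Output encoding: even validated text is HTML-escaped before it is
    written back into a page, as a second layer against cross-site scripting."""
    return html.escape(value, quote=True)


class SessionStore:
    """Server-side session table keyed by the hidden form token. Every
    accepted submit retires the presented token and issues a fresh one, so a
    replayed form (browser Back button, or a captured page) is refused."""

    def __init__(self) -> None:
        self._sessions = {}

    def login(self, userid: str) -> str:
        token = secrets.token_hex(16)            # 128-bit random session key
        self._sessions[token] = {"userid": validate_field("userid", userid),
                                 "step": 0}
        return token

    def submit(self, token: str, fields: dict):
        """Returns (new_token, message). new_token is None if the session ended."""
        record = self._sessions.pop(token, None)  # token is consumed here
        if record is None:
            return None, "stale or unknown session key; log in again"
        try:
            cleaned = {k: validate_field(k, v) for k, v in fields.items()}
        except ValidationError as exc:
            # Bad input terminates the session instead of issuing a new key.
            return None, f"input rejected: {exc}"
        record["step"] += 1
        record.update(cleaned)
        new_token = secrets.token_hex(16)
        self._sessions[new_token] = record
        return new_token, f"ok (step {record['step']})"

    def logoff(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None


def demo() -> dict:
    store = SessionStore()
    t1 = store.login("jsmith")
    t2, first = store.submit(t1, {"answer": "blue"})
    # Resubmitting the first form (what the Back button would do) is refused.
    _, replay = store.submit(t1, {"answer": "blue"})
    # An injection attempt fails the allow-list and ends the session.
    _, xss = store.submit(t2, {"answer": "<script>alert(1)</script>"})
    return {"first": first, "replay": replay, "xss": xss,
            "escaped": render_echo("<script>alert(1)</script>")}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The store keeps all session state on the server side; the token in the form carries no meaning beyond being the current, unguessable key into that table. Note that a rejected input ends the session rather than re-issuing a key, so an attacker probing the validator cannot keep an unattended session alive while doing so.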
7 Communication Defenses

Hitachi ID Password Manager sends and receives sensitive data over the network. Its communications include user passwords, target credentials and personal user information. These are all valuable assets that must be defended.

Network attacks typically fall into two classes:
• Passive attacks, where an intruder listens to a communication stream and extracts useful data from it.
• Active attacks, where an intruder abuses either an available network service or an open communication session.

Password Manager's network services and communication protocols are designed to defend against both types of attacks using cryptography, as summarized in the following table.
Communication protocol defenses

From                                        To                                               Protocol / encryption
User workstation                            Password Manager web application                 HTTPS
Windows NT/2000/2003 password filter DLL    Password Manager server                          MTE
Unix passwd replacement binary              Password Manager server                          MTE
zOS/OS390 security exit                     Password Manager server                          MTE
Sun ONE Directory password filter           Password Manager server                          MTE
IBM Directory password filter               Password Manager server                          MTE
IVR server (any)                            Password Manager server                          MTE
Password Manager server                     Agent on Unix server                             MTE
Password Manager server                     OS390 native agent                               MTE
Password Manager server                     RSA ACE native agent                             MTE
Password Manager server                     RSA Keon native agent                            MTE
Password Manager server                     Password Manager proxy server                    MTE
Password Manager server                     Another Password Manager server (replication)    MTE
Password Manager server                     Other managed system                             Native protocol (*)

(*) If the target system's native protocol is insecure, a Password Manager proxy server is co-located with the managed system and communication is carried out via the proxy.

In the above table, MTE means "M-Tech Encryption Protocol." This protocol works as follows:
1. Caller: opens a TCP socket to the server.
2. Server: generates a long random number (the challenge) and sends it to the caller.
3. Both sides: encrypt the random number using the shared secret key.
4. Caller: sends the first half of the encrypted result.
5. Server: compares the received ciphertext to its own calculation.
6. Server: if there is no match, raises an alarm and hangs up.
7. Both sides: use the second half of the encrypted result as the initial session key.
8. Server: sends a greeting string.
9. Caller: sends an encrypted command string.
10. Server: executes the command.
11. Server: sends the encrypted result string.
12. Both sides: hang up.

All encryption is carried out using 128-bit AES, which is standardized in FIPS 197 and ISO/IEC 18033-3. No practical attack on AES-128 itself is known, so the strength of MTE rests on keeping the shared secret key confidential and on the quality of the random challenge. Note that the exchange above explicitly authenticates only the caller (step 5); the server is authenticated implicitly, because only a party holding the shared key can derive the session key needed to read the command and return a readable result.

The above analysis shows that, so long as the Password Manager server is configured with an SSL certificate and set up to require HTTPS for client communication, and so long as communication with target systems whose native protocols are weak is protected by judicious use of the Password Manager proxy server, no sensitive data is ever transmitted in plaintext.
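As an added example (not Hitachi ID code), the following models the handshake above with caller and server in one process, including the alarm-and-hang-up path for a caller that holds the wrong key. The paper specifies AES-128; so that the example runs with only the Python standard library, a keyed hash (HMAC-SHA256) stands in for the block cipher, which is an assumption and not the product's implementation. The structure is what the example shows: both ends compute the keyed transform of the challenge, the caller proves knowledge of the key with the first half, the second half becomes the session key, and the command/result channel is encrypted under that key.

```python
# Added example, not Hitachi ID / Password Manager code. Models the MTE
# handshake from the table in section 7, with caller and server in one
# process. ASSUMPTION: HMAC-SHA256 stands in for the AES-128 operations so
# the example runs with the standard library only; the message flow is the
# point, not the primitive.
import hashlib
import hmac
import secrets


def keyed_transform(shared_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for 'encrypt the challenge under the shared key' (step 3)."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()  # 32 bytes


def session_crypt(session_key: bytes, direction: bytes, msg: bytes) -> bytes:
    """Toy symmetric stream cipher for the command/result channel: XOR with a
    keystream derived from the session key. The direction tag keeps the two
    directions from sharing a keystream. Illustrative stand-in for MTE's AES
    feedback mode; the same call both encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(msg):
        stream += hmac.new(session_key, direction + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(msg, stream))


class Server:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key
        self.alarms = []
        self.session_key = None

    def challenge(self) -> bytes:
        """Step 2: generate a long random number and send it to the caller."""
        nonce = secrets.token_bytes(16)
        self._expected = keyed_transform(self.shared_key, nonce)  # step 3
        return nonce

    def verify(self, caller_proof: bytes) -> bool:
        """Steps 5-7: compare the first half; alarm and hang up on mismatch,
        otherwise adopt the second half as the initial session key."""
        half = len(self._expected) // 2
        if not hmac.compare_digest(caller_proof, self._expected[:half]):
            self.alarms.append("MTE authentication failure")
            return False
        self.session_key = self._expected[half:]
        return True

    def execute(self, encrypted_command: bytes) -> bytes:
        """Steps 10-11: decrypt, execute (stand-in action), return encrypted result."""
        command = session_crypt(self.session_key, b"C", encrypted_command)
        result = b"OK " + command.upper()
        return session_crypt(self.session_key, b"S", result)


class Caller:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key
        self.session_key = None

    def respond(self, nonce: bytes) -> bytes:
        """Steps 3, 4 and 7 on the caller side: transform the challenge, keep
        the second half as session key, send only the first half as proof."""
        out = keyed_transform(self.shared_key, nonce)
        half = len(out) // 2
        self.session_key = out[half:]
        return out[:half]

    def send(self, server: Server, command: bytes) -> bytes:
        """Step 9: send the encrypted command; decrypt the server's reply."""
        encrypted = session_crypt(self.session_key, b"C", command)
        return session_crypt(self.session_key, b"S", server.execute(encrypted))


def run_exchange(server_key: bytes, caller_key: bytes,
                 command: bytes = b"reset-password jsmith"):
    """Full exchange. Returns (authenticated, decrypted_result, server_alarms)."""
    server, caller = Server(server_key), Caller(caller_key)
    proof = caller.respond(server.challenge())
    if not server.verify(proof):
        return False, None, server.alarms          # step 6: hang up
    return True, caller.send(server, command), server.alarms


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    print(run_exchange(key, key))                      # matching keys
    print(run_exchange(key, secrets.token_bytes(16)))  # wrong key: alarm
```

Two details carry over to any real implementation of this pattern: the proof is compared in constant time (a naive byte-by-byte comparison would leak how many leading bytes matched), and because the challenge is fresh per connection, a proof captured from one session is worthless against the next.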
8 Data protection

The Hitachi ID Password Manager server houses some sensitive data, and this data must be protected against anyone who has physical access to the server or a legitimate right to log into it.

All sensitive data on the Password Manager server is encrypted or hashed, as follows:

Data                                           Algorithm       Key length   Salt
User profiles: answers to personal questions   128-bit AES     128 bits     n/a
User profiles: password history                SHA-1 (hash)    n/a          64 bits
Target credentials                             128-bit AES     128 bits     n/a
Help desk user passwords                       128-bit AES     128 bits     n/a

Password history is hashed rather than encrypted because it only ever needs to be compared against a new password, never recovered. Of the above, the only data that must be stored on the server is the set of target credentials for target systems; everything else may be fetched from other systems on demand.

As a result of this encryption, someone with access to the filesystem of the Password Manager server would not be able to readily decipher sensitive data on that server. They would first have to figure out where the data is stored, then how it is encoded, then how it is encrypted, and then they would have to find a suitable key (itself encrypted, in the Password Manager server's registry). This provides as much protection as possible to sensitive data on the server without compromising its functionality.
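The following added example (not Hitachi ID code) shows the password history row above in use: the server tests whether a candidate password matches a recent one without being able to recover the old passwords, and a fresh salt per entry keeps identical passwords from producing identical digests. The 64-bit salt is the paper's figure; the history depth and the rest are assumptions for illustration. One caveat a current deployment would add: SHA-1 is a fast hash, so an attacker who obtains the history store can test guesses quickly, and a deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) is today's recommendation for this purpose.

```python
# Added example, not Hitachi ID / Password Manager code. Shows the salted
# SHA-1 password history row of the data protection table in use: the server
# tests a candidate password against old ones without being able to recover
# them. SALT_BYTES follows the paper (64 bits); HISTORY_DEPTH is an assumption.
import hashlib
import hmac
import secrets

SALT_BYTES = 8        # 64-bit salt, per the data protection table
HISTORY_DEPTH = 10    # ASSUMPTION: remember the last ten passwords


def hash_password(password: str, salt: bytes) -> bytes:
    """SHA-1 over salt || password. A fresh salt per entry means the same
    password produces unrelated digests for different users (or at different
    times), so a precomputed table of digests is useless against the store."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries = []      # (salt, digest) pairs, newest last

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)
        self.entries.append((salt, hash_password(password, salt)))
        del self.entries[:-self.depth]        # keep only the newest entries

    def was_used(self, password: str) -> bool:
        """Re-hash the candidate under every stored salt. compare_digest keeps
        the comparison constant-time so timing does not leak partial matches."""
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.entries)


def check_new_password(history: PasswordHistory, candidate: str) -> str:
    """Policy hook called on a password change: refuse recent re-use."""
    if history.was_used(candidate):
        return "rejected: password was used recently"
    history.record(candidate)
    return "accepted"


def demo():
    alice = PasswordHistory(depth=3)
    bob = PasswordHistory(depth=3)
    outcomes = [check_new_password(alice, p) for p in (
        "Winter2005!", "Spring2006!", "Summer2006!",
        "Winter2005!",               # still within the last three: refused
        "Autumn2006!",
        "Winter2005!",               # now aged out of the history: accepted
    )]
    check_new_password(bob, "Winter2005!")
    # Same password for two users, yet the stored digests differ: that is the salt.
    digests_differ = alice.entries[-1][1] != bob.entries[-1][1]
    return outcomes, digests_differ


if __name__ == "__main__":
    print(demo())
```

Because each entry carries its own salt, checking a candidate costs one hash per stored entry; that is the price of making the store useless to an attacker with a precomputed dictionary of unsalted SHA-1 digests.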
9 The Secure Kiosk Account

A Secure Kiosk Account (SKA) enables users to access a self-service password reset application from a workstation login screen without deploying desktop software. The SKA merits its own analysis because it is a password-less guest account on the network operating system (NOS). This analysis illustrates what vulnerabilities the SKA does, and does not, introduce to overall network security.

The SKA is the most deployable and secure technology available to address the problem of providing self-service password reset to users who forget their initial workstation / network login password. Other options are:

• Do nothing
  The user continues to call the help desk, authenticates on the telephone, and receives a new password on the telephone.
• IVR self-service
  Similar to doing nothing, but the help desk analyst is replaced by a machine. This option may suffer from poor adoption rates.
• Visit a neighbor
  A web browser is available at another workstation, and the user may be visually authenticated. This only works in crowded work environments, however.
• Install desktop software
  Client software on every desktop. Extremely risky, since a faulty client can expose vulnerabilities on many workstations, or even render them inoperable.
• Secure Kiosk Account
  The solution described here, and the one most often used in Hitachi ID Password Manager deployments: a domain / NOS login account called "help," with no password, is created. A security policy is applied to this account which locks it down and replaces the default Windows shell with a special network-launched executable that opens the workstation's default web browser, in kiosk mode, to the self-service password reset web application. The net effect is that users who forget their initial passwords can type "help" to get automated service.

There is a unique process for implementing the SKA security policy on each NOS. The various policies implement the same rules, however:
1. Lock the help user out of all local workstation privileges, by disabling every possible aspect of the desktop, including preventing the user from starting command prompt windows, etc.
2. Prevent the help user from accessing any network resources.
3. For Windows 9x workstations, launch a kiosk-mode web browser immediately after starting the Windows shell.
4. For Windows NT/2000/XP workstations, launch a kiosk-mode web browser as a replacement shell (instead of the executable that displays the Windows desktop and start menu).

In all cases, the kiosk-mode web browser is launched by a program called runurl.exe. This program is loaded from a public network share (typically on the Password Manager server, or copied to each domain controller's NETLOGON share). The program locks down the workstation by intercepting certain input event types (keyboard, mouse, etc.), finds the default web browser for the workstation in question, and starts it in kiosk mode at the appropriate URL.

9.1 Protected Assets

The SKA is a network login ID intended to give users unauthenticated access to a limited set of functionality on their own workstations. Accordingly, the two IT assets that are impacted by the SKA are:
1. User workstations where the SKA is available.
2. Network servers that honor the SKA user's "authentication."

9.2 Existing Risks

The following risks pre-exist the SKA account and are not repaired by it, but are worth pointing out for clarity.

9.2.1 Workstation Security

Windows workstations are not secure against an intruder with physical access. Windows NT, 2000 and XP workstations do have a security infrastructure, including password authentication and a filesystem with permissions (NTFS). However, an intruder with physical access can restart the workstation with a DOS boot disk, run NTFSDOS, and gain unlimited access to the filesystem, bypassing authentication and access controls.

The above points are intended to highlight the fact that workstations running any version of Windows, without significant enhancements (primarily a cryptographic filesystem unlocked by the login password), are not secure against physical access. It follows that the SKA cannot reduce workstation security (from zero).
The SKA does implement extensive workstation security features, to prevent a user from abusing the help login to run programs on the workstation, alter its configuration, and so on. These measures are primarily intended to give the impression of security, since the workstation was insecure before deploying the SKA and continues to be insecure after the SKA is deployed.
9.2.2 Network Infrastructure

The SKA account is only accessible to users who already have a working network connection. Without one, they could not log in to the domain as any user, even help. Accordingly, a potential intruder who might try to abuse the help account is by definition already in a physical location where he has a working network connection. That means that this intruder can already run packet sniffers, port scanners, and so on. Clearly, the SKA cannot and does not prevent these kinds of attacks.

9.2.3 Network Servers

The SKA implements a password-less authentication to a Windows NT domain, a Windows 2000/2003 AD domain or an NDS tree. Any system that does not use the authentication infrastructure of the domain where the help account is defined cannot be affected by the SKA. That means that Unix servers, ERP applications, mainframes, minicomputers, and others are not impacted by the SKA at all.

Firewalls, corporate directories, web servers, network shares and applications may be impacted if, and only if, all of the following hold:
1. They do require user authentication. If they do not authenticate users at all, then the help account is not needed to access them.
2. They authenticate users against the NOS directory where the SKA was defined. If they authenticate users against a different directory or user database, then help will not have a valid login.
3. They allow sign-on by users with no particular privileges or group membership, so that every user defined in the NOS directory where help was defined has access to the application or service in question.

If the NOS is Windows 2000/2003, then the help security policy can be configured to prevent even this (in particular, help can be prevented from mounting Windows 2000/2003 server shares).

9.3 Net New Vulnerability

The net result of the above is that the help account opens a new, anonymous access point to public network resources (which were already open to everyone, but not anonymously). Users who used to access public resources with their own IDs will now be able to access those same public systems as "help."
10 Conclusions

This document illustrates that best-practice measures are implemented in the Hitachi ID Password Manager software, to protect it against direct attack, to protect its communications, and to protect its data.

This document also highlights the fact that Password Manager is a sensitive server, and should be managed carefully. In particular, it should be installed on a locked-down server, and managed with close attention to security.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

File: /pub/wp/psynch/documents/security_analysis/psynch_security_analysis_5.tex
Date: November 20, 2006