Educause Security Discussion mailing list archives
Re: Two Factor Windows Shares
From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 25 Aug 2011 09:17:38 -0500
> I want to have a file server (preferably Windows) where the shares are protected by two factor authentication. The share would have permissions assigned to Active Directory users as a normal file share would. But if the user goes to the share I want it to prompt them for non-AD credentials such as a fingerprint.
Windows really isn't built to do that, but you could replace Windows or add layers.

For a (nearly) 100% Windows solution, you could require end-to-end IPSec. Depending on your requirements, IPSec could be authenticated with either machine certificates or smartcards. Another approach would be to make the server available only from a locked-down network requiring 802.1x with certificates or smartcards. Whether that's easier or harder than IPSec depends on your staff.

Conceptually, the simplest answer, if you consider running a domain-joined Samba server to be simple, would be a preexec script that triggers a DuoSecurity.com or PhoneFactor.com callback upon connection to the share, and kills the connection on failure. See http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html for some hints about preexec. There are many other vendors in this space, but PhoneFactor is the most well-known and DuoSecurity is my current favorite.

Other approaches include a VPN in front of the server, and something like PGP NetShare/WinMagic SecureDoc File & Folder on top of it. I don't know of any free/cheap data-at-rest crypto that supports two-factor auth, but hiding a file server behind OpenVPN with DuoSecurity, WiKID, or Yubikey is free or nearly free.

--
Rich Graves
http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
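The preexec idea from the reply above, sketched as an added example (not code from the post, the linked HOWTO, or any vendor). `root preexec` and `root preexec close` are real Samba parameters; the share name, file paths, and the `MFA_CMD` wrapper around the vendor callback are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: Samba preexec gate that requires a second factor.
# smb.conf side (share name and paths are placeholders):
#   [secure]
#     path = /srv/secure
#     root preexec = /usr/local/sbin/share-2fa-gate %u %I
#     root preexec close = yes    # non-zero exit closes the connection
#
# MFA_CMD is a hypothetical wrapper around the vendor's callback; it must
# exit 0 only when the user approved the second factor.
MFA_CMD="${MFA_CMD:-/usr/local/bin/mfa-callback}"
MFA_TIMEOUT="${MFA_TIMEOUT:-60}"   # seconds; the connect blocks meanwhile

log() { logger -t share-2fa -p auth.notice "$*" 2>/dev/null || true; }

share_2fa_gate() {
    user="${1:-}"; ip="${2:-}"
    # %u and %I are substituted into a command line, so accept only a strict
    # character set (assumes winbind presents plain user names).
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) log "deny: malformed user name"; return 1 ;;
    esac
    case "$ip" in
        ''|*[!0-9A-Fa-f.:]*) log "deny: malformed client address"; return 1 ;;
    esac
    # Fail closed when the callback wrapper is missing.
    command -v "$MFA_CMD" >/dev/null 2>&1 || { log "deny: $MFA_CMD missing"; return 1; }
    if timeout "$MFA_TIMEOUT" "$MFA_CMD" "$user" "$ip" >/dev/null 2>&1; then
        log "allow: user=$user ip=$ip"
        return 0
    fi
    log "deny: second factor failed or timed out user=$user ip=$ip"
    return 1
}

# Run the gate only when installed under the name used in smb.conf above.
case "${0##*/}" in
    share-2fa-gate) share_2fa_gate "$@"; exit $? ;;
esac
```

Every error path returns non-zero, so a missing wrapper, a timeout, or malformed input closes the share connection rather than letting it through.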