Educause Security Discussion mailing list archives

Re: Two Factor Windows Shares


From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 25 Aug 2011 09:17:38 -0500

I want to have a file server (preferably Windows) where the shares are protected by two factor authentication. The share would have permissions assigned to Active Directory users as a normal file share would. But if the user goes to the share I want it to prompt them for non-AD credentials such as a finger print.

Windows really isn't built to do that, but you could replace Windows or add layers.

For a (nearly) 100% Windows solution, you could require end-to-end IPSec. Depending on your requirements, IPSec could be authenticated with either machine certificates or smartcards.

Another approach would be to make the server available only from a locked-down network requiring 802.1x with certificates or smartcards. Whether that's easier or harder than IPSec depends on your staff.

Conceptually, the simplest answer, if you consider running a domain-joined Samba server to be simple, would be a preexec script that triggers a DuoSecurity.com or PhoneFactor.com callback upon connection to the share, and kills the connection on failure. See http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html for some hints about preexec. There are many other vendors in this space, but PhoneFactor is the most well-known and DuoSecurity is my current favorite.

Other approaches include a VPN in front of the server, and something like PGP NetShare/WinMagic SecureDoc File & Folder on top of it. I don't know of any free/cheap data-at-rest crypto that supports two-factor auth, but hiding a file server behind OpenVPN with DuoSecurity, WiKID, or Yubikey is free or nearly free.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
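As an added illustration of the Samba preexec hook Rich describes above (example code, not from the thread or from any vendor): the smb.conf fragment in the comment uses `preexec` together with `preexec close = yes`, so a non-zero exit from the script makes Samba refuse the connection, and the script fails closed. The command that actually performs the second-factor callback (`SECOND_FACTOR_CMD`) is an assumed placeholder for the vendor's own client.

```shell
#!/bin/sh
# Samba share hook, run by smbd as "preexec" when a client connects to the
# share. Assumed smb.conf fragment (not from the original post):
#
#   [secure]
#       path = /srv/secure
#       valid users = @secure-users
#       preexec = /usr/local/sbin/smb-2fa-check.sh %U %I %S
#       preexec close = yes      # non-zero exit -> connection is refused
#
# Samba substitutes %U (session user), %I (client IP) and %S (share name).
# SECOND_FACTOR_CMD is a placeholder for the vendor's callback client
# (Duo, PhoneFactor, ...); it must exit 0 only if the user approved.
: "${SECOND_FACTOR_CMD:=/usr/local/bin/second-factor-push}"

log() { logger -t smb-2fa -p auth.notice "$*" 2>/dev/null || echo "smb-2fa: $*" >&2; }

# check_second_factor USER CLIENT_IP SHARE -> 0 = allow, 1 = deny
check_second_factor() {
    user=$1; client=$2; share=$3
    # Refuse anything that is not a plain account name before it reaches
    # the external command (the value comes from the SMB session).
    case $user in
        ''|*[!A-Za-z0-9._@-]*) log "deny: malformed user '$user'"; return 1 ;;
    esac
    if "$SECOND_FACTOR_CMD" "$user" "$client" "$share"; then
        log "allow: $user from $client to //$share"
        return 0
    fi
    log "deny: $user from $client to //$share (second factor failed)"
    return 1
}

# Entry point when invoked by smbd: fail closed if the checker is missing.
if [ "${0##*/}" = "smb-2fa-check.sh" ]; then
    [ -x "$SECOND_FACTOR_CMD" ] || { log "deny: $SECOND_FACTOR_CMD not executable"; exit 1; }
    check_second_factor "$@"
    exit $?
fi
```

Because `preexec` runs only at share connect time, an already-established session is not re-challenged; pair it with a short `deadtime` in smb.conf if you need periodic re-verification.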

