[unisog] Remote Access Problem

Michael Holstein michael.holstein at csuohio.edu
Fri Feb 23 17:09:59 GMT 2007


This is exactly what TPM is supposed to address, but it's not totally 
implemented end-to-end in any product yet, AFAIK.

If you really don't trust the person you should consider using Citrix or 
the like so they never have physical access to anything -- just the 
application front-end. You can still do smartcards with Citrix.

VPN hardware devices are another way to lock-down the physical location. 
As long as the link is reliable, you could automatically revoke a 
certificate when the link goes down, and keep the hardware in a locked 
case. The revocation prevents removal of the VPN device *and* a PC image.

There are tons of ways to address it, and a way to defeat each of them. 
I guess the most obvious answer is that at some point, you've got to 
exercise some level of trust.

Remember .. locks (of any variety) only keep honest people honest.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

avi shvartz wrote:
> Hello list,
> 
> We have a sub-contractor that develops software in his own lab, not on 
> our campus.
> 
> However, the computers in his lab are controlled by us, connected to 
> our Active Directory, and the developers log in using smart card 
> Windows authentication.
> 
> The security people raised a concern that a developer can copy the disk 
> image and log on using his smart card from a different computer, 
> outside the lab.
> 
> Is there a way to overcome this issue? For example, tie the system to 
> some physical attribute of the computer?
> 
> We do take care of regular application-level backups, so we are willing 
> to "pay the price" and reinstall the operating system etc. in case the 
> hardware fails.
> 
> Regards,
> 
> Avi
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
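An added example, not part of the original thread, of the TPM binding Michael refers to: sealing the OS volume to the machine's TPM with BitLocker so that a copied disk image cannot be unlocked on other hardware. It uses the BitLocker PowerShell module that shipped well after this 2007 exchange, and assumes a Windows 8/Server 2012 or later domain-joined machine with a TPM that is present and ready, an elevated session, and the volume letter `C:` (an assumption; adjust for the lab's build).

```powershell
# Added example (not from the original thread): bind the OS volume to this
# machine's TPM so a copied disk image cannot be unlocked on other hardware.
# Assumes Windows 8/Server 2012 or later with the BitLocker module, a TPM that
# is present and ready, and an elevated session. $Volume is an assumption.

$Volume = "C:"

# 1. Confirm the TPM is present and ready; without it the protector cannot be
#    created and the volume would fall back to a key a developer could copy.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this machine"
}

# 2. Add a TPM+PIN protector. The volume master key is sealed to this TPM and
#    its platform measurements, so the same image dropped into another
#    machine (or a VM) will not unseal. The PIN is a second factor against
#    someone who carries off the whole box rather than just the disk.
$pin = Read-Host -AsSecureString -Prompt "Enter a BitLocker PIN"
Enable-BitLocker -MountPoint $Volume -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# 3. Add a recovery password and escrow it to Active Directory. Whoever holds
#    this 48-digit key can unlock the image on any hardware, so it belongs
#    with the campus admins, not in the contractor's lab.
$vol  = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
$rpId = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1 -ExpandProperty KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rpId

# 4. Verify what protects the volume and whether protection is on.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Two caveats a practitioner will hit: by default Windows refuses a TPM+PIN protector unless the "Require additional authentication at startup" policy allows it, so set that policy before running `Enable-BitLocker`; and this only defeats the offline image-copy scenario Avi raised. A developer who can log on to the original machine with his smart card can still copy files off the running system, which is the "exercise some level of trust" point above.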

