[unisog] Remote Access Problem

Valdis.Kletnieks at vt.edu
Fri Feb 23 17:42:43 GMT 2007


On Fri, 23 Feb 2007 18:40:19 +0200, avi shvartz said:

> We have a sub-contractor that develops software in his own lab, not on our campus.
>
> However, the computers in his lab are controlled by us, connected to our
> Active Directory, and the developers are logging in using smart card
> Windows authentication.
> The security people raised a concern that a developer can copy the disk
> image and log on using his smart card from a different computer, outside
> the lab.

Ya know, that smart card is going to have a *really* hard time authenticating
against your AD servers if your AD servers are firewalled off from the majority
of the internet.  If you do something like this:

deny all
allow from <your first address range here>
allow from <your second/etc address range>
allow from <the address range of their lab>

they'll have a hard time logging in from anywhere else.

Odd that your security guys were worried about the card logging in from
elsewhere, but didn't suggest this right off the bat...
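
The default-deny allowlist sketched in the reply above, written as a check and run over logon records to list sources outside the permitted ranges. This is an added example, not part of the original post; the address ranges, record format and function names are constructed assumptions.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space); substitute
# the real campus and lab ranges.
ALLOWED_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # "your first address range"
    ipaddress.ip_network("198.51.100.0/25"),  # "your second/etc address range"
    ipaddress.ip_network("203.0.113.16/28"),  # "the address range of their lab"
]

def is_allowed(source, allowed=ALLOWED_RANGES):
    """Default deny: a source passes only if it falls inside an allowed range."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # an unparsable source is denied, not waved through
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in allowed)

# Constructed sample records: "<timestamp> <account> <source address>"
SAMPLE_LOGONS = """\
2007-02-23T09:01:12 dev1 203.0.113.20
2007-02-23T09:04:40 staff7 192.0.2.77
2007-02-23T21:15:03 dev1 198.51.100.200
2007-02-23T21:16:44 dev2 ::ffff:203.0.113.31
2007-02-23T22:02:09 dev2 not-an-address
"""

def logons_outside_allowlist(text, allowed=ALLOWED_RANGES):
    """Return (timestamp, account, source) for every logon the allowlist rejects."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not a logon record in the assumed format
        ts, account, source = parts
        if not is_allowed(source, allowed):
            hits.append((ts, account, source))
    return hits

if __name__ == "__main__":
    for hit in logons_outside_allowlist(SAMPLE_LOGONS):
        print("outside allowlist:", *hit)
```

The deny is the fallback when no allow range matches; on a first-match packet filter a literal `deny all` placed ahead of the allow lines would block every source, so there it belongs last or as the default policy.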