Strong Authentication to any Application Using SecureLogin and NMAS ™
Scott Kiester and John Jolly, Software Engineers, Novell, Inc.

Presentation transcript:


© March 9, 2004 Novell Inc.

Slide 2: The one Net vision
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
Novell exteNd ™, Novell Nsure ™, Novell Nterprise ™, Novell Ngage SM

Slide 3: The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Novell Nsure ™ (Novell exteNd ™, Novell Nsure ™, Novell Nterprise ™, Novell Ngage SM)

Slide 4: What we'll cover
✔ SecureLogin and NMAS Basics
✔ LDAP Authentication
✔ Using Biometric Devices
✔ SecureWorkstation
✔ Citrix Integration
✔ Establishing Password Policies
✔ Using Scripts for Advanced Authentication
✔ Questions and Answers

Slide 5: SecureLogin and NMAS Basics
What is SecureLogin?
Provides Single Sign-On Capabilities
Machine-Local and Network Cache Storage
Administrative Password Control
What is NMAS (Novell Modular Authentication Service)?
Allows Authentication Beyond Username/Password
– Provides Interface for Third-Party Authentication Products
– Improves Security Through Multiple Authentication Factors

Slide 6: LDAP Authentication
Why LDAP?
Open Standard Supported by eDirectory
NMAS Provides Authentication Via LDAP
Features
NMAS Authentication
WinNT GINA Login
Contextless User Search
SecureLogin Integration
Citrix Support

Slide 7: Using Biometric Devices
Requirements
NMAS must be installed.
LDAPAuth must be used.
With NMAS on the server and methods on the client that complete sequences on the server, NMAS will work.
All NMAS communications are done via the secure LDAP port.
No Novell Client32 needed!

Slide 8: Secure Workstation
What is SecureWorkstation?
Service that runs on Windows 2000 and Windows XP
“Locks down” the workstation when the user leaves
Helps prevent unauthorized access to applications
Quickly switch between users on the same workstation

Slide 9: Secure Workstation Events
Events that Secure Workstation detects:
User inactivity timeout
Removal of an authentication device (Smart Card, Proximity Card, etc.)
Network Logout Event (Client32 or LDAP)
– Secure Workstation detects when the user has been logged out of the network
Manual Lock Event
– User clicks the “Logout” button on the Secure Workstation Quick Login/Logout Interface
– Provides a quick logout when no authentication devices have been deployed

Slide 10: Secure Workstation Actions
Actions taken by Secure Workstation when an event is detected:
Lock the Workstation
Log out of the Workstation (Log out of Windows)
Log out of the Network (Client32 or LDAP)
Close Programs
Log out of the Network and Close Programs

Slide 11: Secure Workstation Policy
The policy tells Secure Workstation which action to take when it detects an event
Two actions are associated with each event
– Action for the local console session
– Action for remote Citrix/Terminal Services clients
Secure Workstation cannot lock the workstation in a remote session, so it will disconnect the session instead

Slide 12: Policy Configuration
Use the “Secure Workstation Policy Editor” to configure a policy for the workstation. The policy editor can be found in the Novell SecureLogin program group.

Slide 13: Inactivity Timeout Event
Specify the duration of user inactivity before an inactivity timeout event is triggered
Warn the user a few seconds before the event is triggered
– A dialog will be displayed
– A wav file and avi file may be played

Slide 14: Device Removal Event
Specify which devices must be present
A device removal event will be triggered when one of the devices is removed

Slide 15: Program List
Used with the “Close All Programs” action
Environment variables may be used

Slide 16: Post-Policy Command
A command that will be executed after the action has been taken
May be used to display a login dialog for the next user
– Use loginw32.exe for Client32
– Use nldaplgn.exe for LDAP Auth

Slide 17: Secure Workstation Network Policy
The Network Policy is a Secure Workstation Policy that is stored in eDirectory and configured using ConsoleOne.
The Network Policy contains the same settings as the Local Policy
An NMAS Post-Login Method delivers the policy to the workstation
A different policy may be configured for each NMAS Login Sequence that contains the Secure Workstation Post-Login Method
– Use NMAS to set login sequence restrictions
– Use NMAS to assign a default login sequence

Slide 18: Secure Workstation Effective Policy
The Effective Policy is the policy that Secure Workstation enforces.
The Effective Policy is created by combining the Local Policy with the Network Policy
– The most secure settings from each policy are used
If either the Network Policy or the Local Policy is inactive, then the Effective Policy will be a copy of the active policy
If both the Network Policy and the Local Policy are inactive, then the Effective Policy will also be inactive
– Secure Workstation will not do anything when the Effective Policy is inactive

Slide 19: Viewing the Effective Policy
Use the “View Effective Policy” button to view the settings in the Effective Policy
The Effective Policy for the current Citrix/Terminal Services session will be displayed

Slide 20: Why Combine Policies?
Meet the minimum security requirements of both the user and the workstation.
Example: A doctor may not need an inactivity timeout when using the workstation in his office, but should have one when using a workstation in a public area.
Deactivate the Inactivity Timeout Event in the Network Policy for the doctor
Activate the Inactivity Timeout Event in the Local Policy on workstations in public areas
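To make the combination rule concrete, here is an added Python model of how an Effective Policy is derived from a Local Policy and a Network Policy. This is example code written for this transcript, not code from SecureLogin or Secure Workstation. It encodes exactly the rules on the Effective Policy slide (copy of the only active policy, inactive when both are inactive, otherwise the most secure setting per event) and runs the doctor scenario above through them. The ranking of the five actions from least to most restrictive, the event names, the per-event data structure and the sample timeout values are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# The five actions from the "Secure Workstation Actions" slide. Ranking them
# from least to most restrictive is an ASSUMPTION made for this example; the
# slides only say that "the most secure settings from each policy are used".
ACTION_RANK = {
    "Lock the Workstation": 1,
    "Log out of the Workstation": 2,
    "Log out of the Network": 3,
    "Close Programs": 4,
    "Log out of the Network and Close Programs": 5,
}


@dataclass(frozen=True)
class EventSetting:
    """Per-event settings (assumed layout): an active flag, one action for the
    local console session, one for remote Citrix/Terminal Services sessions,
    and the idle duration used only by the Inactivity Timeout Event."""
    active: bool
    local_action: str = "Lock the Workstation"
    remote_action: str = "Lock the Workstation"
    timeout_seconds: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    active: bool
    events: Dict[str, EventSetting]


INACTIVE_POLICY = Policy(active=False, events={})


def stricter_action(a: str, b: str) -> str:
    """Pick the more restrictive of two actions under ACTION_RANK."""
    return a if ACTION_RANK[a] >= ACTION_RANK[b] else b


def merge_event(local: Optional[EventSetting],
                network: Optional[EventSetting]) -> Optional[EventSetting]:
    """Combine one event: an active side wins over an inactive one; when both
    are active keep the stricter actions and the shorter idle timeout."""
    if local is None or network is None:
        return local if network is None else network
    if not local.active or not network.active:
        return local if local.active else network
    timeouts = [t for t in (local.timeout_seconds, network.timeout_seconds) if t is not None]
    return EventSetting(
        active=True,
        local_action=stricter_action(local.local_action, network.local_action),
        remote_action=stricter_action(local.remote_action, network.remote_action),
        timeout_seconds=min(timeouts) if timeouts else None,
    )


def effective_policy(local: Policy, network: Policy) -> Policy:
    """Derive the Effective Policy as the slide describes."""
    if not local.active and not network.active:
        return INACTIVE_POLICY          # Secure Workstation does nothing
    if not local.active:
        return network                  # copy of the only active policy
    if not network.active:
        return local
    names = sorted(set(local.events) | set(network.events))
    return Policy(active=True,
                  events={n: merge_event(local.events.get(n), network.events.get(n)) for n in names})


# Constructed sample policies for the doctor scenario (values are made up).
# Network Policy delivered to the doctor by the NMAS Post-Login Method:
# no inactivity timeout, but pulling the card logs out of the network.
DOCTOR_NETWORK_POLICY = Policy(active=True, events={
    "Inactivity Timeout": EventSetting(active=False),
    "Device Removal": EventSetting(active=True, local_action="Log out of the Network",
                                   remote_action="Log out of the Network"),
})

# Local Policy on a workstation in a public area: lock after 5 minutes idle.
PUBLIC_WORKSTATION_LOCAL_POLICY = Policy(active=True, events={
    "Inactivity Timeout": EventSetting(active=True, timeout_seconds=300),
    "Device Removal": EventSetting(active=True),
})

# Local Policy in the doctor's own office: no inactivity timeout configured.
OFFICE_WORKSTATION_LOCAL_POLICY = Policy(active=True, events={
    "Inactivity Timeout": EventSetting(active=False),
})


if __name__ == "__main__":
    for where, local in (("public area", PUBLIC_WORKSTATION_LOCAL_POLICY),
                         ("office", OFFICE_WORKSTATION_LOCAL_POLICY)):
        print(where, effective_policy(local, DOCTOR_NETWORK_POLICY).events)
```

Run as written, the public-area workstation ends up with the 300-second timeout from its Local Policy and the stricter "Log out of the Network" device-removal action from the doctor's Network Policy, while the office workstation keeps no inactivity timeout at all, which is the outcome the slide is after.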

Slide 21: The Quick Login/Logout Interface
Provides a fast and convenient way for users to lock the workstation or trigger a Manual Lock Event
The “Lock Workstation” button locks the workstation
The “Logout” button is bound to the Manual Lock Event in the Effective Policy

Slide 22: Quick Login/Logout Interface
Customize the Quick Login/Logout Interface using settings in the registry. See TID for more information.

Slide 23: Citrix Integration - Today
Most NMAS methods that require an authentication device, such as a smart card or fingerprint reader, will not work
Secure Workstation will not detect device removal events from most devices

Slide 24: Citrix Integration – Virtual Channels
NMAS and Secure Workstation will use a virtual channel to communicate with authentication devices.
Same user experience with a Citrix Client as when logged on locally
Available in an upcoming release of SecureLogin
Will require a Citrix ICA 6.0 or later client (Windows Terminal Services Clients not supported in this release)
The following components will use virtual channels:
– NMAS
– Secure Workstation
– pcProx Proximity Cards (software is provided with SecureLogin)

Slide 25: Citrix Integration – The Solution

Slide 26: Citrix Integration - pcProx
The pcProx method uses a virtual channel to scan the card.
User identification over the virtual channel works with both Client32 and LDAP Auth

Slide 27: Citrix Integration - NMAS
NMAS Authentication will be redirected over the virtual channel.
NMAS methods execute on the ICA client, where the authentication devices are
NMAS calls SecureLogin to redirect the authentication
– An NMAS 2.3 client is required
– An NMAS 2.3 server is required if the user is logging in through Client32
– Client32 is not required on the client, even if users will be logging in through Client32 on the Citrix server

Slide 28: Citrix Integration – NMAS
Diagram: ICA Client (Proximity Card, Fingerprint Reader, Smart Card, SecureLogin, Login Client Method, NMAS Client), connected over the Virtual Channel of the ICA Protocol to the Citrix Server (Client32 / LDAP Auth, NMAS Client), which talks over NCP/LDAP to the eDirectory Server (NMAS Server, Login Server Method).

Slide 29: Citrix Integration – Secure Workstation
Secure Workstation uses the virtual channel to detect device removal events.
Each device that integrates with Secure Workstation must provide a module that reports device removal events
– Vendor-provided modules will execute on the ICA client, instead of the Citrix server
Diagram: ICA Client (Proximity Card, Smart Card, Secure Workstation), connected over the Virtual Channel of the ICA Protocol to the Citrix Server (Secure Workstation).

Slide 30: Establishing Password Policies
Create a Password Policy
– Admin Console
– Local Login Manager
In the script:
– Use RestrictVariable
– ChangePassword will enforce the policy
– Even more secure: use the Random modifier on the ChangePassword command.

Slide 31: Using Scripts for Advanced Auth
Most Applications Require a Username/Password
Not the most secure method of authentication
SecureLogin with NMAS can improve the authentication security of these programs
Use the AAVerify script command to call NMAS
Autogenerate a random password after each successful authentication
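The last two slides describe one pattern: a password policy is enforced on whatever value the script would store (RestrictVariable / ChangePassword), and the strongest variant never lets the user pick the value at all, since the script regenerates a random policy-compliant password after each NMAS-verified login. The Python below is an added example of that mechanism, written for this transcript; it is not SecureLogin script and not Novell code. The policy fields, their defaults and the special-character set are assumptions of the example, and `change_password` only models the enforce-or-generate decision that the slides attribute to ChangePassword and its Random modifier.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed sample policy of the kind created in the Admin Console or
    Local Login Manager. Fields, defaults and special_chars are assumptions."""
    min_length: int = 12
    max_length: int = 32
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "!#$%&*+-=?@^_"

    def violations(self, password: str) -> List[str]:
        """Names of every rule the password breaks (empty list = compliant);
        this is the check a RestrictVariable-style enforcement would apply."""
        allowed = set(string.ascii_letters + string.digits + self.special_chars)
        counts = {
            "upper": sum(c.isupper() for c in password),
            "lower": sum(c.islower() for c in password),
            "digits": sum(c.isdigit() for c in password),
            "special": sum(c in self.special_chars for c in password),
        }
        broken = []
        if not self.min_length <= len(password) <= self.max_length:
            broken.append("length")
        for name, minimum in (("upper", self.min_upper), ("lower", self.min_lower),
                              ("digits", self.min_digits), ("special", self.min_special)):
            if counts[name] < minimum:
                broken.append(name)
        if any(c not in allowed for c in password):
            broken.append("charset")
        return broken

    def complies(self, password: str) -> bool:
        return not self.violations(password)


def random_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a policy-compliant password (the job of the Random modifier):
    draw the required count from each character class first, fill the rest
    from the full alphabet, then shuffle so class positions are not fixed.
    secrets.SystemRandom draws from the OS CSPRNG, never the default PRNG."""
    length = policy.min_length if length is None else length
    rng = secrets.SystemRandom()
    required = (
        [rng.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
        + [rng.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
        + [rng.choice(string.digits) for _ in range(policy.min_digits)]
        + [rng.choice(policy.special_chars) for _ in range(policy.min_special)]
    )
    if not len(required) <= length <= policy.max_length:
        raise ValueError("requested length cannot satisfy the policy")
    alphabet = string.ascii_letters + string.digits + policy.special_chars
    chars = required + [rng.choice(alphabet) for _ in range(length - len(required))]
    rng.shuffle(chars)
    return "".join(chars)


def change_password(policy: PasswordPolicy, new_password: Optional[str] = None) -> str:
    """Model of ChangePassword: a supplied value is rejected unless it complies
    with the policy; with no value (the Random modifier) one is generated.
    In the slides' flow this runs only after AAVerify has succeeded."""
    if new_password is None:
        return random_password(policy)
    problems = policy.violations(new_password)
    if problems:
        raise ValueError("password violates policy: " + ", ".join(problems))
    return new_password


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(change_password(policy))   # a fresh random, policy-compliant password
    print(policy.violations("short"))  # which rules a weak value breaks
```

The security point the slides make is visible in `change_password`: once the application's stored password is regenerated after every NMAS-verified login, the user never knows it, so it cannot be shared, phished or reused, and the application's own weak username/password prompt is effectively gated by the stronger NMAS method.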

Slide 33: General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.