Thursday, August 14, 2008

Pointsec for PC: WIL vs SSO vs NLA

One of my major projects for the year was leading classes on how to install and administer Pointsec for PC. One of the areas that we always spend a lot of time on is the difference between Windows Integrated Login (WIL) and Single Sign On (SSO). This also leads to quite a bit of discussion on the merits of each option.

Today I was looking at some of the older blog postings and I noticed that a few weeks ago someone had posted a question in the comments section. I'll quote from the comment:
What is your view in the WIL vs. Pre-boot debate? In light of the cold boot and firewire tools recently posted, do you believe Pre-boot is better? Or will it just encourage users to leave their machines turned on to avoid the inconvenince of the pre-boot login?
The answer to this question largely depends on the culture of the organization that you work for and how much power the IT department has in the organization. But before we get into the political side of SSO and WIL, let's talk about the technical merits.

The biggest advantage to using Windows Integrated Login is that you have configured Pointsec to be nearly transparent to the end user. The user will be pleased that he is able to log in at the same screen that he always did using the same password that he always did. There isn't anything new to learn and there aren't any scary screens that he hasn't seen before. However, you're sacrificing security to gain that usability. Consider this, if your computer boots directly into Windows without going through the Pre-Boot authentication then you're opening yourself up to any attack that could penetrate your Windows machine. Time is on your attackers side in this scenario. For example, let's say that I steal your computer and it is configured to use WIL. I might decide to leave it shut down in a drawer for six months to see what vulnerabilities are released. After a really good remote vulnerability is released, I can boot up your computer (which hasn't been patched in six months) and attack it over the network with some newer exploit code. A perfect example is the winlockpwn tool, which takes advantage of firewire's weak security model. Even if a patch were released, I now know that your computer is vulnerable to this attack, so I win.

Single Sign On is much more secure than WIL, but of course security comes at a price. With SSO the computer actually boots into a Pre-Boot Environment, a 32 bit super bare-bones operating system. Once the user has successfully authenticated in the Pre-Boot Environment then Windows is loaded. The security of the Pre-Boot Environment comes from it's stripped down nature. Obviously you can't use Windows exploits against the system because Windows isn't running yet. You can't really use any network attacks against it because the network stack is barely functioning. Firewire isn't active, so you're not going to be using that tactic to get into the system either. Single Sign On also securely caches the credentials that the user logs in with so that he doesn't have to log in twice. All this security comes at a price though. For one thing, you have to make sure that your users don't freak out when they see a new screen to log in to. That means that you're going to have to invest in training. It's also possible for the passwords to fall out of sync, which can be difficult for users to understand. If you change your password from within Windows, then Pointsec will automatically updated the Pre-Boot Environment Password, but if you have your password reset at the server then you still have to log in one time with the old password. Users might not understand that a password reset at the server doesn't magically make it into the Pointsec local database.

Is there a way to strike a balance between these two options? Well, maybe. Network Location Awareness is a feature that was added to Pointsec around version 6.2. The idea behind NLA is that you only need the added protection of the Pre-Boot Envionrment if your laptop is in an unsafe location. So you provide Pointsec with some IP addresses on your local network. When the computer boots Pointsec will attempt to reach these IP addresses, and if it is successful then it will bypass Pre-Boot authentication and load Windows. If not, then the user will have to authenticate in the Pre-Boot Environment.

You of course will have to decide which of these options works best for you. Do you need the enhanced security of SSO? Do your users have enough political power to force you into using WIL? Are they too easily confused to deal with NLA? One thing I've never heard is someone complaining that Pointsec gives you a lack of options.

1 comment:

Nyllet said...

If you judge the two options security wise you should always use the SSO option.

Think about it yourself, in order to boot Windows you need to access data on the hard drive (meaning you can read information on the hard drive without providing any authentication). When using SSO you only access to data within the Pre-boot environment. As long as the users knows what username and password to type in the Pre-boot this isn't stranger then entering the username and password when logging into Windows. However, earlier you had to use a temp user account in order to create different users on different machines, but with the latest version there is a new interesting option for deployment called "User Acquisition" (I mentioned in another comment as well). This allows you to configure the endpoint to use WIL until a user has logged into windows. Then the authentication data is fetched and a Pointsec user with the same username and password is created and WIL can be turned off.

Regarding SSO and how to explain to users why passwords can go out of sync. Start off by explaining how it works in the Windows environment. That all their usernames and passwords (don't fall into the trap here to start explaining password hashes here) resides on a server. When they first log in on the laptop that server will validate their username and password. If they later start their computer without network access they will still be able to log in with their username and password due to the fact that their username and password have been cached locally. So, if helpdesk changes their username and password on the server with their usernames and passwords, if their computer isn't connected to any network they'll still validate their username and password against the locally cached data which means they need to use the old password. The same thing can be said about the pre-boot, it is only a locally cached copy of their last known authentication data and it won't be updated until they have network access again which requires that they have access to their hard drive.