Anyone use usb logon keys?

Guest

Anyone use or have seen the USB logon keys? I am considering them for use
here and need feedback. We aren't a nuclear site or anything. We just have
careless users who leave their machine logged in all the time because they
don't want to remember their strong password. These keys would fix that.
Advice and counsel?
 
Vanguard

Anyone use or have seen the USB logon keys? I am considering them for use
here and need feedback. We aren't a nuclear site or anything. We just have
careless users who leave their machine logged in all the time because they
don't want to remember their strong password. These keys would fix that.
Advice and counsel?


And how do USB keys that have the password recorded on them improve security
or force logoffs? The users will just leave the USB stick in the USB port
all the time. That means they will still always be logged in. That also
means that anyone can come along and grab the USB stick, copy its contents,
and [maybe] return it to hide that they stole the password. As far as
logging them off, why are you pushing a policy which has them forced off
after so many minutes of inactivity?
 
Paul Adare

microsoft.public.windows.server.security news group, Vanguard
And how do USB keys that have the password recorded on them improve security
or force logoffs? The users will just leave the USB stick in the USB port
all the time. That means they will still always be logged in. That also
means that anyone can come along and grab the USB stick, copy its contents,
and [maybe] return it to hide that they stole the password. As far as
logging them off, why are you pushing a policy which has them forced off
after so many minutes of inactivity?

The USB keys being referred to here are USB form factor smart cards (or
some other type of two factor auth like RSA SecurID). They do not
contain passwords and you cannot simply copy off the authentication
mechanism.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
 
G3Sys

Hi,

You could enforce a Group Policy which automatically locks their
machines after a set amount of time inactive (30 minutes?). They then
need to re-enter the password to get back in. Kind of like logging on -
but much quicker.
 
Guest

I'm not logging them off after so many minutes (don't know where that came
from), they leave themselves logged on for days or weeks at a time,
sometimes in a public area.

As far as the USB key goes, I don't mean a USB drive, I mean a USB key.
Significant difference there.

Vanguard said:
And how do USB keys that have the password recorded on them improve
security or force logoffs? The users will just leave the USB stick in the
USB port all the time. That means they will still always be logged in.
That also means that anyone can come along and grab the USB stick, copy
its contents, and [maybe] return it to hide that they stole the password.
As far as logging them off, why are you pushing a policy which has them
forced off after so many minutes of inactivity?
 
Guest

Yes, that's one of them, but I think that is for remote use, and I am looking
for local use.
Do you have any experience with these? Or other types?
Are they only for the rich and famous or can mere mortals afford these
things?

Paul Adare said:
The USB keys being referred to here are USB form factor smart cards (or
some other type of two factor auth like RSA SecurID). They do not
contain passwords and you cannot simply copy off the authentication
mechanism.

 
Guest

Yes, but that's gonna tick them off more. If the key is on their car keys then
they will take them home and also not leave their keys laying around. A form
of social engineering I suppose.
 
Kerry Brown

Anyone use or have seen the USB logon keys? I am considering them for
use here and need feedback. We aren't a nuclear site or anything. We
just have careless users who leave their machine logged in all the
time because they don't want to remember their strong password. These
keys would fix that. Advice and counsel?

I have one customer using smart card readers connected to a serial port. The
users were losing/misplacing the cards or merely forgetting them in their
other purse/pocket etc. Management didn't like the hassle of getting new
cards and of employees borrowing other users' cards to log on. The employees
started leaving the card in the reader all the time so it was next to
useless as a security feature. They have quit using them except for access
to payroll data, with only three users in the same office currently using
them. Unless you have a workaround in place for someone who shows up without
one, my experience is they are only useful where very high security is needed
and enforced.

Kerry
 
Vanguard

Yes, but that's gonna tick them off more. If the key is on their car keys
then they will take them home and also not leave their keys laying around.
A form of social engineering I suppose.


You're weird. My car keys are not welded together (to each other or to my
other keys). It's real easy to slide off a car from the ring. In fact, you
can buy those little disconnectable rings so, for example, you could start
your car and leave it running but lock the doors so you can sit inside while
your car warms up.

If you want to enforce a policy, then push policies.
 
G3Sys

Sorry,

Just thought of that as an idea for securing the computer if they leave
themselves logged in (I thought that was the issue?). It doesn't log
them off - just locks the machine.

I'm not logging them off after so many minutes (don't know where that came
from), they leave themselves logged on for days or weeks at a time,
sometimes in a public area.

As far as the USB key goes, I don't mean a USB drive, I mean a USB key.
Significant difference there.

 
Guest

thanks for your help

Vanguard said:
You're weird. My car keys are not welded together (to each other or to my
other keys). It's real easy to slide off a car from the ring. In fact,
you can buy those little disconnectable rings so, for example, you could
start your car and leave it running but lock the doors so you can sit
inside while your car warms up.

If you want to enforce a policy, then push policies.
 
Guest

No problem.
I have seen these things around somewhere and just got a quote from SecurID
for about $200+ per user. I guess that pretty much settles that issue for me
at least.

G3Sys said:
Sorry,

Just thought of that as an idea for securing the computer if they leave
themselves logged in (I thought that was the issue?). It doesn't log
them off - just locks the machine.

 
Guest

I imagine I would face the same issue. Alas, since the users don't bear the
responsibility, there is no real solution I guess. Thanks for the feedback.
 
Kerry Brown

The best option I've found is a carefully thought out OU and security group
structure with group policies defining what is needed for passwords and NTFS
permissions restricting access to sensitive shares for groups that don't
need strong passwords. Combined with a strictly enforced company policy
manual it's the best option I've found. There has to be an escalating series
of consequences for people who bypass company policy. Here are some links to
some possible solutions but they all have some compromises.

http://support.microsoft.com/default.aspx?scid=kb;en-us;314999&sd=tech

http://www.microsoft.com/technet/pr...elp/d911f5f4-7469-4f44-8fde-ff8b1ed87ab6.mspx

http://windowsxp.mvps.org/winexit.htm

http://www.windowsitpro.com/Windows/Article/ArticleID/9676/9676.html

Kerry
 
Guest

Thanks for the links, I'll look into them.

 
Roger Abell [MVP]

You would still end up with a higher cost "solution" that does
not solve the problem you have stated - people walking away
and leaving their machines logged in and available for use.
For that you should, as has been stated, use policy.
Not only should you be using the GPO policies to lock up
machines after a short time of inactivity, but you should also
address this with employee policy stating acceptable computer
usage. Even with a form of smart card login, with the policy
defined to log the user off with the card removed, you will
need employee policy to enforce upon them that they must
remove the card when not present.

Yes, that's one of them, but I think that is for remote use, and I am
looking for local use.
Do you have any experience with these? Or other types?
Are they only for the rich and famous or can mere mortals afford these
things?

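Added example (not part of any post in this thread): a read-only PowerShell audit of the two settings recommended above, the inactivity lock and the smart card removal behavior. It assumes the settings are delivered by Group Policy and so appear in the usual policy registry locations; the 30-minute ceiling is the figure suggested earlier in the thread, and the function names are made up for this sketch. The smart card row only matters where smart card logon is actually in use.

```powershell
# Added example: read-only audit of the lock settings discussed in this thread.
# The 30-minute ceiling is the figure floated in the thread; adjust to your policy.
$MaxIdleSeconds = 30 * 60

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LockPolicy {
    param([int]$MaxIdle = $MaxIdleSeconds)

    # Per-user screen saver policy settings are written here by Group Policy.
    $desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # "Interactive logon: Smart card removal behavior" is written here.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $active  = Get-RegValue $desktop  'ScreenSaveActive'
    $secure  = Get-RegValue $desktop  'ScreenSaverIsSecure'
    $timeout = Get-RegValue $desktop  'ScreenSaveTimeOut'   # seconds
    $scOpt   = Get-RegValue $winlogon 'ScRemoveOption'

    # A missing or non-numeric timeout fails the check instead of throwing.
    $secs = 0
    $timeoutOk = [int]::TryParse("$timeout", [ref]$secs) -and
                 ($secs -gt 0) -and ($secs -le $MaxIdle)

    $scText = @{ '0' = 'no action'; '1' = 'lock workstation'
                 '2' = 'force logoff'; '3' = 'disconnect remote session' }
    $scShown = if ($null -eq $scOpt) { 'not configured (no action)' } else { $scText["$scOpt"] }

    @(
        [pscustomobject]@{ Check = 'Screen saver enabled by policy'
                           Value = $active;  Pass = ($active -eq '1') }
        [pscustomobject]@{ Check = 'Password required on resume'
                           Value = $secure;  Pass = ($secure -eq '1') }
        [pscustomobject]@{ Check = "Idle timeout set and <= $MaxIdle s"
                           Value = $timeout; Pass = $timeoutOk }
        [pscustomobject]@{ Check = 'Smart card removal locks or logs off'
                           Value = $scShown; Pass = ($scOpt -in '1', '2', '3') }
    )
}

Test-LockPolicy | Format-Table -AutoSize
```

A blank Value means the setting is not configured by policy for the account running the script, which is the state the original poster's users are effectively in.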
 
Will

If you are going to use an insecure method like a USB key, a method that is
more convenient and at least a little bit more secure is to use a proximity
sensor tied to the same HID badge used for physical access to the building.
You can be sure no user is going to walk anywhere without the HID badge in
his wallet or around her neck. When the user walks away from the terminal,
the screensaver almost immediately takes hold, and when the user returns,
the screensaver goes off on its own simply because of the proximity sensor
picking up the presence of the badge.

http://www.honeywellaccess.com/products/readers/log/18597.html

I would get interested in something like this if they would combine it with
a biometric sensor. The odds that someone could both steal your card
without you detecting it quickly and also fake your fingerprint would be
extremely slim. Unless you are in a very high security environment,
something that combines a physical token that is sensed by proximity with a
personal identifier is probably a reasonable combination of convenience and
security.
 
Paul Adare

microsoft.public.windows.server.security news group, Will <westes-
(e-mail address removed)> says...
If you are going to use an insecure method like a USB key,

Sorry, but a USB two factor authentication device is not an "insecure
method" and I really don't understand why you feel that they are not
secure. They are just as secure as smart cards, in fact, they are smart
cards in a different form factor.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Ca·nadi·an (k-nd-n) adj. & n.
n: An educated, unarmed American with health care.
 
Will

The original poster said nothing about two factor authentication. He was
proposing a USB key. Obviously end users will just leave those in the
computer 100% of the time and the result is not a secure entry to the
computer.

The nice thing about the proximity sensor is that the employee will
certainly remove the HID card when he leaves the computer because he won't
be able to move around if he leaves it in the computer. And a proximity
sensor is slightly more convenient than inserting a card.
 
Paul Adare

microsoft.public.windows.server.security news group, Will <westes-
(e-mail address removed)> says...
The original poster said nothing about two factor authentication. He was
proposing a USB key. Obviously end users will just leave those in the
computer 100% of the time and the result is not a secure entry to the
computer.

Exactly how would you propose to use a USB device to log onto a computer
if it isn't a two-factor auth device? That's exactly what the OP was
referring to. You can't use a USB memory device to log on to a computer,
they are simply storage devices.

What exactly do you think was being referred to in this thread?

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Ca·nadi·an (k-nd-n) adj. & n.
n: An educated, unarmed American with health care.
 
