privilege timeout

Guest

I am trying to configure a handful of Windows file servers to timeout user
connections (like mapped drives) after a certain amount of idle time and make
the user reauthenticate after that time is up. This is trying to mitigate the
problem where a user authenticates to a sensitive file server and then walks
away from the computer. I do not want to have their computer automatically
lock itself...I just want that session to the sensitive file server to
timeout and require reauthentication.

My first thought was to have the user's Kerberos tickets expire if they're
logged on as a domain user. I was able to change the domain GPO to
successfully get the tickets expiring; however, the session tickets were
automatically reissued if the user tried to connect to the same file server
after the ticket expired. Is this due to any sort of credential caching
that can be disabled? (sort of like q299656, perhaps?) Again, my goal is to
have these session tickets expire and make the user reauthenticate to
generate them again, but I do not want the user to get logged out of their
local domain login session.

If the above problem could be solved, that would at least solve some of my
problems. However, my corporation needs to be able to support employees
accessing these file servers from personal laptops that are not part of the
domain, either locally or remotely through VPN. I understand that in these
cases NTLMv2 is used instead of Kerberos for authentication. Is there any way
to get Kerberos authentication to work in these situations (the user is
logging on from a non-domain computer, though they will authenticate using
their domain user account) using either built-in Windows Kerberos support or
some third-party option (MIT's Leash, for example)? If not, is there any way
to get sessions authenticated using NTLMv2 to time out and require
reauthentication?

Thanks in advance for your help!

Chris
Doug Frisk

Chris said:
I am trying to configure a handful of Windows file servers to timeout user
connections (like mapped drives) after a certain amount of idle time and make
the user reauthenticate after that time is up. This is trying to mitigate the
problem where a user authenticates to a sensitive file server and then walks
away from the computer. I do not want to have their computer automatically
lock itself...I just want that session to the sensitive file server to
timeout and require reauthentication.

I see no point in what you're attempting to accomplish. You can tweak the
TCP parameters to cause the TCP session to time out, but when someone,
*anyone*, sits down at the client and attempts to access that timed-out
session, the client will transparently reconnect using the same credentials
it had.

Yes, *at the server* the client will be re-authenticated, but at the client
the cached credential information is still there.
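An added example, not posted by anyone in this thread: a PowerShell script run on the file server that shows the server-side idle disconnect setting, which SMB sessions have gone idle, and the transparent re-authentications Doug describes (4624 network logons for the account, split by Kerberos versus NTLM package, which also bears on Chris's NTLMv2 question). It assumes Windows Server 2012 or later with the SmbShare module, newer than the systems the thread discusses; the account name and idle threshold are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ with the
# SmbShare module and an elevated PowerShell session on the file server.
param(
    [int]$IdleMinutes = 15,            # threshold for "user walked away"
    [string]$User = 'CONTOSO\jdoe'     # placeholder account to trace
)

# 1. Server-side idle disconnect (the SMB-level equivalent of the TCP tweak
#    Doug mentions). It only tears down the SMB session; the client still
#    holds its TGT / cached credentials and will reconnect without prompting.
$cfg = Get-SmbServerConfiguration
"AutoDisconnectTimeout (minutes): $($cfg.AutoDisconnectTimeout)"

# 2. Sessions idle longer than the threshold: the cases the poster worries about.
Get-SmbSession |
    Where-Object { $_.SecondsIdle -ge ($IdleMinutes * 60) } |
    Select-Object ClientComputerName, ClientUserName,
                  @{n='IdleMin'; e={[int]($_.SecondsIdle / 60)}},
                  @{n='AgeMin';  e={[int]($_.SecondsExist / 60)}} |
    Format-Table -AutoSize

# 3. Evidence of the transparent reconnect: every re-authentication is a
#    network logon (event 4624, logon type 3) for the same account with no
#    user interaction in between. Collect the last 24 hours of them.
$since  = (Get-Date).AddHours(-24)
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.LogonType -eq '3' -and
            "$($d.TargetDomainName)\$($d.TargetUserName)" -ieq $User) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Package = $d.AuthenticationPackageName   # Kerberos or NTLM
                From    = $d.IpAddress
            }
        }
    }

"Network logons for $User since $since : $($logons.Count)"
$logons | Group-Object Package | Select-Object Name, Count   # Kerberos vs NTLM
$logons | Sort-Object Time | Format-Table -AutoSize
```

A burst of type-3 logons for one account shortly after each idle disconnect, with nobody at the keyboard, is the behaviour Doug describes; NTLM entries mark the non-domain-joined clients Chris asks about.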
Ryan Hanisco

What you are trying to do is duplicate the functionality of a security or
document management system. You can't expect the OS to do absolutely
everything. You'll either need to write a program or invest in a DMS.
Roger Abell

In addition to both valid responses so far, I believe that
you should address with those specifying this requirement
that it is, although not totally useless, window-dressing of
sorts. The client machine security, and/or digital rights
constraints on the documents, should be addressed.
You can go through hoops trying to effect the object of your
initial posting but still have not addressed the fact that they
can copy all docs to which they have access onto their
desktop/laptop and then walk off leaving that client and
the sensitive docs available to those that walk past.
Doug Frisk

Roger Abell said:
In addition to both valid responses so far, I believe that
you should address with those specifying this requirement
that it is, although not totally useless, window-dressing of
sorts. The client machine security, and/or digital rights
constraints on the documents, should be addressed.
You can go through hoops trying to effect the object of your
initial posting but still have not addressed the fact that they
can copy all docs to which they have access onto their
desktop/laptop and then walk off leaving that client and
the sensitive docs available to those that walk past.

Ohh, good thinking. Rights management:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
Roger Abell

Doug Frisk said:
Roger Abell said:
In addition to both valid responses so far, I believe that
you should address with those specifying this requirement
that it is, although not totally useless, window-dressing of
sorts. The client machine security, and/or digital rights
constraints on the documents, should be addressed.
You can go through hoops trying to effect the object of your
initial posting but still have not addressed the fact that they
can copy all docs to which they have access onto their
desktop/laptop and then walk off leaving that client and
the sensitive docs available to those that walk past.

Ohh, good thinking. Rights management:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

Hi Doug (long time since I was an MCT...)

Right on. Digital rights management systems are a solution
currently in search of adopters, but one which addresses
a very real set of needs not easily otherwise satisfied.