Archive for the ‘Identity and Access’ Category
Posted by BPuhl on October 15, 2010
Ken posted a great article about how to configure OWA for ADFS authentication: http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html
Posted by BPuhl on October 14, 2010
I often talk about my perspective that AD is a great publishing engine, but that it should not be authoritative for anything. Any mission critical data should be mastered outside of AD, and then sync’d into the directory to be published/consumed.
The problem with this is when you have services which source their information in AD directly, but that data is still mission critical. One example of this would be BitLocker Drive Encryption recovery keys. The BDE service on clients will write its recovery keys directly into AD.
Before MSIT broadly deployed BitLocker, we worked with an internal team to build a solution for finding new BDE recovery keys, and copying them out of AD into an external store. We even went a step further, and put some self-service recovery options in front of that store.
I’m happy to see that MSIT was able to publish this solution out to Codeplex, so we can share it with everyone.
If you’ve got BitLocker deployed in your environment, but are ONLY storing the recovery keys in AD – you may want to take a look.
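The core of the solution described above is a job that finds recovery information the BDE client has written into AD since the last run and hands it to an external store. The script below is an added illustration of that step, written for this page; it is not the MSIT/Codeplex tool. It assumes the ActiveDirectory module (RSAT) and read rights on msFVE-RecoveryInformation objects; the watermark and export paths are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the MSIT/Codeplex tool the post refers to. Finds BitLocker
# recovery information created in AD since the last run and exports it for an
# external store to ingest. The class and attribute names are the real AD schema
# items BDE uses; the two paths below are assumptions.
param(
    [string]$SearchBase    = (Get-ADDomain).DistinguishedName,            # assumption: scan the whole domain
    [string]$WatermarkPath = "$env:ProgramData\BdeEscrow\watermark.txt",  # hypothetical path
    [string]$ExportPath    = "$env:ProgramData\BdeEscrow\new-keys.csv"    # hypothetical path
)

New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null

# Only objects created after the previous successful run are interesting.
$since = [datetime]'1601-01-01'
if (Test-Path $WatermarkPath) {
    $since = [datetime]::Parse((Get-Content $WatermarkPath -Raw).Trim())
}
$runStarted = Get-Date

# BDE stores each recovery password as a child object of the computer account,
# of class msFVE-RecoveryInformation; whenCreated tells new ones from old ones.
$newKeys = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -Filter { objectClass -eq "msFVE-RecoveryInformation" -and whenCreated -gt $since } `
    -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, msFVE-RecoveryPassword, whenCreated

$records = foreach ($key in $newKeys) {
    # The parent of the recovery object is the computer; strip the first RDN to reach it.
    $computerDn = $key.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    [pscustomobject]@{
        Computer         = (Get-ADComputer -Identity $computerDn).Name
        # The GUID attributes come back as octet strings (byte arrays).
        RecoveryKeyId    = (New-Object System.Guid (,[byte[]]$key.'msFVE-RecoveryGuid')).ToString()
        VolumeId         = (New-Object System.Guid (,[byte[]]$key.'msFVE-VolumeGuid')).ToString()
        RecoveryPassword = $key.'msFVE-RecoveryPassword'
        CreatedUtc       = $key.whenCreated.ToUniversalTime().ToString('o')
    }
}

if ($records) {
    $records | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8
}

# Advance the watermark only after the export succeeded, so a failed run is retried
# rather than silently skipping keys.
Set-Content -Path $WatermarkPath -Value $runStarted.ToString('o')
Write-Host ("Exported {0} new recovery key(s) created after {1}" -f @($records).Count, $since)
```

The watermark is what makes this an incremental sync rather than a full dump every time: a key written between two runs is picked up exactly once, and a failed export leaves the watermark where it was. The CSV is only a hand-off format for the external store; it carries plaintext recovery passwords, so it belongs on a volume with an ACL as tight as the store itself and should be deleted once ingested.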
Posted by BPuhl on May 5, 2010
Released To Web:
Posted by BPuhl on February 13, 2010
At least let it be a good password: http://www.cxo.eu.com/news/password-protected/
Posted by BPuhl on January 20, 2010
Read an interesting article at http://redtape.msnbc.com/2008/08/almost-everyone.html on the issues/weaknesses of password recovery schemes.
Most everyone remembers when Sarah Palin’s Yahoo mail account was hacked, because her password recovery questions were easily discoverable. One thing that I thought was interesting in the article though, was the idea of a “black market” for personal information – let me go buy a profile to find out the name of your dog, your favorite restaurant, etc… How would people come up with this information in the first place, are there secret spies in black trench coats following everyone around taking notes on everything they do? I have no idea…
…in other seemingly unrelated news – has anyone else taken all those funny Facebook quizzes where you answer questions about yourself, and they tell you how long you’re going to live, what your zodiac sign means, and things about your shopping habits and sexuality that you never even realized you knew? There’s got to be a thousand of those things out there… I’m sure glad that Facebook is much safer than the dangerous “internet”!
Posted by BPuhl on December 29, 2009
For a moment though, let’s say that you’ve already sold your management on the benefits of identity federation, and have deployed the infrastructure, and are rockin’ and rollin’ with SSO. It’s time to sit back and relax, comfortable in the knowledge that your users’ passwords are securely locked inside your directory, so your enterprise is “safe” right? Uhmm, maybe not. Go grab your local CISSP and ask them when the enterprise is safe, and they’ll spout a bunch of stuff about risk management, defense in depth, and mitigating controls such as firewalls, virus scanners, and yes – your identity system & passwords. If you dig in though, they often aren’t talking about protecting the “enterprise” – because that’s sort of an ambiguous amalgamation of many things – one of which is “enterprise data”.
Enter the cloud. Do you care about applications moving to the cloud? Absolutely (so does your CxO by the way)! Do you care about how users are getting to that data? Of course, as Patrick, Pamela, and others point out – it’s critical to ensure the identity of your users. But we also have to be concerned about the data that resides in the cloud, and what that means to the rest of the enterprise. Quick illustration:
Cloud Collaboration Vendor: Move your data to my service, and I’ll save you bazillions of dollars over your on-premise suite, plus I’ll give you these value added features like letting your users view their data directly through my service from anywhere (without having to download everything locally), powerful indexing, blah, blah, blah…
CIO: Ok, so let me play back to you what I heard, “I sign here, my users quit complaining about our VPN solution AND you save me bazillions of dollars” – GREAT! Go work with my team and make it so…
CCV: Ok IT guys – your CIO has signed off, now here’s the migration plan: Train your users, copy the data, and…oh yeah – we need the private key that you used to encrypt any of that data so we can index it and decrypt it for your users when they ask…
IT Guy: Como say WHAT?!? That’s the key we use to encrypt ALL of our enterprise data, not just the stuff we’re hosting with you
Does your business require data encryption for some things, like high-business-impact data? If so, how do you reconcile this with pushing the data out to a cloud service? Or do you not? How many instances of your data protection infrastructure do you have (is there more than one key?) Does your vendor support data encryption at all, and if so – do they use their keys or is there a dependency on your service? In my experience, most cloud services are loath to take too many dependencies on customer infrastructure; SLA discussions become big finger-pointing exercises.
Back to data encryption though. The conversation becomes even tougher when you start to talk about the “cross-premise” scenario, which is where you maintain a set of infrastructure on-premise, and host the rest of it in the cloud. I should be able to protect my on-premise data – that a vendor should never have access to anyway – from the vendor, right? Of course I should – so I need to have data protection FOR the vendor, and data protection FROM the vendor.
In this thought exercise, there is an interesting tension about “who” you are protecting the data from. In the on-premise world, the reason you protect data is so outsiders (and even some insiders) can’t get to it. Where on the scale of trusted entities does your vendor fall? Even if you’ve done your due diligence, and funded new Ferraris for an army of lawyers, what data do you give access to? Let’s assume you give your vendor access to all the data that is “relevant to their service”, so the vendor can decrypt any data which is hosted in their site. What’s the process for re-encrypting the data in the case of a breach, either of the on-premise key or of the cloud key? Oftentimes this is a herculean task, which requires knowing/finding all of the encrypted data, and then re-encrypting it with a new key.
If you decide to cancel your contract with a vendor – is that roughly equivalent to a compromise of the key? Everyone I talk to says yes, that somebody with protected content and the ability to decrypt it, who is not authorized to do so – is a security problem. As far as I can see, this is going to need to be something that the lawyers cover, otherwise the off-boarding costs of a vendor skyrocket.
These are just a few, there are a bunch of hard questions when it comes to the cloud – which is what makes this space so much fun! – I don’t have all the answers. Here in MSIT, where we classify and encrypt A LOT of data, we’re having conversations with everyone, business owners, security folks, lawyers. I can’t say we always tread carefully, sometimes we just “go for it”, but when it comes to adopting cloud services, we’re looking hard as we’re taking the next step, and part of that is how we protect our enterprise data IN the cloud, as well as FROM the cloud.
Posted by BPuhl on June 10, 2009
If you use Facebook, you might notice a box when you log in that says beginning June 12th, Facebook will allow registration of user names. If you “click here” to have them send more info, you’ll receive this in your registered email inbox:
Starting on Friday, June 12th, at 9:01pm, you’ll be able to choose a username for your Facebook account to easily direct friends, family, and coworkers to your profile.
To select your username, visit the link below after 9:01pm on June 12th:
To learn more about usernames, visit the Help Center:
The Facebook Team
So what does this mean? Well, for one thing, it means that if you’ve got a common name – or – if you’re like me, and you KNOW that there’s someone else on Facebook with the same name (since he and I are actually friends on Facebook), then it means that you want to “claim” your user name as soon as the application opens.
I did see an interesting article here http://www.huffingtonpost.com/jonathan-handel/trademark-protection-and_b_213756.html about trademark registrations and how Facebook intends to handle squatters. So don’t bother trying to register facebook.com/McDonalds, you won’t have it for long if you do.
I like the very last part of that article though. There is already a recommendation for what to do, if somebody maliciously claims not only your trademark, but also fills out the forms sufficiently such that you (the legitimate owner of the trademark) actually can’t use the automation to claim it back.
Oh how much fun Identity Management can be :)
Posted by BPuhl on April 27, 2009
A new whitepaper has been published providing the guidance you need to deploy Active Directory, and specifically RODCs, in a “Perimeter Network” (the network segment formerly known as DMZ).
I know that a lot of folks have come to me, asking for help/guidance on putting RODCs into the DMZ rather than putting full DCs or having a separate forest. This should provide the information you need to keep safe, secure, and most of all…functional.
Some of the topics include:
• Security considerations and configurations for RODCs in the DMZ
• Network configurations for RODCs
• Application compatibility with RODCs in the DMZ
• Step by step instructions and a sample script to help perform domain join using RODCs
Brandon pointed out to me, that the doc is nice, but having a downloadable version would be much nicer. We fired off a quick mail, and there will be a downloadable version of the document in the download center in the near future.
Posted by BPuhl on April 10, 2009
I have had a few discussions recently at work about ways to make things more convenient. Either convenient for our users (cloud services), convenient for our customers (single sign on), etc…
But a one-two punch hit me, when I just had 2 close friends – both of whom have been impacted by the financial mess – have their identity attacked because something that had built in security controls (checks) was made to be more convenient (by phone), and in the process all of the controls were removed so my friends were vulnerable.
Really, I call it fraud, or identity theft, or just plain robbery… But in both cases, the banks say that there are no laws against this:
My friend lost her job, and fell behind on payments. She owed $1100 for this month’s rent, $4400 to a creditor that by this point had gone to a collection agency, and some other bills (credit cards, gas, electricity, etc…). Through creative budgeting and working with parents, friends, and anyone else, she scraped together $5000 that she could use.
With the new money available, she came up with the following plan:
$1100 for rent
900 for the other bills
500 to the collection agency
The rest to be used for the following month’s rent, payments, etc…
She called the collection agency, and agreed to pay them $500 now, and then set up a payment plan for the rest of the money. That’s where the first mistake happened: They wanted the payment as a “check by phone”. So she voided a check, gave them the info, etc…
The collection agency first attempted to clear the check for the full $4400. Because the money was in the account, the check cleared – of course, this meant that she couldn’t pay any of the other bills, or her rent, etc… And she had already tapped out her friends, parents, etc…
You can imagine that the calls to the collection agency were like: “Sorry, sucks to be you – we’ve got our money now”
The bank was equally useless: “You gave them a check by phone, the money was in the account, they cleared it…Sucks to be you”
This was just completely ridiculous, but it shows that in the absence of standards or protocols, there is no shortage of people that will offer things for the sake of “convenience” which blow the hell out of “security”. If you have to write a check and sign it, then you fill in the amount, etc… modification of that is check fraud. But those security controls went out the window when banks allowed people to do “checks by phone”, and there is absolutely nothing to prevent unscrupulous people from raping your bank account if you give them the information.
The second case is similar, but with a slight twist.
My friend has slowly but surely been paying off debts that were racked up over a period of time, and has been working through one of those debt consolidation management companies. Since she wasn’t getting the resolution that she needed from the company, she took back the money that was in their escrow account and started working with the collection agency independently.
On the first phone call, she had a $7,000 debt and worked with the agency to negotiate down to where they would accept $4300. Seems like a good deal, so again, check by phone for $4300.
A couple of days later, she received a notice from the collection agency, indicating that they “Had an agreement for an initial payment of $4300”. In other words, the deal they made on the phone was a lie, instead of negotiating the total, they just wanted an initial payment and were going to keep going after her for the remaining balance.
Ahhh…but the check by phone hadn’t cleared yet.
So a quick call to the bank, a $28.00 stop payment charge, and there was a stop-payment for that check before it cleared.
Not so much. 2 days later, $4300 was withdrawn from the account anyway, by check #1001 (not the check number she gave them). A long, convoluted, multi-transfer call back with the bank this time, and they could see where the initial check number had attempted to clear, been rejected (the stop payment), and then the company had re-submitted another check by phone with the different check number and got the money.
After several days of arguing, it’s still unclear whether the bank is going to say “Sorry, sux to be you” or if they are actually going to help. I’m not holding my breath.
So again, the safety features around checks – being numbered, signed, amounts written (twice) – are all placed into the trusting hands of the least trustworthy person (the merchant that wants your money), and there is remarkably little recourse. I suppose you could go get a lawyer, etc… But during that time the money is gone, life still needs to be lived, and a lawyer is going to take 30% of whatever you get back anyway (or some amount of payment)…
All for the sake of convenience (to whom?)
There are better ways, one of which I really like. I’ve had a credit card with CitiBank since college. And many years ago, they came up with this idea of virtual account numbers for your credit card. You can go to their website (or they have a downloadable application), and if you want to make a purchase, you can get a one-time use credit card number (with expiration and CVC) for that one purchase. I haven’t used it in a while, but IIRC you can even specify the amount of the purchase you’re going to make (which is really the protection). This is great, because the security of a credit card is handing the piece of plastic with the signature on the back to the person behind the register. With online purchases, you can’t do that, so instead let’s take the things which you can control (amount of purchase, usefulness of the number after it’s been used properly) and control those instead. Reasonable mitigations.
This is the type of control that we’re going to need if we want to protect our resources in a more “convenient” (read: Online) world.
Posted by BPuhl on April 9, 2009
At The Experts Conference in Las Vegas this year, Stuart threw out the challenge to the DS MVP’s to come up with their list of changes they would like to see in Active Directory, but put it to the tune of an Elvis song. After a midnight (mildly inebriated) recording session, and some fancy editing by the Quest Software production staff, here’s the result!