One of the biggest issues with full disk encryption and pre-boot authentication is the management of multiple users. We need a little explanation to understand why this becomes an issue. In the scenario where a PC has full disk encryption with pre-boot authentication: at the pre-boot authentication stage the computer does not have access to anything (the operating system, the network, the directory). The PC has no way of checking with other systems, such as Active Directory, to determine whether users have credentials to log on to the computer.
The encryption software itself must manage who has access to pass pre-boot authentication. And then…when a user changes their password on one computer and goes to use another computer, will the encryption solution realize the user’s password has changed? The encryption solution must be able to handle this on its own as well.
This becomes a huge differentiator among encryption vendors. Remember that all vendors will tell you they handle multiple users on computers but the key piece is HOW they do it! Please take the time to understand the information below.
First of all, we haven’t talked about authentication modes yet, but we need a real quick primer. Since we have both pre-boot authentication and your normal operating system/domain authentication, encryption solutions offer various authentication modes.
For the purposes of this post we are using Single Sign On, which basically synchronizes the pre-boot authentication and the OS/domain authentication: when you enter your OS/domain password at pre-boot authentication you are automatically logged on to your OS as well. Pretty much all of our customers use Single Sign On because otherwise users would have to remember 2 passwords and they have a tough enough time with 1.
Some of the multiple user issues discussed below can be eased by not using Single Sign On… although customers rarely choose to separate the pre-boot and OS authentication and there are some other considerations with this. We’ll get more in depth with Authentication Modes soon. OK…Primer done.
Most encryption solutions fall into three buckets when we talk about handling multiple users. We’ll start with the not so good and work up to a solid solution.
The Not So Good Way
Some encryption solutions don’t use central management, policies or directory integration to handle multiple users. They assign an owner to the device and the process for adding additional users to the device is a manual process controlled by the “owner”… who is an end user.
Yikes…this has trouble written all over it. From a user perspective the owner of the laptop has to now control and add users to their computer which causes the user a bit of a headache and is going to generate helpdesk calls. From a management perspective this is not a secured, controlled situation.
You can imagine that in the real world this isn’t a very workable solution and can cause big headaches in an environment. All I will say is if you choose this method … good luck to you. Oh yeah…and these solutions will not recognize that a user has changed their password on another computer so here comes another helpdesk call.
Getting Better…
Some solutions use their central management to control the users of computers through policies but do not have directory integration, or that integration does not pull the necessary information. It needs to pull user and group information or you will not be able to effectively manage multiple users.
They sometimes employ the use of “Temp” accounts that you can include in your policies to get around the lack of strong policies and directory integration. Users can log on using a temp account and then that temp account converts itself to become the user’s account on that computer.
It is an interesting way of doing it, but then you have to remember the temp accounts and temp passwords used on each computer or policy. These solutions generally lack directory integration and policy management and will not recognize that a user has changed their password on another computer. So, definitely not quite the ideal situation, but it is more workable than our first option.
A Good Solution
By far the most effective way to handle multiple users on computers is by using central management, granular policies and full directory integration together…imagine that.
The solutions I like the most are capable of doing this. First we need directory integration that will pull all of our user and group information into our encryption central management. Integrating with the directory and actually being able to pull useful information is critical when managing multiple users. Then just as importantly, we need to be able to have granular policy control so we can control which users and groups should have access to which devices through policy.
Finally we need a way to handle users changing passwords in an environment. This also comes down to strong policies. A good solution will recognize that a user changed their domain password on computer A. Then strong policies will automatically tell the other computers the user is allowed to use that the password for that user has changed. With good directory integration and granular policy control we have pretty much resolved the issues that surround multiple users when using full disk encryption and pre-boot authentication.
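To make the “good solution” concrete, here is a small added model (example code written for this post, not any vendor’s product) of the three pieces working together: a directory stand-in that supplies users and group membership, a policy that maps groups to devices, and a central management component that provisions each device’s pre-boot store and re-syncs it when a user’s password changes. All users, groups and device names are constructed, and the pre-boot store holds only a salted PBKDF2 verifier, since pre-boot has no network and must check the password offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample directory data: what directory integration would pull
# from Active Directory (group -> members).
DIRECTORY_GROUPS = {
    "Finance": {"alice", "bob"},
    "IT-Support": {"carol"},
}

# Constructed policy: device -> directory groups allowed to pass pre-boot.
POLICY = {
    "LAPTOP-FIN-01": {"Finance", "IT-Support"},
    "LAPTOP-FIN-02": {"Finance", "IT-Support"},
    "LAPTOP-IT-01": {"IT-Support"},
}

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def make_verifier(password: str, salt: bytes) -> bytes:
    """Password verifier the pre-boot environment can check with no network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    name: str
    # user -> (salt, verifier): the only credential data pre-boot has access to
    preboot_users: dict = field(default_factory=dict)

    def preboot_login(self, user: str, password: str) -> bool:
        entry = self.preboot_users.get(user)
        if entry is None:
            return False  # policy never provisioned this user on this device
        salt, stored = entry
        return hmac.compare_digest(make_verifier(password, salt), stored)


class CentralManagement:
    """Holds directory data, policy, and the current verifier for each user."""

    def __init__(self, groups: dict, policy: dict):
        self.groups = {g: set(m) for g, m in groups.items()}
        self.policy = policy
        self.devices = {name: Device(name) for name in policy}
        self.credentials = {}  # user -> (salt, verifier)

    def allowed_users(self, device_name: str) -> set:
        members = [self.groups.get(g, set()) for g in self.policy[device_name]]
        return set().union(*members)

    def sync(self) -> None:
        """Apply policy to every device: provision allowed users with their
        current verifier and drop anyone the policy no longer allows."""
        for dev in self.devices.values():
            allowed = self.allowed_users(dev.name)
            dev.preboot_users = {
                u: self.credentials[u] for u in allowed if u in self.credentials
            }

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[user] = (salt, make_verifier(password, salt))
        self.sync()

    def password_changed_on(self, device_name: str, user: str, new_password: str) -> None:
        """The agent on `device_name` reports a domain password change (SSO);
        central management records it and re-syncs every device the user may use."""
        if user not in self.devices[device_name].preboot_users:
            raise ValueError(f"{user} is not provisioned on {device_name}")
        self.set_password(user, new_password)

    def remove_from_group(self, group: str, user: str) -> None:
        """Directory change (user left a group): the next sync removes them
        from every device whose policy relied on that group."""
        self.groups[group].discard(user)
        self.sync()


def demo() -> dict:
    cm = CentralManagement(DIRECTORY_GROUPS, POLICY)
    cm.set_password("alice", "Winter2009!")
    cm.set_password("bob", "bobpass1")
    cm.set_password("carol", "helpdesk!")
    fin1, fin2, it1 = (cm.devices[n] for n in ("LAPTOP-FIN-01", "LAPTOP-FIN-02", "LAPTOP-IT-01"))
    out = {}
    out["alice_on_fin2"] = fin2.preboot_login("alice", "Winter2009!")  # policy allows Finance
    out["alice_on_it1"] = it1.preboot_login("alice", "Winter2009!")    # policy does not
    # alice changes her domain password while on FIN-01; the SSO agent reports it
    cm.password_changed_on("LAPTOP-FIN-01", "alice", "Spring2010!")
    out["fin2_old_password"] = fin2.preboot_login("alice", "Winter2009!")
    out["fin2_new_password"] = fin2.preboot_login("alice", "Spring2010!")
    # bob leaves the Finance group; policy-driven sync revokes his pre-boot access
    cm.remove_from_group("Finance", "bob")
    out["bob_after_group_change"] = fin1.preboot_login("bob", "bobpass1")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is where the decisions live: the device never decides on its own who may log on, it only verifies what central management pushed to it, and a password change or group change on the directory side becomes a re-sync rather than a helpdesk call. A real product adds transport security between agent and server and a key hierarchy that unlocks the disk key from the verified credential, neither of which this toy shows.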
I hope you are starting to see how choosing the right solution makes all the difference. As we talked about in our Encryption Strategy post it is really important that you understand how encryption will affect your environment before making decisions. We have a lot more detail in the coming weeks to help identify the areas that need to be considered.
Bryan Spinner
Security Consultant
D&D Consulting Ltd.
Previous posts in the Encryption series:
Full Disk Encryption - How does it affect users?
Full Disk Encryption Vs. File Level Encryption
Central management is key
6 steps to a successful strategy
Compliance & Reporting
Where's all the magic security dust gone?
Series Intro
D&D Consulting Ltd | 3 Columbia Circle | Albany NY 12203 | T: (518) 218 0900 | F: (518) 218-1829 | info@dandd.com | www.DandD.com