Two factor authentication for multiple domain support - Consulting

Posted on 2006-04-21
Last Modified: 2013-12-04

We have a need for Two Factor Authentication (TFA) for our Consultants.  When a consultant leaves or is terminated, we would like to take away the key and prevent them from logging into any of the client sites we support.  Each client site is an independent domain.  Each site has Active Directory and all sites have firewalls, with a majority of PIX devices.  Currently, we have to touch every client site and change Groups and Passwords in AD and on the Firewall.  As many of you know, this can be time consuming.  

Additionally, we would like this TFA solution to be compatible with a whole disk encryption solution using the same hardware key.  

Currently I am looking into SafeWord, Aladdin, and others.  Are there any other consultants dealing with this type of security support issue?  If so, what are your ideas?

Thank you--

Question by:Wipfli
    1 Comment
    LVL 38

    Accepted Solution

    I deal with the issue of the added workload of an employee leaving with automation, mainly scripting repetitive tasks. Each task might require its own script, like locking the account with VBS scripts, deleting the VPN account using Expect scripts, and backing up data with scheduled tasks/batch scripts. Changing passwords can be automated through AD's group policies; you can also automate the shutdown and reboot of all PCs on your LAN. Fire someone at the end of the day as everyone is going home, or in the morning before many people arrive. Reboot VPNs/PIXes in case there are open sessions still, and you're sure to kick them off the network. The process for 7 separate companies, each using AD, VPNs and other devices, can be started and completed in a few minutes; the reboots take longer than the scripts.

    I'm not sure why you change anything in the "groups"... naturally you'd remove him/her from the admins and other groups that he/she belonged to.

    We do have to log in to each site, and then run the scripts and do a little double checking for good measure, as well as ghosting the user's PC before the firing so as to have a good copy of everything they had on their HD.

    Some thoughts on TFA:
    I understand we're not talking about banking or phishing; however, I think you can see what the "shortcomings" of the system are, or can be. Personally I think the second factor is unnecessary; you, or someone else, can script just about anything. Need a Perl script, VBS script, Expect, other... open a question here on EE and you'll get a great solution! (etc...)
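
The account-lockout and group-removal steps the answer describes, written as one PowerShell pass over several independent domains. This is an added example, not the answerer's script: the site names, domain controller host names and account names are placeholders, and it assumes the ActiveDirectory module is installed and each client's domain controller is reachable from the admin workstation.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical inventory: one entry per client domain (all values are placeholders).
$Sites = @(
    @{ Name = 'ClientA'; Server = 'dc01.clienta.example'; Sam = 'jdoe' },
    @{ Name = 'ClientB'; Server = 'dc01.clientb.example'; Sam = 'consult.jdoe' }
)

function Disable-ConsultantAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable] $Site,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Each client is its own domain, so every call names that domain's DC and credential.
    $common = @{ Server = $Site.Server; Credential = $Credential; ErrorAction = 'Stop' }
    try {
        $user = Get-ADUser -Identity $Site.Sam -Properties MemberOf @common
        if ($PSCmdlet.ShouldProcess("$($Site.Name)\$($user.SamAccountName)", 'Disable and strip groups')) {
            Disable-ADAccount -Identity $user @common
            # MemberOf omits the primary group (usually Domain Users), so that one is left alone.
            foreach ($groupDn in $user.MemberOf) {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false @common
            }
        }
        # Read the account back so the report reflects the directory, not the intent.
        $after = Get-ADUser -Identity $user -Properties MemberOf @common
        [pscustomobject]@{ Site = $Site.Name; Account = $after.SamAccountName
                           Enabled = $after.Enabled; GroupsLeft = @($after.MemberOf).Count; Error = $null }
    } catch {
        # A failed site must show up in the report instead of stopping the run.
        [pscustomobject]@{ Site = $Site.Name; Account = $Site.Sam
                           Enabled = $null; GroupsLeft = $null; Error = $_.Exception.Message }
    }
}

$report = foreach ($site in $Sites) {
    $cred = Get-Credential -Message "Admin credential for $($site.Name)"
    Disable-ConsultantAccount -Site $site -Credential $cred
}
$report | Format-Table -AutoSize
# Anything still enabled, or any site that errored, needs manual follow-up.
$report | Where-Object { $_.Enabled -ne $false -or $_.Error } | Format-Table -AutoSize
```

Disabling the account does not end sessions that are already open, which is why the answer pairs this step with clearing VPN/PIX sessions. Running the function with `-WhatIf` reports the current state of each account without changing it.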
