Two factor authentication for multiple domain support - Consulting


We have a need for Two Factor Authentication (TFA) for our Consultants.  When a consultant leaves or is terminated, we would like to take away the key and prevent them from logging into any of the client sites we support.  Each client site is an independent domain.  Each site has Active Directory and all sites have firewalls, with a majority of PIX devices.  Currently, we have to touch every client site and change Groups and Passwords in AD and on the Firewall.  As many of you know, this can be time consuming.  

Additionally, we would like this TFA solution to be compatible with a whole disk encryption solution using the same hardware key.  

Currently I am looking into SafeWord, Aladdin, and others.  Are there any other consultants dealing with this type of security support issue?  If so, what are your ideas?

Thank you--


Rich Rumble (Security Samurai) commented:
I deal with the issue of the added workload of an employee leaving with automation, mainly scripting repetitive tasks. Each task might require its own script, like locking the account with VBS scripts, deleting the VPN account using Expect scripts, and backing up data with scheduled tasks/batch scripts. Changing passwords can be automated through AD's group policies; you can also automate the shutdown and reboot of all PCs on your LAN. Fire someone at the end of the day as everyone is going home, or in the morning before many people arrive. Reboot VPNs/PIXes in case there are open sessions still, and you're sure to kick them off the network. The process for 7 separate companies, each using AD, VPNs and other devices, can be started and completed in a few minutes; the reboots take longer than the scripts.

I'm not sure why you change anything in the "groups"... naturally you'd remove him/her from the admins, and other groups that he/she belonged to.

We do have to log in to each site, and then run the scripts and do a little double checking for good measure, as well as ghosting the user's PC before the firing so as to have a good copy of everything they had on their HD.

Some thoughts on TFA:
I understand we're not talking about banking or phishing, however I think you can see what the "shortcomings" of the system are, or can be. Personally I think the second factor is unnecessary; you, or someone else, can script just about anything. Need a perl script, vbs script, expect, other... open a question here on EE and you'll get a great solution! (etc...)
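The "lock the account, reset the password, strip the groups, one script per client domain" routine the answer above describes, written out as an added PowerShell example (not code from the question, the answer, or Experts Exchange). It assumes the RSAT ActiveDirectory module and a per-client admin credential; the client domain names and the account name are constructed placeholders.

```powershell
# Added example: offboard one consultant account across several independent
# client AD domains. Domain names below are constructed placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    # Constructed example list; replace with the real client domains.
    [string[]]$ClientDomains = @('clienta.example', 'clientb.example', 'clientc.example'),
    [string]$LogPath = "$env:TEMP\offboard-$SamAccountName.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $LogPath -Append
}

foreach ($domain in $ClientDomains) {
    $cred = Get-Credential -Message "Admin credential for $domain"
    try {
        $user = Get-ADUser -Identity $SamAccountName -Server $domain -Credential $cred -Properties MemberOf
    } catch {
        Write-Log "$domain : lookup of $SamAccountName failed, skipping: $_"
        continue
    }
    if (-not $PSCmdlet.ShouldProcess("$SamAccountName@$domain", 'disable, reset password, remove groups')) { continue }

    # 1. Disable first, so no new logon succeeds while the rest of the steps run.
    Disable-ADAccount -Identity $user -Server $domain -Credential $cred
    # 2. Replace the password with random material so an accidental re-enable does not restore access.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RNGCryptoServiceProvider]::new().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Server $domain -Credential $cred -Reset -NewPassword $newPw
    # 3. Remove every group membership listed in memberOf (the primary group, Domain Users, is not listed there and stays).
    foreach ($groupDn in $user.MemberOf) {
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Server $domain -Credential $cred -Confirm:$false
            Write-Log "$domain : removed $SamAccountName from $groupDn"
        } catch {
            Write-Log "$domain : could not remove $SamAccountName from $groupDn : $_"
        }
    }
    Write-Log "$domain : $SamAccountName disabled and password reset"
}
```

Run with `-WhatIf` first to see which accounts and groups would be touched in each domain; the VPN/firewall side that the answer scripts with Expect is a separate step and is not covered here.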
