[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 241
  • Last Modified:

Two factor authentication for multiple domain support - Consulting

Hello,

We have a need for Two Factor Authentication (TFA) for our Consultants.  When a consultant leaves or is terminated, we would like to take away the key and prevent them from logging into any of the client sites we support.  Each client site is an independent domain.  Each site has Active Directory and all sites have firewalls, with a majority of PIX devices.  Currently, we have to touch every client site and change Groups and Passwords in AD and on the Firewall.  As many of you know, this can be time consuming.  

Additionally, we would like this TFA solution to be compatible with a whole disk encryption solution using the same hardware key.  

Currently I am looking into SafeWord, Aladdin, and others.  Are there any other consultants dealing with this type of security support issue?  If so, what are your ideas?

Thank you--





0
Wipfli
Asked:
Wipfli
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
I deal with the issue of the added workload of an employee leaving with automation, mainly scripting repetitive tasks. Each task might require it's own script, like locking the account with VBS scripts, deleting the VPN account using Expect scripts, and backing up data with scheduled tasks/batch scripts. Changing passwords can be automated through AD's group policies, you can also automate the shutdown and reboot of all PC's on your lan. Fire someone at the end of the day as everyone is going home, or in the morning before many people arrive. Reboot VPN's/PIX's incase there are open sessions still, and your sure to kick them off the network. The process for 7 seperate companies, each using AD, VPN's and other devices can be started and completed in a few minutes, the reboots take longer than the script's.

I'm not sure why you change anything in the "groups"... naturally you'd remove him/her from the admin's, and other groups that he/she beloged to
http://www.microsoft.com/technet/scriptcenter/default.mspx  http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx  http://www.microsoft.com/technet/scriptcenter/resources/qanda/all.mspx

We do have to login to each site, and then run the scripts and do a little double checking for good measure, as well as ghosting the users PC before the firing as to have a good copy of everything they had on their HD.

Some thoughts on TFA: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html  http://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html
I understand were not talking about banking or phishing, however I think you can see what the "short-commings" of the system are, or can be. Personally I think the second factor is unecessary, you, or someone else, can script just about anything. Need a perl script, vbs script, expect, other... open a question here on EE and you'll get a great solution!
http://www.experts-exchange.com/Programming/Programming_Languages/Perl/   http://www.experts-exchange.com/Programming/Programming_Languages/Visual_Basic/ (etc...)
-rich
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now