Solving account lockout by eliminating use of passwords by using PKI certificates

Have you ever been forced to change your password on your laptop, only to find that your AD account got locked about an hour later? If your company is like mine, we require our login passwords to be changed every 90 days, and what a pain that is, because we don’t allow reusing passwords, they have to be complex with mixed case and both alpha and numeric characters, and they must be at least 8 characters long (yes, it could be more complex). But my account got locked because I forgot to change my password in the WiFi config on my Mac, so it keeps replaying the old password to try to access the wireless network, AND my Samsung Galaxy phone as well as my iPad also have the old AD password memorized, which they are both using to log in to both Exchange and the wireless network. Windows, on the other hand, is smart enough not to replay a password more than 3 times when it doesn’t work to get logged in to the wireless network.

But with many more organizations starting to support Macs in their environment, as well as smart phones and tablets, this account lockout problem is coming up much more often. The problem is that these non-Windows devices will just keep replaying the cached password trying to gain access, which will eventually lock out your AD account. What’s worse, even if you’ve remembered to change the password on one of your devices, you may still have another device with an incorrect password that continues to lock your account. The only way out for the user is to have IT (or some self-service mechanism) unlock the AD account and then immediately update the password on every device for Exchange, WiFi and VPN, as well as any other application that may use this password.
We need a solution that eliminates the caching and replay of passwords across multiple computers and devices for authentication to remote services.

Passwords are bad
There are several other problems with passwords that reduce the overall security of the environment. Since the end user needs to remember the password, we strive to reduce the number of passwords a user has to keep up with, ideally to only one. As long as the user only needs to remember one password, you can probably make the password policy require a more complex and longer password, so that it is harder to break in the event of a password attack.

Password cracking software now runs on much faster computers than ever before, and yet many users still use passwords of only 8 characters. But even if we are able to get users to create and use longer passwords such as a passphrase, there are cameras everywhere and they are higher resolution than ever: the average smart phone has a sensor of up to 40 megapixels capable of recording full 1080p video, which enables anyone near you to capture your userid and password as well as the web site you are logging into. Anyone with a smart phone can “shoulder surf” by recording the web site, userid and password that you typed, go back and play it back in slow motion to figure out the password, and then just log in from their own computer without you around. We need a better way to secure user login to enterprise services.

Eliminating passwords with PKI Certificates
These problems can be solved if we require more than just the user’s identity and password to grant access to the Enterprise. We need another strong credential, issued to authorized computers and devices, so that we can be assured that only authorized end users are accessing business resources from trusted endpoints. Kerberos tickets can be used for users on the company network: they authenticate to Active Directory and are provided a Kerberos ticket-granting ticket, which lets the user obtain a Kerberos service ticket for the specific service or application being accessed. But we need a different model for users on devices that might be disconnected from, or outside of, the company network. Certificate-based authentication from registered devices provides the perfect model to address this challenge as well as to eliminate the use of passwords to core enterprise services.

What are PKI Certificates?
PKI Certificates are built on an asymmetric key pair: two keys created at the same time, one kept secret by the user and called the private key, the other published as the public key. Anything encrypted by one key can be decrypted by the other. This enables the user’s computer to sign (encrypt) data with the private key so that anyone who has access to the public key can decrypt and check it, which proves that the user has possession of the private key. The Certificate contains identity data about the user, is packaged with the public key, is signed by the Certificate Authority to prove authenticity, and is then typically published in a Directory Service so that any application or service within the enterprise can retrieve it for authentication purposes. Additionally, these certificates and keys are stored on the end user’s computer or device in secured storage, either a physical security module such as a Trusted Platform Module (TPM) or simply protected within the user’s home directory or Keychain.

The end result is a solution that provides cryptographic validation of the user’s identity after the user unlocks his computer or device, without relying entirely on the user’s password, which an attacker may learn. This authentication model protects the user’s authentication credential, in this case the PKI Certificate, and prevents a different person from gaining access through either a man-in-the-middle attack (capturing the password on the wire) or visual observation of the userid and password. This solution will only grant access to the authorized user from one of his previously registered devices where a PKI Certificate has been issued.
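The possession proof described above, as an added example that is not part of the original post or of any Centrify or Microsoft tooling: a client-authentication certificate from the current user’s Personal store signs a fresh random challenge with its private key (which never leaves the TPM or key storage provider), and a verifier holding only the public certificate checks the signature; a modified challenge fails, so a recorded signature cannot be replayed. It assumes Windows PowerShell 5.1 on .NET 4.6 or later and an existing certificate with the Client Authentication EKU and a private key.

```powershell
# Added example (not from the original post): challenge/response proof of private-key
# possession using a certificate already in the user's Personal store.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Select a certificate the way a TLS client or EAP-TLS supplicant would:
# client-auth EKU, private key present, currently valid.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
} | Select-Object -First 1
if (-not $cert) { throw 'No valid client-authentication certificate with a private key found.' }

# 1. The server side produces an unpredictable challenge (nonce). Because it is fresh,
#    a signature captured from an earlier session is useless to an attacker.
$challenge = [byte[]]::new(32)
[RandomNumberGenerator]::Create().GetBytes($challenge)

# 2. The client signs the challenge. The private key stays inside its provider;
#    only the signature is produced.
$privateKey = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature  = $privateKey.SignData($challenge, [HashAlgorithmName]::SHA256,
                                   [RSASignaturePadding]::Pkcs1)

# 3. The verifier needs only the certificate (public key), e.g. as published in AD.
$publicKey = [RSACertificateExtensions]::GetRSAPublicKey($cert)
$valid = $publicKey.VerifyData($challenge, $signature, [HashAlgorithmName]::SHA256,
                               [RSASignaturePadding]::Pkcs1)

# 4. Any change to the challenge (or a signature over an old challenge) fails.
$tampered = [byte[]]$challenge.Clone(); $tampered[0] = $tampered[0] -bxor 1
$replayRejected = -not $publicKey.VerifyData($tampered, $signature,
                        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# Where the key lives: 'Microsoft Platform Crypto Provider' means TPM-backed.
$provider = if ($privateKey -is [RSACng]) { $privateKey.Key.Provider.Provider }
            else { $privateKey.CspKeyContainerInfo.ProviderName }

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    KeyProvider    = $provider
    SignatureValid = $valid
    ReplayRejected = $replayRejected
}
```

Run it as the logged-in user; SignatureValid should be True and ReplayRejected True, and KeyProvider tells you whether the key is TPM-protected or merely in a software container.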

Automating Certificate Management (Issuance, Renewal and Revocation)
Setting up certificate-based authentication doesn’t have to be difficult; in fact it can be extremely simple once set up for automation. Microsoft provides a Certificate Authority (CA) as part of the Active Directory set of services; you just have to configure and turn on the service. The first CA that you configure will be your Enterprise Root CA, and it needs to be configured to publish the public keys and certificates to Active Directory so that other applications and services can look them up and retrieve them.

Once the CA has been set up, you will need to configure certificate templates to be used for the auto-issuance of both user certificates and computer certificates. A certificate can identify either the user or the computer depending on how it is to be used; for example, you may use a computer certificate to authenticate a device to the network, but then use a user certificate to identify the user to a VPN or EAS server. The certificate template must be configured with the identity data that is needed by the services that will consume the certificate.

The final step is to configure the computers joined to AD to automatically request a certificate, or a certificate renewal, through Group Policy settings. Microsoft provides the configuration required for Windows computers, while Centrify provides full support for Mac and Linux as well as iOS and Android mobile devices.
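A verification step for the three-part setup above (CA, templates, auto-enrollment GPO), added here and not taken from the original post, Microsoft or Centrify: run on a domain-joined Windows client, it confirms that the expected computer and user certificates were actually issued from the intended templates, that they chain to the enterprise CA with revocation checking, and that they are not about to expire, and it nudges auto-enrollment with `certutil -pulse` when a certificate is missing or nearly expired. It assumes Windows PowerShell 5.1 and an elevated session for the LocalMachine store; the template names `CorpComputerAuth` and `CorpUserAuth` are placeholders.

```powershell
# Added example (not from the original post): verify auto-enrollment results on a client.
using namespace System.Security.Cryptography.X509Certificates

$clientAuthOid   = '1.3.6.1.5.5.7.3.2'                            # Client Authentication EKU
$templateOids    = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # V2 / V1 template extensions
$renewWithinDays = 14

function Get-EnrolledCert {
    param([string]$StorePath, [string]$Template)
    # Newest certificate with a private key, client-auth EKU and the wanted template.
    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid) -and
        (($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -like "*$Template*")
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-Enrollment {
    param([string]$StorePath, [string]$Template, [string[]]$PulseArgs)
    $cert = Get-EnrolledCert $StorePath $Template
    if (-not $cert) {
        Write-Warning "$StorePath has no '$Template' certificate; triggering auto-enrollment."
        & certutil.exe @PulseArgs | Out-Null
        return
    }
    # Validate the chain as a relying party (NPS, VPN gateway, EAS) would, including
    # online revocation checking; a broken chain means authentication will fail.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chainOk  = $chain.Build($cert)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Store       = $StorePath
        Template    = $Template
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        DaysLeft    = $daysLeft
        ChainValid  = $chainOk
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    if (-not $chainOk -or $daysLeft -lt $renewWithinDays) {
        Write-Warning "Chain invalid or expiring in $daysLeft days; triggering auto-enrollment."
        & certutil.exe @PulseArgs | Out-Null
    }
}

# Placeholder template names: replace with the templates configured on your CA.
Test-Enrollment 'Cert:\LocalMachine\My' 'CorpComputerAuth' @('-pulse')
Test-Enrollment 'Cert:\CurrentUser\My'  'CorpUserAuth'     @('-user', '-pulse')
```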

For step-by-step instructions, follow this quick how-to guide to set up certificate auto-enrollment.

Securing Enterprise access with certificates
PKI certificates have been around for quite some time and have been used for strong authentication to a number of enterprise services, such as:
– Enterprise network authentication, both wired and wireless
– Exchange ActiveSync Server authentication
– Web site authentication

Secure Networking with 802.1x and Certificates
PKI provides the highest level of security for controlling access to the Enterprise network. We are seeing many more organizations moving to 802.1x authentication for their wireless networks, and several higher-security organizations doing the same on their wired networks. The use of PKI authentication ensures that only computers registered with the organization are able to even connect to the network. This is especially important for wireless networks, given their fuzzy boundary around buildings, but also for wired networks, given the use of internal conference rooms by external visitors who may need internet connectivity.

802.1x wired network authentication is built into Windows, and Centrify provides a way to set up policies for the Mac to ensure that it operates properly on these secured networks. Just turn on the Group Policy for either a Machine- or User-level 802.1x profile for the Mac, and Centrify will automate the certificate issuance and the configuration of 802.1x profiles on the system.

There are several different wireless network configurations that we’ve seen, but the most common is WPA2 Enterprise with EAP-TLS for device-centric authentication to the wireless network. This is built into Windows, and again Centrify automates the configuration for both Mac and iOS as well as Samsung mobile devices.

Securing Exchange ActiveSync Server (EAS) login with PKI
Probably the most important enterprise service that remote users need to access on a regular basis is their email server, and if you are using Exchange ActiveSync on-premise, you can configure it to require a PKI certificate for user authentication on mobile devices instead of a userid and password. Centrify provides support for this configuration on both iOS and Samsung mobile devices.

For step-by-step instructions, follow this quick how-to guide to set up PKI authentication for mobile device access to Exchange ActiveSync.

Web Site Authentication using PKI
Driven by the requirement to adhere to HSPD-12 for Smart Card-based authentication, the majority of US Government web sites have added support for PKI-based authentication, especially those that serve US Government employees. Centrify for Mac Smart Card Edition as well as Centrify Express for Smart Card have supported these use cases, where federal employees with Smart Cards need to access web sites that require PKI-based authentication using the PKI certificates stored on their government-issued Smart Cards. This simplifies access for the employee, since all he needs is his Smart Card and PIN to unlock the credentials and log in seamlessly.

For more information or to try this yourself, visit to find out more about Centrify for Mac as part of Centrify User Suite.