Multiple Sessions by one user



abood -> Multiple Sessions by one user (28.Dec.2002 12:19:00 PM)

I have installed ISA Server 2000 as a proxy server only, and am giving users Internet access by authentication.

However, the users can have multiple logins in different places, i.e. I would like to restrict users to log in from only one PC at a time.




spouseele -> RE: Multiple Sessions by one user (28.Dec.2002 2:32:00 PM)

Hi Osa,

I don't believe ISA Server can enforce that on its own! In fact, if such a restriction could be enforced, I think it should be done at the Active Directory level.

HTH,
Stefaan




tshinder -> RE: Multiple Sessions by one user (28.Dec.2002 6:35:00 PM)

Hi Stefaan,

That is correct! This is a Win2k issue, not an ISA Server issue. You can limit users to log on from one machine, or better, use smart cards to log in and require that the smart card be left in the reader for the entirety of the session [Big Grin]

HTH,
Tom




spouseele -> RE: Multiple Sessions by one user (28.Dec.2002 9:16:00 PM)

Hi Tom,

Good to hear I was on the right track! [Wink]

Of course, the basic law of strong authentication gives you a good solution: something you have (a smartcard) and something you know (the pincode).

Thanks,
Stefaan




tshinder -> RE: Multiple Sessions by one user (28.Dec.2002 9:20:00 PM)

Hi Stefaan,

What I like even better is:

Something I know (password)
Something I have (smartcard or other token)
Something I am (iris scan, voice print, finger print)

[Big Grin]

Tom




spouseele -> RE: Multiple Sessions by one user (28.Dec.2002 9:25:00 PM)

Hi Tom,

Have you already implemented that in a real-life W2K environment?

Thanks,
Stefaan




tshinder -> RE: Multiple Sessions by one user (28.Dec.2002 9:29:00 PM)

Hi Stefaan,

Unfortunately, I haven't implemented the "what I am" part yet. Still looking for someone who is interested in that level of security. I suspect only govts would be interested.

Tom




spouseele -> RE: Multiple Sessions by one user (28.Dec.2002 9:38:00 PM)

Hi Tom,

I thought so! [Big Grin]

BTW, have you already heard good or bad things about ArcotID? It seems to be the best software SmartCard available. In any case, it sounds like a very big step forward compared to the default certificate store on Windows.

Thanks,
Stefaan




tshinder -> RE: Multiple Sessions by one user (29.Dec.2002 1:03:00 AM)

Hi Stefaan,

Sounds interesting, but they don't explain how the "something I have" differs from a SmartCard. They say it's stronger than a SmartCard but what is the "thing you have"?

Thanks!
Tom




abood -> RE: Multiple Sessions by one user (29.Dec.2002 7:39:00 AM)

Anyway, thanks for taking time to answer my question.




spouseele -> RE: Multiple Sessions by one user (29.Dec.2002 12:36:00 PM)

Hi Tom,

This is my problem too! As I understand the product, there isn't really "something I have", at least not physical. So, I think you should rather compare the software SmartCard with a software Token. [Big Grin]

However, compared to the default certificate store on Windows, I think it has some real benefits. The problem with a hardware SmartCard is the implementation and ongoing support cost. Especially if you don't have control over the environment. So, a lot of people try to simplify the implementation by *not* installing the certificate on a SmartCard but on the PC itself.

The problem now is that storing the certificate on the PC itself is *not* very secure because at best the certificate is only protected by a password and only that password enables the use of the certificate. So, it is very susceptible to offline attacks because there is no method to disable the certificate after a number of bad passwords. This is a major drawback.

That problem seems to be solved with the software SmartCard solution from Arcot. To the user (or attacker) a great number of passwords *seems* to give you a valid certificate. The only way to find it out is to try it out. So, the central authentication service will see those tryouts and now have a method to detect the bad tryouts and lock out the certificate and corresponding account after a number of bad attempts. I think this is a major step forward! [Cool]

What do you think?

Thanks,
Stefaan
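
The contrast described in the post above, as an added example that is not part of the original thread and not Arcot's algorithm: a toy model in which a symmetric key stands in for the certificate's private key, the XOR "cipher", the `AuthServer` class and all function names are assumptions, and the PINs are constructed sample values. A store with an integrity tag lets a PIN be confirmed from the file alone, while the camouflaged store forces every candidate through the central service, which counts failures and locks the account.

```python
import hashlib, hmac, secrets

def pad(pin, salt, n):                      # PIN-derived keystream (toy cipher)
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1000, n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_with_check(key, pin, salt):        # conventional store: key + integrity tag
    tag = hashlib.sha256(key).digest()[:8]
    return xor(key + tag, pad(pin, salt, len(key) + 8))

def open_with_check(blob, pin, salt):       # returns None on a wrong PIN
    plain = xor(blob, pad(pin, salt, len(blob)))
    key, tag = plain[:-8], plain[-8:]
    return key if hmac.compare_digest(hashlib.sha256(key).digest()[:8], tag) else None

def seal_camouflaged(key, pin, salt):       # no tag, no structure to test against
    return xor(key, pad(pin, salt, len(key)))

def open_camouflaged(blob, pin, salt):      # every PIN yields a plausible key
    return xor(blob, pad(pin, salt, len(blob)))

class AuthServer:
    """Central service: sees every attempt and locks after max_bad failures."""
    def __init__(self, key, max_bad=3):
        self.key, self.max_bad, self.bad, self.locked = key, max_bad, 0, False

    def verify(self, challenge, response):
        if self.locked:
            return False
        good = hmac.new(self.key, challenge, "sha256").digest()
        ok = hmac.compare_digest(good, response)
        self.bad = 0 if ok else self.bad + 1
        self.locked = self.bad >= self.max_bad
        return ok

def confirmed_offline(blob, salt, pins):
    """PINs that can be confirmed from the stored blob alone, with no server contact."""
    return [p for p in pins if open_with_check(blob, p, salt) is not None]

def submit_candidates(server, blob, salt, pins):
    """Camouflaged store: each candidate key must be checked by the server."""
    accepted = []
    for p in pins:
        challenge = secrets.token_bytes(16)
        candidate = open_camouflaged(blob, p, salt)
        if server.verify(challenge, hmac.new(candidate, challenge, "sha256").digest()):
            accepted.append(p)
    return accepted, server.locked
```
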




tshinder -> RE: Multiple Sessions by one user (29.Dec.2002 11:45:00 PM)

Hi Stefaan,

I think it's better than a software certificate from traditional certificate servers, but I still don't think it's better than a "what I have" solution. However, there is no perfect security solution except for turning off the computer [Big Grin]

Thanks!
Tom




spouseele -> RE: Multiple Sessions by one user (29.Dec.2002 11:59:00 PM)

Hi Tom,

I totally agree and thanks for the nice conversation! [Smile]

Thanks,
Stefaan





tshinder -> RE: Multiple Sessions by one user (30.Dec.2002 12:15:00 AM)

Hi Stefaan,

Thank you! [Smile]

Tom



