Scorpion Software Blog

In a recent BusinessWeek article entitled "Swine Flu Should Prompt Business Checkups", the author stimulates the idea that businesses will need to re-lookat remote access technology in the midst of the H1N1 pandemic:

The virus may also force us to take a hard look (finally) at some of those remote-technology tools that we probably should've deployed a few years ago. With people needing to stay at home to recover from the flu and avoid spreading infection, we'll need to get them connected to the office so checks go out, orders are filled, and customer questions are answered. We'll want to use remote control software (like gotomypc.com and logmein.com) or desktop-sharing software (like glance.net or crossloop.com)—or just finally bite the bullet and a set up a virtual private network. For the first time, we may really have an urgency to put these tools to work this winter.

I'm all for using the appropriate remote access technology, but I would encourage business owners to take time and ask their trusted IT advisors what the right solution may be. It is not just about technology; it is part of business contingency planning. This isn't about Swine Flu; it's about planning for pandemics and other external conditions like severe weather conditions and natural disasters. 

On the technology front, if you have already invested in Microsoft solutions like Small Business Server or using firewalls or VPN concentrators from popular vendors like Sonicwall and WatchGuard you already have this sort of technology available. If you don't, rushing out to get low cost solutions may expose your business to unnecessary risk.

Remember that software like GotoMyPC and LogMeIn may require you to make the desktop available to the Internet. This very fact lowers your corporate security posture as a weak password that is shared, stolen or easy guessed means an unauthorized user may be able to login and impersonate a staff member with that user's privilege to sensitive and/or proprietary information. Worse yet, staff that have left your organization who may know a colleagues password will have inside knowledge on what information is important and valuable, and will know how to access it.

So consider complimentary technologies that can reduce this risk to an acceptable level. Back in September I blogged how one of our partners in Hong Kong uses AuthAnvil's strong two-factor authentication (2FA) to add identity assurance to GotoMyPC Professional. You probably already know about our award winning RWWGuard product for Small Business Server and Essential Business Server that adds 2FA right into Remote Web Workplace. And you may have read a previous post about how you can use AuthAnvil's Credential Provider with Microsoft's new DirectAccess technology. And of course, we work with hundreds of VPN solutions already on the market.

My point here is that remote access solutions are extremely valuable, but need to be safeguarded. Consider using 2FA to provide a level of strong authentication and identity assurance so you have the confidence that when staff are accessing corporate information and assets remotely, they are who they say they are. And that they are authorized to access such information.

Talk to your trusted IT advisor. They can help you with this. If you don't have one, let us know. We would be happy to introduce you to one in your local area. And if there isn't one... I would be happy to help you myself.

This morning I was reading an interesting post by Stuart Crawford on the fact that many of the CFOs from the oil and gas companies that he is talking to in Calgary are unhappy and dissatisfied with a number of their IT suppliers and many of them are looking or even thinking about switching firms because of the costs associated with IT and the lousy service many are receiving. As part of this, Stuart mentions that the reasons are all over the board ranging from the value received for the price they are paying, revolving doors of service technicians to the general increased cost for support. 

It's the comment about "revolving door of service technicians" that I want to speak to.

Stuart, like many of our partners, comes from a firm that understands that this can be a real paint point for their clients. As the trusted IT advisor to these businesses, his firm must maintain a level of trusted assurance that in the midst of such conditions the businesses they serve are not put at risk. A service technician that leaves an IT firm does so usually knowing the administrative credentials to hundreds of systems across many different customers, most with complete and unrestricted access. You can see where I am going with this. If that service technician is in any way disgruntled or feels he has an entitlement to information, he can easily gain access remotely and steal or destroy the information. Although this typically isn't a common thing... the damage potential is huge. Both for the businesses the IT firm services, and the reputation damage and legal liability of the IT firm itself.

More sophisticated IT firms will have a process to address this. Changing the passwords to all those systems is the first step in this. However, if you are managing hundreds of clients and thousands of devices, you just can't get to them all fast enough. On average, our partners are telling us that it takes between 30 minutes to an hour PER customer site to properly change the administrative credentials. It isn't just the AD password. It's the service accounts which have to be checked. The routers. The switches. The wireless access points. Many of these systems are silos of independent passwords that are not part of the Active Directory infrastructure that they maintain.

Enter AuthAnvil. If you as an IT firm were to require staff members to prove their identity with an AuthAnvil credential BEFORE they are allowed to log in, by simply revoking a technician's token you simultaneously revoke his or her access to all client sites. So even if he DOES know the administrative credentials, he won't be able to get in. Of course, you should still change the passwords when you can... but now you can do it on your schedule as you have time, not in reaction to an HR incident where a staff member leaves. 

You might think this would be an expensive proposition. How does $100 a technician sound to you? You will see an ROI the FIRST time you have someone go through that "revolving door" that Stuart speaks of. How so? Well, if your billing rate is a conservative $100/hr and it takes you an hour per site... do the math. Many of our partners manage anywhere between 20 and 200 sites. At 20 sites that is $2,000 of non billable and unproductive time used up. If you have up to 5 technicians... it will only cost you $500 to get the AuthAnvil bits that you need. Need I say more?

We have several video testimonials of partners that are using AuthAnvil in this way. I encourage you to check them out. Of course, if you would like more information, let's talk.

AuthAnvil provides detailed audit logging within SQL Server which can easily be parsed using SQL Reporting Services or the likes of Crystal Reports. However, sometimes you just want a raw report of who logged on, and who failed to log on.

An easy way to do this is to configure a scheduled report to do this for you each day. Scorpion Software offers a script called AAEmailReport.vbs specifically to do this which you can find in the AuthAnvil Diagnostics Library.

Below are instructions on how to set up a daily scheduled take on Windows Server to do this. The result will be an email with a list of successful and failed authentication attempts for the previous day.

Step 1: Launch the Task Scheduler

Start the Task Scheduler. Depending on the version of Windows, you can typically find this in the Control Panel under "Schedule Tasks". Click "Add Scheduled Task".

Step 2: Select the launch the script engine

When asked what program you want Windows to run, click the Browse button and select "C:\Windows\System32\cscript.exe".

Click Next.

Step 3: Create Initial Task

When prompted to name the task, select something unique that identifies the task, such as "AuthAnvil Daily Auth Report". The select to run this task "Daily".

Click Next.

Step 4: Schedule to Time to execute

When prompted for the time, select to run this at 12:01AM. of course, if you have other tasks that may be running at this time, feel free to schedule this at an off peak time early in the morning.

Click Next.

Step 5: Enter credentials with privileges to SQL 

When prompted for a set of credentials to use, select a user account with privileges to query the AuthAnvil database. This may be the AuthAnvil Database user used for impersonation, or a domain administrator account.

Click Next.

Step 6: Complete initial wizard and go to Advanced Settings

When at the final page of the wizard, click the checkbox offering to open the Advanced Settings, and click Finish. This will add the initial task, and allow you to reconfigure the task to work with AAEmailReport.vbs.

Step 7: Modify the Run command line options

The AAEmailReport.vbs script takes a few parameters that need to be added to the run line. These need to be configured in the Advanced Settings before the task will run correctly.

These, in order, are:

• The SQL server and instance name where the AuthAnvil database resides. ie: SERVERNAME\AUTHANVIL or SERVERNAME\SQLEXPRESS. For standalone SQL servers, it may simply be the SERVERNAME.
• The runlevel. This can be a number between 1 and 3, where:
  1 = Send only failed logons
  2 = Send only successful logons
  3 = Send both failed and successful logons
• The "From" address
• The "To" address
• The name or IP address of the mail server to send this report through

As an example, the Run line in our office looks something like this:

C:\Windows\System32\cscript.exe C:\Tools\AAEmailReport.vbs CORPSQL08 3 security@scorpionsoft.com authanviladmins@scorpionsoft.com 192.168.1.1 

As you can see, our main SQL 2008 server where our AuthAnvil database exists is called CORPSQL08, and we are requesting to send both successful and failed logon information to the authanviladmins from security, going through our Exchange server on our SBS box.

At this point you can hit Apply, and you will be prompted to enter the credentials again. Once complete, you will start receiving daily reports with the information you seek!

Hope that's helpful. Enjoy!

If you find yourself in a position where you need to use Secure Shell (SSH) to connect to your Unix, Linux or even OSX environments, listen up.

We have had several customers complain about the SSH brute force attacks that is continuing to plague their servers and workstations in such environments. We understand your concern and realized that it might make sense to clearly explain how you can use AuthAnvil to address this.

If you want to provide identity assurance to your incoming SSH clients, simply configure SSH to use the pluggable authentication module (PAM) with RADIUS. Doing so allows you to easily use AuthAnvil's strong two-factor authentication without the need to install a special agent. mpore importantly, it will force incoming users to provide their two-factor authentication credential each time they try to remotely connect in.

We have provided a simple HOWTO to explain how to configure your SSHD service to support this, which is available in our Document Library. Of course, if you need any help you are free to open a case in the Customer Portal.

Hope that helps. Adding AuthAnvil's strong two-factor authentication is really as simple as reconfiguring the SSH daemon and pointing the authentication to the AuthAnvil RADIUS Server. From there you don't have to fear brute force attacks against your accounts. With the passcode changing each time it is used, this won't be something brute forced anytime soon! 

There are times when you may wish to protect a web based application from general access... something AuthAnvil does quite well on Microsoft's Internet Information Server (IIS). But what about our customers that are running webapps using Apache on Linux, *nix, BSD or even Solaris?

The solution comes in the form of the radius_auth_module produced by the FreeRADIUS project. It allows any Apache web server to become a RADIUS client for authentication and accounting requests, which works well with our AuthAnvil RADIUS Server.

If this applies to you, we have provided a very simple HOWTO on configuring Apache with radius_auth_module so that you can add AuthAnvil's strong two-factor authentication to your web application. No matter if it was written in Perl, PHP, Ruby on Rails or Python (or any other language for that matter), you can enforce an identity assurance check to significantly reduce the attack surface of your Internet facing web applications.

Of course, nothing prevents you from consuming the AuthAnvil web service directly in your LOB app code. It really is only a few lines of code. However, if you do not have programmatic control of the application, this solution will provide an authentication dialog for the user to enter their AuthAnvil credential, before they can even see the underlying web site.

And as an added bonus, what's nice is that you can use our Windows Authentication mode fallback in the AuthAnvil RADIUS Server to give you limited AD awareness for policy and access control. So now your Linux  or BSD web server can actually enforce AD Security Group access without having to be highly configured through LDAP. 

Enjoy.