« July 2010 | Main | September 2010 »

August 2010

August 27, 2010

Configuring AutoTask to use AuthAnvil Authentication

Since last week, when AutoTask announced that they had integrated AuthAnvil authentication into their AutoTask IT Services Management Platform, we’ve been getting asked how to go about configuring it. So, to make sure everyone knows the right way to configure it, and how easy it is, we’ve posted a howto over at the documentation center: HOWTO: Configure AuthAnvil Integration in Autotask.

Also, I just wanted to pass along a kudos from the support team. We love the to see the integration, and like the way it’s been handled, with the ability to provide alternate credentials and authentication severs on a per-user basis.

Posted at 08:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 26, 2010

Five by 5 - Episode 104: The Business Value of Teleworking

So in our last episode, we focused on secure remote access using Small Business Server. When talking with some IT professionals recently, it was made clear that their clients really need a bettter handle on understanding the business value of teleworking.

We're listening. Today's episode is for you!!

In this episode, I talk about the business value in allowing staff to have anywhere, anytime access to the office through teleworking. From learning how to increase staff productivity to dealing with your business continuity plans, learn how to get the most out of your IT infrastructure.

(If you can't see the video in your RSS reader, you can go directly to the video here)

Let us know what you think. Leave a comment on the blog, or send me an email to dana@scorpionsoft.com. And don't be shy... if there is something you would like to learn, let us know. It may be featured in an upcoming episode.

Posted at 07:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 25, 2010

Dana Epp Honored in Third-Annual MSPmentor 250 Report

Well isn't this interesting. Apparently I have landed on Nine Lives Media Inc.’s third-annual MSPmentor 250, a global report that identifies the world’s leading managed services executives, entrepreneurs, experts, coaches and community leaders.

I'm grouped with many thought leaders that I admire and respect highly in the managed services industry. Customers, partners and fellow visionaries in the vendor space who are helping to make all MSPs more profitable. I am truly honored. Many thanks to Amy and Joe over at Nine Lives Media and to all our customers, partners and friends who have nominated me. I appreciate being recognized in this way, and thank you all.

So where do we go from here? Well many of you, as our customers, continue to ask for more integration between systems. With our support currently for everything from Autotask, ConnectWise, Kaseya, and LabTech it makes sense to carry that further. The MSPMentor 250 list truly is a rolodex of some of the brightest minds in the MSP industry. I think its time I personally call many on the list who we aren't working with yet to explore how we can work together to further the MSP space, and ultimately reduce your business liability while increasing your productivity and profitability.

MSPMentor 249... look forward to my call.

Posted at 07:00 AM in Press Releases | | Comments (0) | TrackBack (0)

| |

August 24, 2010

AuthAnvil Best Practice: Securing Computers That Are Not Part Of A Domain

Many networks have computers that, for one reason or another, are not members of the domain. These might be web or mail servers in the DMZ, servers in the datacenter, or in our case, the QA department’s test servers and workstations. Just because a machine isn’t a member of the domain doesn’t mean that it doesn’t need to be protected, and AuthAnvil can protect it.

Helping to make life simple, AuthAnvil doesn't care whether a system is domain-joined or not. All that it’s concerned about is that the username that you are trying to log in using exists on both the machine that you're trying to log onto, and in AuthAnvil.

Our best practice for dealing with this scenario is to create a grouped user in AuthAnvil that matches a user that exists on the server. (Or create a new one expressly for this purpose). This way, you can make anyone who needs access to the server a member of the grouped user.

If you want, you can set up different grouped users for each machine and control access that way, use the same one across all of them, or use any mix that works for you. 

In addition, you can set an Override Password or a local Override Group to control access for users who don't need to use a token to log in. Both the Override Password and Override Group can be configured using the AuthAnvil Logon Config control panel applet in control panel.

Remember, just because it’s not domain joined, that doesn’t mean that it doesn’t need to be protected. If you have any questions that you would like to see addressed here, please send them to support@scorpionsoft.com.

Posted at 11:49 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 20, 2010

AuthAnvil Credential Provider and Windows Desktop SoftToken “Work With” Windows Server 2008 R2

Logo-WorksWithwindowsr2 A little while ago we submitted both the AuthAnvil Credential Provider and the AuthAnvil Windows Desktop SoftToken for “Works With Windows Server 2008 R2” status, and I’m pleased to say that both have passed!

AuthAnvil and it’s agents have been designed from the ground up to take advantage of the technologies available to both the Windows client and server operating systems, such as IIS, SQL Server, and the .NET Framework, including ASP.NET. So, we’re happy to see that recognized, and look forward to earning logo status for Server 2008 R2 and Windows 7 for more of our products in the future.

Posted at 11:08 AM in Product News | | Comments (0) | TrackBack (0)

| |

August 19, 2010

Five by 5 - Episode 103: Secure remote access in SBS

Alright you SBS fans, a special episode of "Five by 5" just for you.

In this episode I talk about how to get the most out of your investment in Small Business Server by adding a complimentary security layer with AuthAnvil. From learning how to strengthen Remote Web Workplace (RWW) with RWWGuard to locking down VPN with AuthAnvil RADIUS, you will want to check out this episode if you are using SBS to allow staff to work remotely.

(If you can't see the video in your RSS reader, you can go directly to the video here)

Let us know what you think. Leave a comment on the blog, or send me an email to dana@scorpionsoft.com. And don't be shy... if there is something you would like to learn, let us know. It may be featured in an upcoming episode.

Posted at 08:59 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 18, 2010

AuthAnvil is now integrated into Autotask!

Have you heard? Autotask announced today that they have now integrated AuthAnvil into their IT business management platform. The result is an additional layer of security to compliment the safeguards in Autotask to offer identity assurance protection for your users when accessing the sensitive customer data stored there. You will gain confidence in knowing who is actually requesting such access to Autotask, and have a definitive method to audit and control all this through two-factor authentication.

And of course, you can use this same token to also log onto your favorite RMM tools like Kaseya and LabTech, as well as the Windows servers and desktops that you manage.

If you would like to learn more, go check out www.scorpionsoft.com/autotask/.

We are pleased to see Autotask complement its existing security infrastructure with AuthAnvil. The robust nature of AuthAnvil not only protects the critical information stored in Autotask users’ systems, that protection crosses over to their IT automation systems and secures remote access to client networks they manage. This is a perfect example of a better-together solution that truly benefits the IT community at large.

Way to go Autotask!


Posted at 09:58 AM in Press Releases | | Comments (0) | TrackBack (0)

| |

August 17, 2010

AuthAnvil Best Practice: Laptops

Ah laptops, once ugly, clunky behemoths, now an invaluable tool for students and anyone who wants to get a little work done outside of the office. However, operating outside of the office walls, these represent a special kind of vulnerability to the corporate network, as they face the risk of being lost or stolen, and their data or access to the corporate network compromised.

There are many tools available to protect the data on a laptop, and make sure that it cannot be accessed when the laptop is turned off, such as Microsoft’s Bitlocker. (You are running Windows Vista or Windows 7, right?) However, these machines are still vulnerable to having their passwords compromised through other means (such as social engineering), allowing an attacker to successfully log into Windows, especially if the laptop is taken while it is still powered on. In this scenario, the AuthAnvil Windows Credential Provider provides a useful extra layer of security by requiring the AuthAnvil token to be present at logon or unlock.

Today’s best practice is: Use the AuthAnvil Windows Logon Agent or Credential Provider on your laptops in addition to any security measures used to protect the data. You can enable cached credentials, so that users can log on up to 25 times without requiring an active Internet connection. You can also define an override password so that, if all else fails, the users can phone in and get the password to get access to their machines. You can find more information on the Windows Logon Agent and Credential provider by checking out the article in our documentation center.

Securing the data on your laptops is critical, so don’t leave a weakness in the form of the logon. As always, if you have any questions that you would like to see addressed here, please send them to support@scorpionsoft.com.

Posted at 07:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 16, 2010

A Simpler Way to Back Up Your AuthAnvil Server

I wrote a post a couple weeks ago on managing your AuthAnvil backups, and the response that we’ve received has been great. I’ve also had a number of questions to the support queue regarding how to use aabackup.exe, and how to figure out which SQL server AuthAnvil is installed to. With that in mind, we’ve written a little tool to make backups even easier: the AuthAnvil Backup Utility.

The backup utility is a simple vbscript; just double-click, and away you go. It’ll run through a couple checks to make sure that AuthAnvil is installed on the system, and figure out what version of AuthAnvil is running and give you the option to either backup now, or schedule a recurring backup.

image

The tool will automatically determine what SQL server and instance AuthAnvil 2.0 or later is using and run (or schedule) a backup, without any knowledge of the database system required by the user. This and many other cool tools are available from the AuthAnvil Diagnostic Tools page.

If you have any questions or comments, or have any tools that you’d like to see added to the diagnostic tools page, drop me a line at support@scorpionsoft.com and let me know.

Posted at 07:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

August 15, 2010

What we can learn from the Siemen's SCADA default password vulnerability

So last month it was made public that there is a sophisticated new piece of malware that targets a vulnerability in Siemen's SCADA system, used in the command-and-control software installed in the manufacturing plants and critical infrastructures around the world.

A hard-coded default password has existed since before 2008 that was made known in their public forums years ago. Malware authors have constructed a way to use this to their advantage to write hostile code that could infiltrate manufacturing systems to steal secrets from manufacturing plants and other industrial facilities in a sophisticated method of corporate espionage.

This is a very interesting way to weaponize such a vulnerability to covertly exploit Siemen SCADA systems. What's worse is that Siemen's has recommended NOT to change the default password as it may break the software, and impact critical operations tied to the system. Talk about being put in a hard place.

You may not realize it, but a recent security patch (MS10-046) by Microsoft is at the heart of this. A Windows shell vulnerability in .lnk shortcuts is how this was originally found. And this was how this attack originally manifested itself. According to some research at Symantec, this was originally targeted at industrial systems in Iran. Unfortunately, like most pieces of malware, it quickly went out of scope of the original attack and started affecting other systems.

The interesting part of this story for me is how a basic and fundamental piece of secure coding principles and practices was breached here. The fact that the SCADA system uses a hard-coded static password to connect to the MS-SQL database exposes the system to huge risk. And should NEVER have been acceptable. If you ignore how the payload was delivered in .lnk shortcuts, consider how easy it is for any sort of code, or simple human interaction, to gain access to this critical database. This is something we should all reflect on. Static passwords are ALWAYS a bad idea. Both for LOB software. And for logging into your servers and workstations.

At Scorpion Software, we look at the architecture of our software much differently. During threat modeling of AuthAnvil, it was clear to us that static hard-coded passwords are NOT a good idea. To communicate with MS-SQL we use Windows authentication to log into the database from the AuthAnvil web service. And the account we use to do that is a restricted account using least-privilege we create during installation, with the password stored securely using the Windows Data Protection API. The password itself is randomly created during install using the strongest possible password using the password policies of your domain controller. So it isn't known by anyone, and can only be accessed through our restricted account itself.

The result? You don't have to worry about this type of attack vector in AuthAnvil. There are no hard-coded passwords.

What else can we learn from this experience? Where else could we have hard-coded default passwords we should be aware of? Some places to consider include:

  • Your network based printers and photocopiers
  • Your wireless access points
  • Your managed switches
  • Your routers and firewalls
  • Your PBX system
  • Your cable or DSL modem
  • Network-based appliances (antispam, proxy servers etc)
  • etc, etc

What should you do if they DO have default passwords. Change them! And then add them to your password change management document to properly document and protect them. If you have a password management system, consider adding them in there. Don't have one? Consider storing them securely in your PSA system, or grabbing something like Thycotic's Secret Server and start. There will always be places where you will need static passwords. Places where strong authentication solutions like AuthAnvil just won't fit. In those cases, use a password management system that aligns better with your workflow. You can always protect their system with an AuthAnvil passcode. Secret Server itself can be protected with built in support for AuthAnvil. And systems like ConnectWise and Autotask have built in support for AuthAnvil authentication too.

Still have concerns? Feel free to contact us and we would be happy to discuss best practices on password management.

Posted at 11:28 PM in In the Trenches | | Comments (0) | TrackBack (0)

| |

Next »
Visit Our Company Website
Subscribe to this blog's feed

Categories

Archives

More...

Become a Fan

Connect With Us