Building a Security Response into Active Directory

    Question

  • Hi,

    Has anyone come across a product/Active Directory extension that allows a 'security response' to be added to a user's profile? For example, 'What was your first school?', which is used in addition to a username and password; basically the type of thing commonly found on web applications.

    I know you can implement a stronger 2nd factor authentication as a bolt-on that uses security tokens, but I was looking for a way to slightly improve security without the expense or overhead of a token-based 2nd factor solution.

    Thanks in advance.

    Wednesday, February 22, 2012 5:41 PM

All replies

  • How exactly do you envision the way this mechanism would work - and what exactly do you mean by "user profile"?

    You can populate various attributes of each user object - but I'm not clear how exactly you would want to take advantage of them to accomplish your goal. This is not something that's built into AD...

    hth
    Marcin

    Wednesday, February 22, 2012 5:48 PM
  • You won’t be able to achieve this without using third-party software and modifying the GINA.

    What are you trying to accomplish?


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties, and confers no rights.

    Wednesday, February 22, 2012 5:49 PM
  • To clarify, I'm aware this isn't part of the standard MS AD product; I was looking for a 3rd party product that integrates with, or bolts onto, AD to allow this.

    The idea being, for remote users connecting to our network services either via a VPN, or even as simple as using Outlook Web Access to remotely access email, I'd like to put these users into an AD group so that they are prompted for additional security information when authenticating with our AD environment, and have this administered via an AD snap-in.

    It's the type of configuration some of the 2nd factor authentication system providers work to, on the basis that you enter your name and password, followed by a token-generated string that is authenticated by their software. I'm looking for the same thing, but replace the token-generated string with a response to a security prompt and we're there, without the need to buy, issue, and manage security tokens.

    Thanks.

    Wednesday, February 22, 2012 6:11 PM
  • At which point exactly should users be "prompted for additional security information"?

    If you are referring to the scenario where the user connects via VPN - then this would be a feature of the VPN software you are using - not AD itself...

    hth
    Marcin

    Wednesday, February 22, 2012 7:53 PM
  • Howdie!
     
    On 22.02.2012 18:41, MSAD197767 wrote:
    > Has anyone come across a product/Active Directory extension that allows
    > a 'security response' to be added to a users profile. For example, 'What
    > was your first school?', which is used in addition to a username and
    > password? basically the type of thing commonly found on web applications.
    >
    > I know you can implement a stronger 2nd factor authentication as a
    > bolton that use security tokens, but I was looking for a way to slightly
    > improve security without the expense or overhead of a token based 2nd
    > factor solution.
     
    That requires not only changes to Active Directory but also to the
    client OS to ask for the question and evaluate the answer.
     
    Off the top of my head, I am not aware of a product that does that. It
    is possible, though. FIM has capabilities that allow for password
    recovery in a similar manner.
     
    Cheers,
    Florian
     
     

    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.
    Wednesday, February 22, 2012 8:00 PM
  • Thanks for the response, I guess that may be my answer: there isn't a product that does this.

    As you mention Florian, there are a few 2nd factor authentication products that have this facility built into them, but only use it in the event of a forgotten password or lost token; however, none seem to provide the security response function alone as part of their product.  There are a few that offer token management from within the AD management snap-in and I guess that may be as close as I can get from an off-the-shelf product, it just may be a little overkill for what we need.

    Thanks again for taking the time to respond.


    Thursday, February 23, 2012 10:04 AM
  • What you are asking for is to change the MSGINA, the front end screen for the entry of credentials.  You can change certain characteristics of its display, but the actual authentication process itself is only handled by the OS.  I am not aware of any third party product that can do this.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, February 27, 2012 1:07 PM
  • You will need third-party software to achieve what you are looking for (assuming you are talking about coming from outside to log onto company resources and not wanting to build such security for users inside the given Domain name space) and, in any case, I do not think other solutions for dual authentication will be any cheaper than what RSA is going to offer. If the concern is remote users, then invest in RSA + CITRIX solutions (this is a very common scenario).

    I think you need to lay down your priorities and options accordingly. If security and double factor authentication are important for your business and you decide to invest, RSA would be the correct direction, as many government and private businesses use this technology. You could of course invest in other third-party solutions, but in general, to stay on the safe side, it is good practice to go with what is being used.

    Good Luck

    Ocd



    Oz Casey, Dedeal MCITP (EMA), MCITP (EA), MCITP (SA)
    Visit smtp25.blogspot.com
    Visit Telnet25.wordpress.com
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Wednesday, February 29, 2012 9:27 PM