01-19-2010 11:37 AM
We are running the 6.5R1 IVE OS. The Auth server type is Active Directory / Windows NT (MS Server 2008)
We have a problem where people are using generic accounts for various tasks or services. In an ideal world there wouldn't be generic accounts, but I guess this is something we have to deal with. These accounts most of the time are using weak or "incremental" passwords, e.g. jan2009, jan2010, etc., that are known by a bunch of users.
My concern is that when people leave the company, in theory they can use these accounts to log back in using the SSL VPN since they are part of the domain.
I am wondering how we could block these accounts.
Changing the password every time someone leaves the company is not a viable alternative, but for now maybe the only one.
I can think of a 2-factor authentication solution (SecurID), but it could end up being an expensive solution.
I am looking through SA settings trying to find a way to check for a specific windows group.
Anyone already implemented a solution which is effective in blocking generic accounts login?
Thanks in advance
01-19-2010 12:03 PM
We use a tier security system here. AD accounts as well as RSA keys. But I think our biggest thing is that we check for company owned machines. Our system checks the registry to see what domain you are attached to, but you could easily set it for a marker file or some obscure registry entry. That way only company owned machines can connect. (I think you can even use a certificate but I'm not positive about that).
Current version: 7.0R2 (build 16499)
Rollback version: 6.4R1 (build 14063)
01-19-2010 12:15 PM
Am I to understand then that you allow every username on your domain to gain access to your VPN? That's quite a dangerous tactic... we avoided the whole problem by having a short approval process for gaining remote access (approval by your manager plus HR blessing based on whether you're salaried).
Issues with your practices aside, you could easily just Role Map the generic usernames/groups to a role with no actual access. Just map them to a blank role that you created that has no access... maybe even a warning at the top that says "Hey, you shouldn't be doing this". Then you could even track the attempted usage of those accounts through the logs.
02-03-2010 10:11 PM
If you know which accounts they are, and you control the AD, create a group named NOSSLVPNAccess and add all of these accounts to that group. Then create a new role-mapping rule, assign NO ROLES to it, and map it to group NOSSLVPNAccess. Configure it to stop processing on match, and then move this rule to the top of your list.
If you're subject to PCI or HIPAA, etc., you should probably already have a No-Access group for inactive/pre-terminated accounts anyway, with a corresponding role-mapping rule. This way you don't have to make sure they're removed from every group they might be members of; you simply have to add them to the No-Access group.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
02-19-2010 10:55 PM
Create a new role mapping rule based on username (or group, if they all exist in the same group) and put the usernames in the field to match. Do NOT select a role, and enable the stop rule setting. After you save changes, move the rule to the top of the list. This will prevent those accounts from accessing services. The authentication attempt will occur and no access will be granted; they will receive a login failure message.
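The two replies above both rely on the same behaviour of the SA role-mapping pass: rules are evaluated top to bottom, roles from every matching rule are merged, and a "stop processing" rule ends the pass. The following is an added illustration (not code from the thread or from Juniper) that models that pass in Python with a constructed set of AD group memberships, so you can see why the no-role rule only blocks a generic account when it is both at the top of the list AND set to stop processing; the group name NOSSLVPNAccess comes from the thread, everything else is assumed.

```python
from dataclasses import dataclass

# Constructed sample directory: which AD groups each account belongs to.
# These are made-up accounts for the illustration, not real directory data.
AD_GROUPS = {
    "jsmith":      {"Domain Users", "VPN-Users"},
    "svc_backup":  {"Domain Users", "VPN-Users", "NOSSLVPNAccess"},  # generic account
    "contractor1": {"Domain Users"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    group: str              # AD group the rule matches on
    roles: frozenset        # roles granted on match; an empty set grants nothing
    stop_on_match: bool = False


def evaluate(rules, user, groups=AD_GROUPS):
    """Simplified model of the SA role-mapping pass (an assumption about the
    appliance, not its actual code): walk the rules in order, merge the roles
    of every rule that matches, and stop at the first matching rule that has
    'stop processing' set. An empty result means no roles, i.e. login fails."""
    assigned = set()
    for rule in rules:
        if rule.group in groups.get(user, set()):
            assigned |= rule.roles
            if rule.stop_on_match:
                break
    return frozenset(assigned)


DENY = Rule("Block generic accounts", "NOSSLVPNAccess", frozenset(), stop_on_match=True)
ALLOW = Rule("Staff VPN access", "VPN-Users", frozenset({"Users"}))

# Configuration recommended in the thread: deny rule first, with stop processing.
GOOD_ORDER = [DENY, ALLOW]
# Two common mistakes: deny rule placed after the allow rule, or without stop processing.
WRONG_ORDER = [ALLOW, DENY]
NO_STOP = [Rule("Block generic accounts", "NOSSLVPNAccess", frozenset()), ALLOW]

if __name__ == "__main__":
    for label, rules in [("correct", GOOD_ORDER), ("wrong order", WRONG_ORDER), ("no stop", NO_STOP)]:
        for user in AD_GROUPS:
            roles = evaluate(rules, user)
            print(f"{label:12} {user:12} -> {'DENIED' if not roles else sorted(roles)}")
```

Run as-is, the generic account svc_backup is denied only under the "correct" list; in the other two lists it still picks up the Users role from the allow rule.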