Hi Tony,

I would think the only security risk with doing this is that if a laptop
is stolen, the entire contents of the directory, rather than just this
user's credentials, could be compromised.

In today's regulatory environment, where full disclosure of compromises,
including theft of data-laden hardware or media, is often legally
mandated, this could be disastrous.  Obviously, I could be over-reaching
here - I don't know anything about the organization and therefore about
relevant legislation, but you should think about that possibility,
if for no other reason than to assure yourself that it does not apply.

The operational impact of replicating ADAM all over the place is
that you're dropping a large-ish piece of software on many workstations,
and they don't really need it.  There may also be more replication
traffic and load on the central server than you might want.

A simpler solution, I would think, would be for this app to cache
on disk an encrypted copy of the current user's LDAP object whenever
the user successfully authenticates to the central ADAM.  If the user
wants to use the app offline, the app would detect the fact that the
hardware it's on happens to be offline at startup (that's easy to do),
and authenticate the user against the disk image of the last user object.

In case your vendor doesn't know how to tell whether a machine is online
-- give them this C++ code snippet to get them started:

  // get the list of interfaces (Winsock 2: needs <winsock2.h>/<ws2tcpip.h>,
  // an open SOCKET s, and a buffer INTERFACE_INFO iInfo[MAX_INTERFACES] of your own size)
  DWORD numBytes = 0;
  int rcode = WSAIoctl( s, SIO_GET_INTERFACE_LIST,
                        NULL, 0,
                        (LPVOID) iInfo, sizeof(INTERFACE_INFO) * MAX_INTERFACES,
                        &numBytes, NULL, NULL );
  if ( rcode == SOCKET_ERROR )
      /* handle WSAGetLastError() */ ;
  // numBytes / sizeof(INTERFACE_INFO) entries were returned; check each iiFlags for IFF_UP

This approach is roughly how cached credentials in Windows allow users
to sign onto their laptops with domain credentials while disconnected.

Bottom line: this method is pretty simple, doesn't require any special
software running on the PC, and limits the impact of a theft or compromise
of the user's workstation.

Good luck,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


On Wed, 4 Oct 2006, Tony Murray wrote:

I've been talking to a vendor about an application they are developing.
It involves running ADAM instances on XP Pro machines (laptops) that
replicate with a centralised ADAM instance running on W2K3.  I don't have
further details at this stage, but I believe they are planning to use
the local ADAM instance to authenticate laptop users to an application
when they are off-line.

In addition to security concerns with this approach, I'm
not really comfortable with the idea of ADAM instances on
laptops being part of a configuration set.  I had always
understood ADAM on XP to be used for a personal data store
(http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony








List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

