On Mon, Jan 18, 2016 at 12:06 PM, Grant <emailgr...@gmail.com> wrote:
>
> I am 100% web-based.  I don't want to administrate machines outside of
> my LAN so I can imagine a Chromebook would end up vulnerable
> eventually.

The whole point of chromebooks is that they auto-update in a timely
fashion, and have a guaranteed end-of-life policy years into the
future.  Sure, not quite as far as Microsoft guarantees, but nobody
runs a Windows laptop for even the length of a typical Chromebook EOL.
The chromebook also has secure boot and a signed OS, so if it is
corrupted it will go into recovery mode.  You just stick a USB drive
with a rescue image on it (which you can create from any PC with a
chrome browser or an installer) and it fixes itself.  I don't think
you can even turn off auto-updates - they're designed to be
idiot-proof.  I'm not sure if as an enterprise administrator you can
set up a policy to force a reboot to update within n days or such if
it hasn't been shut down already after an update.

In any case, if you aren't going to own the client hardware, you
basically are going to have to assume it is vulnerable since nobody
maintains their PCs well.  That means keyboard sniffing, cookie
stealing, and so on.  If you're web-based a hostile browser could just
open another session in the background after the user authenticates
(2-factor or otherwise) and do whatever it wants to.  Granted, I don't
know if anything is out in the wild which actually does this, and it
would probably need to be somewhat targeted to work (unless somebody
has a rootkit that just lets them interactively fire up another
browser on a VNC display or something using the same browser session).

Sure, a Chromebook will cost you $150, but that seems like a token
expense for an employee and it buys you a LOT of security.  You can do
the same thing on another OS, but you're going to end up adding on a
lot of stuff on top of the OS to make it work, and I'm certain the
administrative overhead would be much higher.  A chromebook is
basically what you get if you take a linux desktop and lock everything
down with TPM support and secure boot - they're even based on Gentoo.
Sure, you can DIY, but you're not going to do better without the
hardware support.

> Someone mentioned 2-factor authentication which sounds interesting.
> Are there good options for that besides SMS and Google Authenticator
> (or a similar mobile app)?  Is there a good 2FA server in Portage?  Is
> 2FA ever defeated in real life without the user's phone?

Do you mean you don't want something that involves typing in a TOTP or
similar?  Google Authenticator just uses RFC 6238 so you can use any
other compliant client to generate the codes - I'm sure those exist
for Linux, but if you're going to do that you might as well just use
an RSA-based authentication since if you can steal the client key you
can steal the RFC 6238 key.  The whole point of 2-factor is that the
second factor tends to be something that isn't on the same PC as the
client.

There is a PAM-based authenticator in portage for Google
Authenticator, which again should work with anything RFC 6238
compliant.  I use it for ssh password logins and it works great (well,
aside from having to reach for my phone anytime I log in via an
untrusted computer).

A much older option is S/Key.  I'm sure that is still around as well,
but I don't think it really has any advantages over RFC 6238.

-- 
Rich
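The RFC 6238 scheme Rich describes (Google Authenticator is just one client for it), as an added example that is not part of the original thread: HOTP per RFC 4226 with the counter derived from the 30-second time step, the base32 secret format that Authenticator apps exchange, and a verifier with a small skew window and a constant-time compare. The secret used in the checks is the published RFC test-vector key, not anyone's real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, unix_time // step, digits, algo)


def totp_from_base32(secret_b32: str, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """Authenticator-app style: the shared secret is distributed as unpadded base32
    (often shown in groups of four), so normalise and re-pad before decoding."""
    if unix_time is None:
        unix_time = int(time.time())
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return totp(base64.b32decode(s), unix_time, step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    steps to tolerate clock drift, comparing in constant time so response timing
    does not leak how many digits matched."""
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(key, unix_time + delta * step, step, digits)
        # Evaluate every candidate so the loop's duration does not depend on the match position.
        ok |= hmac.compare_digest(expected, code)
    return ok
```

RFC 4226 and RFC 6238 publish test vectors for the ASCII key "12345678901234567890", which is what the checks below rely on; the PAM module mentioned in the thread does the same computation on the ssh server side.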
