
Multi Factor Authentication Project
Submitted by devans on Tue, 2008-06-24 13:50
This is a placeholder for the upcoming Multi-Factor Authentication Project.

Multi or Two Factor Authentication Project
Submitted by devans on Tue, 2008-06-24 12:37
Quite some time ago I put together a proof of concept illustrating the relative simplicity with which a multi-factor authentication system, sometimes referred to as two-factor authentication, could be established for web services.
My basic design concept was to use server-side technologies to create and store an authenticated session key once strong authentication with the client browser had been achieved.
A couple of design parameters that I set myself early on during the development stage were to ensure ease of integration with existing web sites and the lowest possible cost in development time and maintenance, while achieving the primary goal of strong authentication.
Having achieved this basic concept (a demo site can be seen at http://www.david-c-evans.com/mfa) I have now decided to breathe new life into the project and improve upon the design while hopefully streamlining and enhancing the code.
**NOTE: There appears to be a problem with the demo site login right now. I will fix this very shortly.** - ALL FIXED NOW!!!
This time around my goal is to build upon the original design and include mutual authentication aspects, along with adopting a 'captcha'-style element for masking the extended authentication request from the server.
To track the design enhancements I have decided to resurrect the forum once attached to this site to show code changes and improvements to this new release, not only by myself but also by any other individuals who wish to contribute to the project. Of course I am providing this as an Open Source development effort for all to use as they see fit.
I'll update this page when I have the code available for download as a package along with the relevant SQL backend.
Until then watch this space!

Disabling USB Storage Devices
Submitted by devans on Tue, 2008-05-20 12:14
Controlling what information can be moved around via thumb drives, iPods, cameras and other forms of removable storage media has gained a lot of focus over the past 12 months. That is not to say the need hasn't been there for much longer, because it has; rather, media attention following the exposure and loss of personal information, for instance social security numbers, has resulted in auditor attention.
There are a number of third-party products that claim to control the use of USB storage devices and whether they are read-only or read-write; however, in my experience the simplest approach is usually the only approach that stands the test of time.
What I am referring to here specifically is control through local security settings and, in the case of Windows, also through Group Policy and Active Directory.
The NSA has produced a rather enlightening document that addresses the need not only as it relates to Microsoft Windows but also to Linux, Solaris (both 9 and 10) and Mac OS X. For further reading you may find the document here on this site or directly from the NSA, here.
Unfortunately this document does not cover the currently available Windows 2003-based Domain and Active Directory.
Windows Vista has a number of additional Administrative Templates that provide better 'out of the box' control of such devices. (It is out of the scope of this post to validate whether exporting any of these templates and subsequently importing them into 2003 would provide this additional functionality, and as such I would love to hear from anyone who has pursued this direction, whether successfully or unsuccessfully.)
For now, we have another way. The Administrative Template attached to this post here and listed below may be imported into the Active Directory domain template in your domain and enabled to effectively provide read-only access to USB devices. This policy change will not disable the use of any USB-powered keyboards or mice.
As mentioned earlier in this post, there are a number of third-party products that purport to control access in a similar fashion, but most if not all of those that successfully achieve this are commercial products. Windows Group Policy is an integral, necessary component of any Windows-based Active Directory domain and can be enabled to offer a potentially similar, albeit basic, level of control at a price acceptable to all.
If you wish to take the level of control even further, you may use the information found here at the Microsoft web site to disable other devices such as CD-ROM, floppy and LS-120 drives as well.
If any errors or omissions in the methods described by the attached NSA document or by the Microsoft web site have subsequently surfaced through user testing, please let us know so we can all share your experiences.
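As an added example (not the Administrative Template attached to this post, which is not reproduced here), the PowerShell below audits the registry values that Windows honours for USB storage control, so an administrator can confirm that the policy actually landed on a workstation after a Group Policy refresh. It assumes the standard StorageDevicePolicies\WriteProtect value (read-only removable storage) and the USBSTOR service Start value (driver disabled), neither of which is quoted on this page.

```powershell
# Added audit helper, not the author's template: report the effective USB storage
# control state on the local machine so a policy rollout can be verified.
function Get-UsbStoragePolicyState {
    $storPol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # WriteProtect = 1 makes removable storage read-only (Windows XP SP2 / 2003 SP1 and later).
    $writeProtect = (Get-ItemProperty -Path $storPol -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    # Start = 4 disables the USB mass-storage driver outright; 3 (manual) is the default.
    $startType = (Get-ItemProperty -Path $usbStor -Name Start -ErrorAction SilentlyContinue).Start

    if ($null -eq $writeProtect)  { $wpText = 'not set (read-write)' }
    elseif ($writeProtect -eq 1)  { $wpText = 'enabled (read-only)' }
    else                          { $wpText = "value $writeProtect (read-write)" }

    if ($null -eq $startType)     { $drvText = 'USBSTOR key not present' }
    elseif ($startType -eq 4)     { $drvText = 'disabled' }
    elseif ($startType -eq 3)     { $drvText = 'manual (default, enabled)' }
    else                          { $drvText = "start type $startType" }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        WriteProtect  = $wpText
        UsbStorDriver = $drvText
        # Either control satisfies the "no data leaves on a thumb drive" goal.
        Compliant     = ($writeProtect -eq 1) -or ($startType -eq 4)
    }
}

# Local remediation for a machine outside the domain policy scope; supports -WhatIf.
# On domain members the Group Policy setting will re-apply over whatever is set here.
function Set-UsbStorageReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Revert)
    $storPol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    if (-not (Test-Path $storPol)) { New-Item -Path $storPol -Force | Out-Null }
    $value = if ($Revert) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($storPol, "set WriteProtect=$value")) {
        Set-ItemProperty -Path $storPol -Name WriteProtect -Value $value -Type DWord
    }
}

# Run locally (elevated), or fan out with:
#   Invoke-Command -ComputerName ws01,ws02 -ScriptBlock ${function:Get-UsbStoragePolicyState}
Get-UsbStoragePolicyState | Format-List
```

The WriteProtect value is consulted when a device is attached, so a drive already mounted keeps its current access until it is reconnected.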
I hope you find this information useful.
Thanks.
