FAQ on 2nd Auth
I’ve already received a number of questions about my secondary authentication tool, 2ndAuth. Here’s a few answers:
- You only show it working for Windows Server 2003 and Windows XP – does it work on other platforms?
Currently, we only support using it for Windows Server 2003 and Windows XP, although it’s possible that it might work in Windows 2000 Server. The technique used certainly won’t work in Windows Vista or Windows Server 2008, but I have plans to make a different version of the same idea to work there.
- Is this a custom GINA? Does it work with other custom GINAs?
This is definitely not a custom GINA, but it ties in to the WinLogon process that the GINA is required to call. As a result, on some custom GINAs, it’s possible that it might not work correctly, if the custom GINA does not call the WinLogon functions in the correct sequence or with the correct desktop visible. So, if you’re finding that it has issues with your custom GINA solution, try it without the GINA to see how it’s supposed to work.
- Does the secondary authentication prompt occur on all logons?
The prompt only occurs on interactive logons – these are logons that go through the GINA and WinLogon UI process. That means when you log on using Ctrl-Alt-Del at the desktop, or when you log on from a remote terminal session using Remote Desktop Protocol / Remote Desktop Connection. The prompt does not occur for service logons, batch logons, network logons, or any other non-interactive logons.
This is a good thing, as it means that you can use 2ndAuth to provide auditing on service account accesses, such that all interactive logons using the service account can be audited – you will finally know who is using that service account to illicitly get domain admin privileges!
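To make the interactive / non-interactive split concrete, here is a small added example (my own illustration, not part of 2ndAuth) that sorts Windows logon records for a shared service account by their standard logon-type code and reports which ones would have reached the WinLogon prompt. The event lines are constructed, not real log output; treating cached-interactive (type 11) as prompted, and the optional handling of workstation unlock (type 7), are my assumptions.

```python
"""Classify logon events by logon type so you can see which logons of a
shared account would hit an interactive-only prompt like 2ndAuth's.
Added example with constructed sample data; not the tool's own code."""

# Standard Windows Security-log logon-type codes.
LOGON_TYPES = {
    2: "Interactive",          # console logon (Ctrl-Alt-Del)
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",               # workstation unlock
    10: "RemoteInteractive",   # RDP / Terminal Services
    11: "CachedInteractive",   # console logon with cached credentials (assumed prompted)
}

# Logon types that go through the GINA / WinLogon UI and therefore get the prompt.
PROMPTED_TYPES = {2, 10, 11}

# Constructed sample records: "<account>,<logon type>,<source host>"
SAMPLE_EVENTS = """\
svc_backup,5,SRV01
svc_backup,2,WS-ADMIN03
svc_backup,3,SRV02
svc_backup,10,WS-ADMIN07
jdoe,2,WS-USER12
svc_backup,4,SRV01
svc_backup,7,WS-ADMIN03
"""


def parse_events(text):
    """Turn the comma-separated sample lines into dicts; skip blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, logon_type, host = line.split(",")
        events.append({"account": account, "type": int(logon_type), "host": host})
    return events


def would_prompt(event, include_unlock=False):
    """True if this logon type reaches the interactive WinLogon UI.
    include_unlock models the possible future option of prompting on unlock."""
    types = PROMPTED_TYPES | ({7} if include_unlock else set())
    return event["type"] in types


def audit_shared_account(events, account, include_unlock=False):
    """Split one account's logons into (prompted, silent) lists.
    'silent' logons are the non-interactive ones the prompt never sees,
    so they still need other audit coverage."""
    prompted, silent = [], []
    for e in events:
        if e["account"] != account:
            continue
        (prompted if would_prompt(e, include_unlock) else silent).append(e)
    return prompted, silent


def summarize(events, account):
    """Human-readable lines: who used the shared account interactively, from where."""
    prompted, silent = audit_shared_account(events, account)
    lines = [f"{account}: {len(prompted)} prompted, {len(silent)} silent"]
    for e in prompted:
        lines.append(f"  prompted  type {e['type']:>2} ({LOGON_TYPES[e['type']]}) from {e['host']}")
    for e in silent:
        lines.append(f"  silent    type {e['type']:>2} ({LOGON_TYPES[e['type']]}) from {e['host']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_events(SAMPLE_EVENTS), "svc_backup")))
```

Run it and the two console/RDP logons of svc_backup show up as prompted while the service, network, batch and unlock entries stay silent; that silent list is exactly the set of logons you still have to cover with ordinary event-log auditing.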
- What are the plans for developing this in the future?
As I mentioned earlier, a Windows Vista version is definitely on the way. I’m thinking also that we would do well to have a little bit of User Interface to configure the shared accounts, and maybe a help file.
What do you want to see in the next version of this tool?
Oh, and of course the other thing we’ll be adding is a fee for its use.
One other feature I’m thinking of is to expand where the 2nd auth dialog pops up – perhaps there is reason to have it appear when unlocking a workstation.
- Couldn’t an administrator just disable the 2ndAuth DLL?
Absolutely. The whole point of this, however, is to keep people honest by making it easy for them to record who’s accessing a shared account. Your administrator could very easily abuse shared accounts with or without this tool, so it’s serving its purpose of making it less likely that a shared account will be used without some form of tracking.
And there are other tools that will alert you if a critical system file is removed or altered – you can make those tools watch the configuration and DLL for 2ndAuth to make sure that they are not changed.
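As an added illustration of the kind of watch those tools perform (my own minimal version, not any particular product and not 2ndAuth's code), here is a baseline-and-compare check that records SHA-256 hashes of the watched files and later reports anything modified or removed. The file names it creates are placeholders; 2ndAuth's real DLL and configuration paths are not given here.

```python
"""Record SHA-256 hashes of watched files, then re-check them and report
tampering.  Added example using placeholder file names; not a real
integrity-monitoring product and not 2ndAuth's own code."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large DLLs do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(paths):
    """Map each watched path to its current hash (None if it does not exist)."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(baseline, store_path):
    """Persist the baseline; in practice keep it somewhere the admin cannot edit."""
    with open(store_path, "w") as f:
        json.dump(baseline, f, indent=2)


def load_baseline(store_path):
    with open(store_path) as f:
        return json.load(f)


def compare(baseline):
    """Re-hash every baselined path and report 'missing' or 'modified' entries."""
    findings = {}
    for path, expected in baseline.items():
        current = sha256_file(path) if os.path.isfile(path) else None
        if current is None and expected is not None:
            findings[path] = "missing"
        elif current != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Create placeholder DLL and config files, baseline them, tamper, re-check.
    Returns (clean_findings, tampered_findings)."""
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "placeholder_2ndauth.dll")   # placeholder name
        cfg = os.path.join(d, "placeholder_2ndauth.ini")   # placeholder name
        store = os.path.join(d, "baseline.json")
        with open(dll, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)                   # constructed content
        with open(cfg, "w") as f:
            f.write("[shared]\nsvc_backup=1\n")              # constructed content

        save_baseline(take_baseline([dll, cfg]), store)
        clean = compare(load_baseline(store))                # nothing changed yet

        with open(cfg, "a") as f:                            # edit the config
            f.write("svc_backup=0\n")
        os.remove(dll)                                       # remove the DLL
        tampered = compare(load_baseline(store))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

The first comparison comes back empty; after the config edit and DLL removal the second one flags one file as modified and one as missing, which is the condition you would have your monitoring tool alert on.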
I was very pleased to see Larry Seltzer at the PC Magazine Security Watch Blogs pick the original posting up – thanks, Larry!