Truecrypt and Active Directory

This post has been published under “Integrating Truecrypt with Active Directory”

Integrating Truecrypt with Active Directory

I am not claiming any subject-matter expertise in cryptography; I am merely looking at Truecrypt as a potential candidate for enterprise use and at the challenges faced by systems administrators managing such a tool.

(1) Asking users to change the Truecrypt (full disk encryption) password when they change their domain account password every 60 or 90 days. Ideally, if the same password is used for both the Active Directory domain account and for Truecrypt, it can reduce support calls.

(2) Allowing an IT security officer to recover the data when the password is forgotten.

For #1, it seems there is no library available that can be used to set the Truecrypt password to be the same as the Active Directory domain password.

For #2, there are two options. One is to not do what is suggested in #1 but to have the user set a PIN that is known only to designated administrators or the security officer. This means that when the domain password is changed, the user must be prompted to enter a PIN, which is then saved in a central database and is retrievable by designated administrators of specified computers or by the IT security officer(s). It should also be possible to store the unique information that is otherwise stored in the Truecrypt recovery disk ISO file in the central database and then reuse it to create an ISO, so the admin or IT security officer can gain access to the system when required.

From zero to boot in 0 seconds!

Simply leave your Microsoft(R) Windows(TM) based computer powered on, as you would leave your smartphone on all the time. That is going from zero to boot in 0 seconds! But that comes with a catch, or rather problems (lots of them), that your systems administrators do not want to deal with. If your computer could probe for a network connection to your corporate network and perform the tasks that are not performed during a cached-profile (off-network) login, you would have a Windows system that is up and running 24 x 7.

Synergix Active Directory Client Extensions was developed with this design requirement in mind. It queues up tasks, from domain password expiration notifications, to Group Policy refreshes, to running user logon scripts. That gives the business user a rich corporate computing experience without having to deal with the boot-up time. Let’s be realistic; even if newer versions of Windows boot up in a very short time, the annoying part is when you have to launch your applications, like MS Outlook. You might as well caffeinate your bloodstream even more until the machine is ready to use effectively.

So, with Synergix Active Directory Client Extensions software installed, do not shut down your computer and always be ready in 0 seconds!

Changing domain password over VPN

In an Active Directory environment, the default domain policy, specifically the password expiration policy, can cause resource access issues for VPN users, who typically log in with cached credentials. When their password is about to expire, they do not receive the password change notification, which ultimately results in their account being locked out. The issue gets resolved by the users having to call the help desk to have their password changed. These service requests to the help desk translate into lost productivity and potential disruption of services to business users. Although sending e-mail notifications is an option, it is not as effective a solution for changing the domain password over VPN. Users learn to treat such recurring notifications as spam and may start to ignore these password change notifications. Even otherwise, a significant number of remote users may read such notifications when they are offline and then tend to procrastinate on the password change, as it requires them to re-establish the VPN connection.

SYNERGIX Active Directory Client Extensions [ADCE] software allows VPN-connected users (even those who log in from computers in a workgroup environment or from an untrusted domain) to receive domain password notifications and to change the domain password seamlessly; there is no need to make any exception to the domain password policy or to apply a fine-grained password policy. The users’ login and password change behavior remains the same as for LAN-connected users, so no special instructions need to be provided to them. Upon establishing a VPN connection to the corporate network, users are presented with a password change notification and then with a secure form to change their domain credentials. The cached credentials are immediately synchronized with the domain credentials, and the user continues with their normal business activities without having to call the support desk.

For seamlessly changing the domain password over VPN and reducing your support costs, visit www.synergix.com for more information on their Active Directory Client Extensions software.

Group Policy Updates

Group Policies apply when the computer starts up or when the user logs in, and after that event every 90 minutes on a domain computer. This may work very well for LAN-connected computers; however, for remote computers that generally start up without being connected to the corporate network, where the user logs in with cached credentials, the event-based Group Policy refreshes are completely missed. In such cases, the user must remain logged in for an extended period of time (90 minutes) for the policies to download and apply over the VPN connection. The point is that it leaves the remote computers in an unpredictable state, and the administrator is never sure whether the Group Policy updates were successfully applied on every remote computer.

There are workarounds, for sure. You can have the user run the gpupdate command; for instance, create a shortcut on their desktop and have them launch it every so often. But that’s not enterprise IT administration; that’s a band-aid. Oh, and how about the case when you change the group membership of computers and users? How do they get updated when the remote computer starts off offline and the user logs in with cached credentials? That’s truly a catch-22 situation. Surely, you can use ‘Dial-Up Networking’ to initiate a VPN connection and then log in, but honestly, how many companies can leverage that option when legacy VPN client software or SSL-based VPN solutions are more popular?
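As an added example (not Synergix code, and not part of the original post), the following PowerShell script turns the gpupdate workaround above into something an administrator can schedule rather than hand to users: it refreshes policy only when a domain controller actually answers, and records when machine policy was last applied before and after. It assumes a scheduled task in the user's session fires it on a network-change trigger; the log path is a placeholder.

```powershell
# Added example, not Synergix code: refresh Group Policy as soon as a domain controller is
# reachable, rather than waiting for the 90-minute background refresh or handing users a
# gpupdate shortcut. Intended to run from a scheduled task in the user's session on a
# network-change trigger of your choice; the log path below is a placeholder.
param([string]$LogPath = "$env:ProgramData\GpRefreshOnConnect.log")  # placeholder path

function Test-DomainControllerReachable {
    # Netlogon DC locator: fails while the machine is offline or the VPN tunnel is not yet up,
    # which is exactly the cached-credential situation described above
    $null = & nltest.exe /dsgetdc: 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-MachinePolicyLastApplied {
    # FILETIME (EndTimeHi/EndTimeLo) written by the core Group Policy engine after each machine pass;
    # this is the value gpresult reports as the last time Group Policy was applied
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $v) { return $null }
    $ft = ([int64]$v.EndTimeHi -shl 32) -bor ([int64]$v.EndTimeLo -band 0xFFFFFFFF)
    return [datetime]::FromFileTime($ft)
}

function Invoke-PolicyRefresh {
    param([ValidateSet('computer', 'user')][string]$Target)
    # /force re-applies every setting even when GPO versions are unchanged;
    # /wait bounds how long we block on a slow VPN link
    $out = & gpupdate.exe /target:$Target /force /wait:120 2>&1
    return [pscustomobject]@{ Target = $Target; ExitCode = $LASTEXITCODE; Output = ($out -join ' ') }
}

$stamp = Get-Date -Format s
if (-not (Test-DomainControllerReachable)) {
    Add-Content -Path $LogPath -Value "$stamp no domain controller reachable, skipping refresh"
    return
}
$before  = Get-MachinePolicyLastApplied
$results = 'computer', 'user' | ForEach-Object { Invoke-PolicyRefresh -Target $_ }
$after   = Get-MachinePolicyLastApplied
foreach ($r in $results) {
    Add-Content -Path $LogPath -Value "$stamp $($r.Target) refresh exit=$($r.ExitCode) $($r.Output)"
}
Add-Content -Path $LogPath -Value "$stamp machine policy last applied: before=$before after=$after"
```

Note that a forced refresh does not rebuild the user's logon token, so changes to security group membership still take effect only at the next logon, which is the catch-22 the post describes.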

Active Directory Client Extensions by Synergix has a feature whereby the Group Policy updates occur immediately after the user connects to the corporate network. Yeah, it is VPN client software agnostic and works on Windows 2000 Professional through Windows 7.0, on both x86 and x64 platforms. With Active Directory Client Extensions, there is no need to wait for up to 90 minutes for the policies to download and apply.

Visit www.synergix.com and download Active Directory Client Extensions. Installation is a breeze, and configuration is all Group Policy based.

Duplicate DNS records

DNS Scavenging is a feature that must be enabled so that stale or duplicate DNS records get deleted safely, after the necessary checks and balances have been performed. However, it comes with its own set of challenges. Administrators managing desktops and laptops have to balance the DHCP lease period against the DNS Scavenging no-refresh and refresh intervals in order to have the systems work optimally. For example, an administrator may configure the DHCP lease period to 8 days for LAN-connected computers and set the DNS Scavenging ‘no-refresh interval’ and ‘refresh interval’ to 7 days each. Such a configuration on the DNS server ensures that the records are not updated too often, which would otherwise cause replication to occur frequently.

Now consider this scenario: our typical roaming laptop users connecting via the on-campus WiFi network or a VPN client from anywhere, at any time. With multiple DHCP servers and VPN concentrators supporting the roaming user base, and with DNS updates allowed on several DNS servers, a significant number of such computers can get different IP addresses assigned at different times on the same day, resulting in duplicate DNS records. Although the client computers will resolve resource servers normally, inbound connections from management consoles are impacted. This duplicate DNS records issue is very common and impacts MS SMS and MS SCCM administrators who may use remote help desk or remote desktop features to troubleshoot issues. Name resolution against duplicate DNS records can result in connections being made to the wrong computers. And what about DNS Scavenging? ‘Patience is a virtue’ they say, but for how long? 7 days, 15 days? I think even 1 day of waiting is testing the patience of many. So, Houston, we have a problem.
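As an added example (not Synergix code, and not part of the original post), this PowerShell script reports the two shapes of duplicate the scenario above produces, one host name with several A records and one address claimed by several host names, and shows each record's timestamp against the zone's no-refresh plus refresh window, so an administrator can see which copies scavenging would eventually remove and which it would not. It assumes the DnsServer module (RSAT / Windows Server 2012 or later) and uses placeholder zone and server names.

```powershell
# Added example, not Synergix code: find duplicate A records in an AD-integrated zone and show
# how long each one must still wait before DNS Scavenging is allowed to remove it.
# Requires the DnsServer module; zone and server names are placeholders.
param(
    [string]$ZoneName  = 'corp.example.com',       # placeholder zone
    [string]$DnsServer = 'dc01.corp.example.com'   # placeholder DNS server
)

Import-Module DnsServer

# A dynamic record becomes eligible for scavenging only once NoRefresh + Refresh has elapsed
# since its timestamp (7 + 7 = 14 days with the intervals discussed above).
$aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
Write-Host ("Zone {0}: aging enabled={1}, scavenging window={2} days" -f $ZoneName, $aging.AgingEnabled, $window.TotalDays)

$now = Get-Date
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A |
    Where-Object { $_.HostName -ne '@' } |
    ForEach-Object {
        [pscustomobject]@{
            HostName  = $_.HostName
            IPAddress = $_.RecordData.IPv4Address.IPAddressToString
            Timestamp = $_.Timestamp               # $null for static records, which are never scavenged
            Eligible  = ($null -ne $_.Timestamp) -and (($_.Timestamp + $window) -lt $now)
        }
    }

# Case 1: one host name, several addresses (the roaming laptop registered from WiFi, VPN and LAN)
$records | Group-Object HostName | Where-Object Count -gt 1 | ForEach-Object {
    Write-Host "Host $($_.Name) has $($_.Count) A records:"
    $_.Group | Sort-Object Timestamp | Format-Table IPAddress, Timestamp, Eligible -AutoSize
}

# Case 2: one address, several host names (a lease re-issued before the old record aged out);
# this is the case where a management console can end up connecting to the wrong computer
$records | Group-Object IPAddress | Where-Object Count -gt 1 | ForEach-Object {
    Write-Host "Address $($_.Name) is claimed by: $($_.Group.HostName -join ', ')"
}
```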

And here comes Active Directory Client Extensions (ADCE) by Synergix to the rescue. With Active Directory Client Extensions, the DNS management, or rather the DNS Scavenging, is performed by the DNS client computer. What a concept! Machines create a mess, machines clean up their own mess. This is like me telling my 12-year-old to clean up his room, not every weekend but every time he creates a mess.

The good thing is that Active Directory Client Extensions (ADCE) does not require any changes to the Active Directory infrastructure; there is no need to install any software on any Domain Controller or server, and no schema changes, yet the magic happens. Simply download and install the MSI package on a Windows computer with .NET Framework 3.5 SP1, then sit back and relax.