Note: Please do not confuse VMware View SSO with vCenter SSO; they are not the same.
VMware View single sign-on (SSO) is enabled by default, which is excellent. The bad part is that the default timeout is infinite, which is very insecure. With no timeout, someone could step up to your workstation while you are on a bathroom break, back out to “Desktop Library”, pick any other VM you are entitled to, and SSO would let them in without ever prompting for credentials.
The fix has been documented since the 4.6 release: http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-DB5C245D-AD48-4598-A7C6-C8FC75FC3339.html
Several sites show you how to do this with the Windows built-in tool ADSI Edit, but I can see why a few folks still get lost following those instructions. If you follow these, I can guarantee success.
1. Open ADSI Edit on one of the clustered View Connection Servers. Tip: c:\windows\system32\adsiedit.msc
In the connection settings, type the naming context “cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int” (no spaces) and connect to the computer “localhost”.
2. Right-click the “Common” folder and change the value of “pae-SSOCredentialCacheTimeout” from “-1” to whatever value you want, in minutes (mine is 5 minutes). Hit Apply.
This replicates to all the View Connection Server replicas. I hope you take the time to close this neglected security hole. I wish VMware had chosen a more secure default value or exposed this setting in the web admin interface, but no big deal.
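If you would rather audit this from a script than click through ADSI Edit on every server, here is an added example (not from the original post or from VMware) that reads and optionally sets the same attribute over LDAP. It assumes it runs as a View administrator on a Connection Server, that the View LDAP (ADAM) instance answers on localhost:389, and that the attribute holds the timeout in minutes with -1 meaning never; the function names are mine.

```powershell
# Added example, not from the original post or from VMware: audit (and optionally set) the
# View SSO credential-cache timeout over LDAP instead of clicking through ADSI Edit.
# Assumptions: runs as a View administrator on a Connection Server, the View LDAP (ADAM)
# instance answers on localhost:389, and pae-SSOCredentialCacheTimeout holds the timeout
# in minutes with -1 meaning "never expires" (the default described in the post).

$ViewLdapPath  = 'LDAP://localhost:389/cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int'
$AttributeName = 'pae-SSOCredentialCacheTimeout'

function Get-ViewSsoTimeout {
    # Current value in minutes, or $null if the attribute has never been set.
    $common = [ADSI]$ViewLdapPath
    $value  = $common.Properties[$AttributeName].Value
    if ($null -eq $value) { return $null }
    return [int]$value
}

function Test-ViewSsoTimeout {
    # One report object per server; NeverExpires is the insecure state the post is about.
    param([int]$MaxAllowedMinutes = 15)
    $current      = Get-ViewSsoTimeout
    $neverExpires = ($null -eq $current) -or ($current -lt 0)
    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        TimeoutMinutes = $current
        NeverExpires   = $neverExpires
        Compliant      = (-not $neverExpires) -and ($current -le $MaxAllowedMinutes)
    }
}

function Set-ViewSsoTimeout {
    # Writes the new value; like an ADSI Edit change, it replicates to the other
    # Connection Server replicas.
    param([Parameter(Mandatory)][ValidateRange(1, 1440)][int]$Minutes)
    $common   = [ADSI]$ViewLdapPath
    $existing = $common.Properties[$AttributeName].Value
    # Assumption: keep whatever data type the directory already returns for the attribute.
    $typed = if ($existing -is [int]) { [int]$Minutes } else { [string]$Minutes }
    $common.Properties[$AttributeName].Value = $typed
    $common.CommitChanges()
}

# Usage: report first, and only write when SSO is set to never time out.
$report = Test-ViewSsoTimeout -MaxAllowedMinutes 15
$report | Format-List
if ($report.NeverExpires) {
    Set-ViewSsoTimeout -Minutes 5
    Test-ViewSsoTimeout -MaxAllowedMinutes 15 | Format-List
}
```

Run the report half on each Connection Server after a new replica is joined; the value is replicated, but checking every server is the cheapest way to prove that.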
I have spent my time for the past few weeks configuring Cisco Secure ACS TACACS+ for Active Directory authentication and authorization. The AAA accounting for change management, however, proved to be difficult. I have used and set up the “Archive” feature for years now, but I did not know that I could send it to syslog using “notify syslog”. I actually prefer the “Archive” feature to AAA accounting; it is so much simpler to set up.
Switch(config-archive-log-cfg)#logging enable
Switch(config-archive-log-cfg)#logging size 500
Switch(config-archive-log-cfg)#notify syslog
Switch#sh archive log config all
The configuration above tracks the user and every command he or she issues, stores it on the local switch, and also sends it to syslog. Maybe in a next article I can cover Cisco Secure ACS, but there is really nothing special there, although I am using the VM version of ACS v5.3, which is probably worth mentioning.
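To show what the syslog side of this looks like, here is an added example, not from the original post or from Cisco, that parses the %PARSER-5-CFGLOG_LOGGEDCMD records the config logger emits and flags the changes a defender would want to review first (logging or AAA removed, local accounts or enable secrets touched, ACL or VTY changes). The log lines, host name, user names and the watch list are all constructed for the example.

```powershell
# Added example, not from the original post or from Cisco: parse the config-logger syslog
# records that "notify syslog" produces and flag changes worth a second look.
# The log lines below are constructed for this example (host name, user names and
# timestamps are made up); the watch list is mine and should be tuned to your own baseline.

$SampleLog = @'
Mar 12 04:01:16.921: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet1/0/24
Mar 12 04:01:19.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:description Printer VLAN
Mar 12 04:03:42.118: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no logging host 10.0.0.5
Mar 12 04:03:55.771: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:username helper privilege 15 secret 5 *****
Mar 12 04:04:10.300: %SYS-5-CONFIG_I: Configured from console by svc-backup on vty0 (10.0.0.77)
'@

# Watch list: command prefixes that weaken logging/AAA, touch local credentials, or change access control.
$WatchList = @(
    @{ Reason = 'logging, AAA or archive removed';        Pattern = '^no (logging|aaa|archive)\b' },
    @{ Reason = 'local account or enable secret changed'; Pattern = '^(username |enable (secret|password))' },
    @{ Reason = 'ACL or VTY line changed';                Pattern = '^((ip|ipv6) )?access-list|^line vty' }
)

function ConvertFrom-CfgLogLine {
    # Returns one object per CFGLOG_LOGGEDCMD record, or $null for any other syslog line.
    param([Parameter(Mandatory)][string]$Line)
    if (-not ($Line -match 'CFGLOG_LOGGEDCMD:\s*User:(?<user>\S+)\s+logged command:(?<cmd>.*)$')) {
        return $null
    }
    $user = $Matches['user']
    $cmd  = $Matches['cmd'].Trim()
    $hits = @($WatchList | Where-Object { $cmd -match $_.Pattern } | ForEach-Object { $_.Reason })
    $severity = if ($hits.Count -gt 0) { 'High' } else { 'Info' }
    [pscustomobject]@{
        User     = $user
        Command  = $cmd
        Severity = $severity
        Reason   = ($hits -join '; ')
    }
}

function Get-CfgLogReport {
    # Parse a batch of syslog lines and keep only the configuration-change records.
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-CfgLogLine -Line $_ } | Where-Object { $null -ne $_ }
}

$events = Get-CfgLogReport -Lines ($SampleLog -split "`r?`n")
$events | Format-Table User, Severity, Command, Reason -AutoSize

# Per-user summary: the same view "show archive log config all" gives you on one switch,
# but across every device that forwards to the syslog server.
$events | Group-Object User |
    Select-Object Name, Count, @{ n = 'HighRisk'; e = { @($_.Group | Where-Object Severity -eq 'High').Count } }
```

With the constructed lines above, the two jdoe interface commands come out as Info and both svc-backup commands as High (one for removing a syslog host, one for adding a privilege-15 local account), which is exactly the kind of change you want paged on rather than found at the next audit.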
Certificate Revocation Lists (CRLs) are important in a smartcard authentication architecture. I have mine configured so that if our web connection goes down, users will still be able to log in with their smartcards. This is even more important for DoD networks, since smartcards are mandated for Windows authentication. The alternative to CRLs is OCSP, which is the preferred protocol because it uses far less network bandwidth, but it offers no protection when the internet connection goes down. I am not going to do an in-depth explanation of the two, since that is not my intention for this blog.
DoD has a nifty tool called CRLAutoCache for automated downloading of CRLs. Unfortunately there is no place to specify a web proxy. Modern networks use a web proxy for security purposes, so I created a PowerShell script that downloads ALLCRLZIP.ZIP and unzips it onto an IIS server. FYI, this IIS server is also my WSUS server, so I did not introduce another IIS instance. You can just copy and paste the code and give it a .ps1 extension (mine is CRL_DOWNLOAD.ps1).
Here it is:
# Created by Totie Bash
# This part downloads the zip through the web proxy
$wc = New-Object System.Net.WebClient
$webproxy = New-Object System.Net.WebProxy("http://proxy:80", $true)
$source = "http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP"
$destination = "C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP"
$wc.Proxy = $webproxy
$wc.DownloadFile($source, $destination)
# This part unzips everything into the IIS CRL folder
$shell = New-Object -ComObject shell.application
$zip = $shell.NameSpace("C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP")
$folder = $shell.NameSpace("C:\inetpub\wwwroot\CRL")
$folder.CopyHere($zip.Items(), 0x14)   # 0x14 = overwrite existing files without prompts or a progress dialog
– I then created a scheduled task that runs every day at 4 in the morning to execute the CRL_DOWNLOAD.ps1 script. Note: I had to change the user that runs this task to “System” and check “Run with highest privileges”.
POWERSHELL -ExecutionPolicy Bypass -File "C:\WINDOWS\CRL_DOWNLOAD.ps1"
– After that I point my Tumbleweed Desktop Validator (or any DV software) to the internal CRL address as the primary validation source and push the config through GPO.
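One thing the download script does not tell you is whether the cached CRLs are still inside their validity window: if the proxy quietly blocks the nightly pull for a week, nothing alerts you that the cache has gone stale. Here is an added example (not from the original post or from DISA) that reads thisUpdate and nextUpdate straight out of each DER-encoded .crl file and reports the expired ones. It assumes the files extracted from ALLCRLZIP.ZIP are DER and live in the post's folder C:\inetpub\wwwroot\CRL; the helper names and the sample CRL it checks are mine.

```powershell
# Added example, not from the original post or from DISA: read thisUpdate/nextUpdate straight
# out of each DER-encoded .crl file so the cache can be checked for expired CRLs after the
# nightly download. Assumptions: the files extracted from ALLCRLZIP.ZIP are DER and sit in
# the post's folder C:\inetpub\wwwroot\CRL; the helper names and the sample CRL are mine.

function Read-DerTlv {
    # Decode one DER tag/length at $Offset; returns the tag and where its content starts/ends.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $pos = $Offset + 1
    $len = [int]$Bytes[$pos]; $pos++
    if ($len -band 0x80) {                       # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len * 256) + $Bytes[$pos]; $pos++ }
    }
    [pscustomobject]@{ Tag = $tag; Start = $pos; End = $pos + $len; Length = $len }
}

function ConvertFrom-DerTime {
    # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to a UTC datetime.
    param([byte]$Tag, [string]$Text)
    if ($Tag -eq 0x17) {                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        $century = if ([int]$Text.Substring(0, 2) -ge 50) { '19' } else { '20' }
        $Text = $century + $Text
    }
    [datetime]::ParseExact($Text, "yyyyMMddHHmmss'Z'", [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
}

function Get-CrlValidity {
    # CertificateList -> tbsCertList; the first two Time values at that level are thisUpdate and nextUpdate.
    param([byte[]]$Der)
    $outer = Read-DerTlv -Bytes $Der -Offset 0
    $tbs   = Read-DerTlv -Bytes $Der -Offset $outer.Start
    $pos   = $tbs.Start
    $times = @()
    while ($pos -lt $tbs.End -and $times.Count -lt 2) {
        $tlv = Read-DerTlv -Bytes $Der -Offset $pos
        if ($tlv.Tag -eq 0x17 -or $tlv.Tag -eq 0x18) {
            $text   = [System.Text.Encoding]::ASCII.GetString($Der, $tlv.Start, $tlv.Length)
            $times += ConvertFrom-DerTime -Tag $tlv.Tag -Text $text
        }
        $pos = $tlv.End                          # skips version, signature algorithm, issuer, etc.
    }
    $next = if ($times.Count -gt 1) { $times[1] } else { $null }   # nextUpdate is OPTIONAL in RFC 5280
    [pscustomobject]@{ ThisUpdate = $times[0]; NextUpdate = $next }
}

function Test-CrlCache {
    # One row per .crl in the cache; Expired is true when nextUpdate is missing or already in the past.
    param([string]$Folder = 'C:\inetpub\wwwroot\CRL', [datetime]$Now = [datetime]::UtcNow)
    Get-ChildItem -Path $Folder -Filter *.crl | ForEach-Object {
        $v = Get-CrlValidity -Der ([System.IO.File]::ReadAllBytes($_.FullName))
        [pscustomobject]@{
            File       = $_.Name
            NextUpdate = $v.NextUpdate
            Expired    = ($null -eq $v.NextUpdate) -or ($v.NextUpdate -lt $Now)
        }
    }
}

function New-DerTlv {
    # Constructed-sample helper only: short-form length (content under 128 bytes).
    param([byte]$Tag, [byte[]]$Content)
    [byte[]](@([byte]$Tag, [byte]$Content.Length) + $Content)
}

# Constructed sample (not a real DISA CRL): an unsigned CRL skeleton with thisUpdate 2012-01-01
# and nextUpdate 2012-01-08, so it shows up as expired.
$ascii     = [System.Text.Encoding]::ASCII
$sha256Rsa = New-DerTlv 0x30 (New-DerTlv 0x06 (0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B))
$cn        = (New-DerTlv 0x06 (0x55,0x04,0x03)) + (New-DerTlv 0x0C $ascii.GetBytes('Test CA'))
$issuer    = New-DerTlv 0x30 (New-DerTlv 0x31 (New-DerTlv 0x30 $cn))
$tbs       = New-DerTlv 0x30 ((New-DerTlv 0x02 @(1)) + $sha256Rsa + $issuer +
                (New-DerTlv 0x17 $ascii.GetBytes('120101000000Z')) +
                (New-DerTlv 0x17 $ascii.GetBytes('120108000000Z')))
$sampleCrl = New-DerTlv 0x30 ($tbs + $sha256Rsa + (New-DerTlv 0x03 @(0)))

$v = Get-CrlValidity -Der $sampleCrl
"Sample CRL: thisUpdate {0:u}, nextUpdate {1:u}, expired: {2}" -f $v.ThisUpdate, $v.NextUpdate, ($v.NextUpdate -lt [datetime]::UtcNow)
# Against the real cache, for example as a second scheduled task right after CRL_DOWNLOAD.ps1:
# Test-CrlCache | Where-Object Expired
```

Scheduling Test-CrlCache a few minutes after the download and having it exit non-zero when anything comes back Expired turns a silent proxy failure into a task-scheduler failure you can actually see.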