
I have a server that I have technicians who need to be able to access using shared credentials. However, doing that violates our security policy (!). I need each user to be able to authenticate using their own credentials, but the server in question has to be logged in with a certain login (these two requirements are clearly diametrically opposed).

I thought that this would be a great application for a RADIUS server. I know how to setup RADIUS to go from Windows --> Cisco, but I have no idea how to use RADIUS to authenticate Windows --> Windows.

Can this be done? If so, how?

mfinni
drosenblatt
  • Why do they need to use shared credentials? It seems like you might be using a sledgehammer to squash a fly. – MDMarra Jan 10 '11 at 16:53
  • We're using Ghost, which only supports one login (I've actually got several apps that have to use "specific" logins; this is just one). – drosenblatt Jan 10 '11 at 17:01

3 Answers

Put the machine in your domain. Leave the application login on the console session. License it as a TS server and let them login to it via RDP with their domain accounts.

/edit - OK, I didn't understand that. My solution still works: if it's in the domain (or in a domain that trusts your domain), then they can authenticate and access via CIFS/SMB, or anything else that uses Windows authentication. To have Windows actually authenticate against something other than a local SAM or a domain, you have to replace the GINA; there is no built-in functionality for selecting other sources of authentication. That's what the GINA is for: if you want to use (or build) other authentication options. MS doesn't make any other GINAs, as far as I know. pGina says it will work with RADIUS; I haven't used it myself, but I know that it's been around for quite some time.

mfinni
  • Understood, but I'd really like to use RADIUS. They shouldn't have direct console access. – drosenblatt Jan 10 '11 at 17:41
  • Edited my answer based on your response. – mfinni Jan 10 '11 at 17:50
  • So I guess that's a no - RADIUS is only for remote systems (i.e. *outside* of Windows)...correct conclusion? – drosenblatt Jan 10 '11 at 19:33
  • Only a correct conclusion for a stock build. As I explained, you can get third-party components that use the GINA framework/API from Microsoft (so this isn't a hack or exploit) to use other sorts of authentication. pGina specifically can use RADIUS; there may be others. It's also free, so that may be a plus. – mfinni Jan 10 '11 at 19:46
  • @James - I'm talking about GINA logins - via login prompt, SMB, etc. If you know a method, without replacing the GINA, to use IAS (RADIUS) directly, then you can provide a different answer to the question. Please be more specific than "read the docs". – mfinni Jan 11 '11 at 14:21
  • @mfinni Re: GINA logins, yes I see that now. The cisco tag confused me. Helps if I read closer, I suppose ;). – JamesBarnett Jan 11 '11 at 14:36
  • Wanna take away your downvote too, please? – mfinni Jan 11 '11 at 14:52
  • Just to clarify to all... we a) don't want these users to log on to servers, b) want it loggable, and c) it would be good to do it remotely (e.g. RADIUS). Doesn't look possible... – drosenblatt Jan 11 '11 at 22:25
  • Question - what do you mean by "don't want users to log on to servers"? What exactly (and I mean exactly) do you want them to do? How are they going to be using the server? – mfinni Jan 11 '11 at 23:00

Hmm ... an interesting question. After a quick Google, I came across a forum post that gave me an idea.

Dial-up Networking: use login via dial-up networking to log in over a VPN. This might allow you to track logins.

JamesBarnett
  • This is an interesting tactic and might possibly work for RDP/console access, but drosenblatt explained that the users won't actually be coming in that way. – mfinni Jan 11 '11 at 15:32

Here's a crazy idea...

Have the techs each have their own logins, but then runas an explorer shell for the shared account. That way the login of each tech can be logged in Event Viewer, but they can still access the Ghost program under its specific login.

Think of it as the Ghetto Windows Sudo (TM).

First:

  • Create logins for each of the techs.
  • Make sure logins & privilege use are being logged by Windows.

To change to the shared account:

  • In a command prompt type: runas /user:sharedaccount cmd (To create a command prompt running as the shared account)
  • Ctrl+Alt+delete
  • Kill the explorer.exe process
  • In the shell window type: explorer.exe

To get back to the tech's personal account:

  • Ctrl+Alt+delete
  • Kill the explorer process
  • File --> New Task --> type: explorer.exe --> Click OK
  • Click on the start menu to confirm your explorer shell is running as the tech's personal account
JamesBarnett
  • This won't work for reasons the requestor clarified in a comment on my answer - the users aren't going to be logging into the server via RDP/console. I assume they'll be using SMB/CIFS. – mfinni Jan 11 '11 at 15:31
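As an added example (this is not code from the original answer or from any project mentioned on the page), here is a Windows PowerShell script that scripts the same "log on as yourself, then run the tool as the shared account" idea with the audit trail the answer is after: it starts a program under the shared account with Start-Process -Credential and writes an Application-log event that ties that launch back to the technician's own logon. Instead of the explorer-shell swap in the answer, it launches the program directly. The shared account name, the program, and the event source name 'SharedAccountLaunch' are placeholders chosen for this example; the auditpol line in the comments assumes the Vista-or-later audit policy subcategories, and New-EventLog needs an elevated prompt the first time it is run.

```powershell
<#
  Added example: run a program as a shared account while recording which
  technician launched it, so the shared account's activity in Event Viewer
  can be attributed to an individual.

  Assumptions (placeholders, not from the original post):
    - $SharedUser 'sharedaccount' is the shared application account.
    - Event source 'SharedAccountLaunch' is registered in the Application log.

  Enable logon and process auditing once, from an elevated prompt (Vista+):
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation" /success:enable
#>

param(
    [string]$SharedUser = 'sharedaccount',   # placeholder shared account name
    [string]$Program    = 'cmd.exe'          # tool to run as the shared account
)

$Source  = 'SharedAccountLaunch'   # placeholder event source name
$LogName = 'Application'

# Register the event source the first time only (needs an elevated prompt).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# The technician's own logon identity, i.e. who is really at the keyboard.
$Tech = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Ask for the shared account's password interactively; it is held only as a
# SecureString inside the credential object and is never written to the log.
$Cred = Get-Credential -UserName $SharedUser -Message "Password for $SharedUser"

# Start the tool under the shared account and keep a handle to the new process.
$Proc = Start-Process -FilePath $Program -Credential $Cred -PassThru

# Record who launched what, as whom, with the child PID for later correlation
# against the 4688 process-creation events that auditpol turns on.
$Message = "Technician '$Tech' started '$Program' (PID $($Proc.Id)) as '$SharedUser'."
Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
    -EntryType Information -Message $Message

Write-Output $Message
```

Run it from the technician's own session, e.g. `.\Run-AsShared.ps1 -Program 'C:\Path\To\Ghost.exe'` (the script name and path are placeholders). Each launch then appears as an event from the SharedAccountLaunch source naming the technician, alongside the 4624 logon event for the shared account that Windows writes anyway, which is what makes the shared account's use loggable per person.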