Two-factor auth from the get-go: Eliminating Password1.

Posted by:

admin 9 years, 3 months ago

Yesterday, Dave Kennedy tweeted:

Hearing security folks say we should simulate advanced threat actors when companies still have “Password1” for their admins is a shame.

Why Password1?  When you setup the OS and you're prompted to create the admin password, it needs to something you can remember or your co-workers know.  You might have a process to create a random password, but then you paste it into a shared spreadsheet. That's no good either.  What you really need is two-factor authentication from the get-go - setup at the initial configuration.  Obviously, the OS maintainers can't do this.  You need to know information specific to your network and much of that information that needs to be secure.

Luckily, you can now start with an ISO of your favorite OS and use a configuration tool to build your server.

And we have a demonstration of how to do this. The examples are slightly more complex actually.  These packer scripts we released on GitHub build Centos-based servers that have OpenVPN pre-configured for two-factor authentication.  The commands used to configure two-factor authentication are:

cp  /root/rpms/pam_radius_auth.so /lib64/security/
mkdir /etc/raddb/
cp /root/rpms/server /etc/raddb/
cp /root/rpms/sshd /etc/pam.d/

The server file is what tells PAM where the radius server is and the shared secret.  The sshd file tell PAM to use the radius shared library which is copied in the first line.  Add the line:

cp /root/rpms/sshd /etc/pam.d/sudo

And two-factor authentication will be required for sudo and su too. You can do the same for login, but we recommend you have some way to get in if things go south.

With Packer you can create images for a bunch of virtual platforms. For hardware you will have to use a configuration, but there are plenty of those (Salt, Ansible, Puppet, Chef etc).

What do you get?

1.  Idempotent servers.  All the configuration are exactly the same.
2.  No static passwords for sshd, sudo or su. No more Password1 for admins.
3.  Using RADIUS allows you to perform authorization in your directory.

That last point is pretty important.  If you disable root access via ssh, disable su and use two-factor auth for sudo, then disabling a user in your directory will remove their admin rights.

The JP Morgan breach showed that organizations need to use religiously use configuration management tools.  These tools need to become part of server setup with security configured properly.   Our hope is that small organizations can use these scripts to build more secure systems remote access services.  We plan to add more security features to these scripts as well.

Note that this example uses two-factor authentication, because that's what we do, but it applies logging, auditing, back-ups, etc.  We need to make it dead simple to set things up securely from the start.  DevOps can help solve security issues - even if you aren't pushing 100 releases a day.

The hard part: how to do this in Windows.  Any thoughts on that?

• ← Belts and Suspenders Security
• Build your own cloud-based two-factor authentication service →