Re: Client certificates: security vulnerability?

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/16/04


Date: Mon, 15 Nov 2004 18:55:20 -0500

There may also be similar timeout settings for the IPsec and TCP/IP sessions
on each client.

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23pUx7%231yEHA.908@TK2MSFTNGP11.phx.gbl...
> Hi Max,
>
> I am not sure if it will help, but you could try and use Session.Timeout to
> control how long users can leave the web application idle before they need
> to authenticate again.
>
> Starting and Ending Sessions in ASP
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/starting_and_ending_sessions.asp
>
> Session.Timeout
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_vbom_sesoptime.asp
>
> Next thing you can do is teach your users to always close the browser when
> they are done and to always lock their PC (Windows 2000 and newer).
>
> Since you are using Smart Cards, you could deploy "Smart Card removal
> behavior" group policy setting (in e.g. domain environment). E.g. if a user
> takes out the smart card the screen locks... In combination with
> Session.Timeout this should provide some additional security -- still I know
> it doesn't provide a foolproof solution.
>
> Interactive logon: Smart card removal behavior
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/594.mspx
>
> Mike
>
> "Max Metral" <memetral@hotmail.com> wrote in message
> news:eQJkq31yEHA.2980@TK2MSFTNGP10.phx.gbl...
> > So I have an application that uses client certificates on smart cards.
> > The problem is that if you "login" to a web site using the cert, and then
> > pull the smart card, the session stays valid, for a long time.
> >
> > I think I understand what's happening, namely that the SSL session has
> > been negotiated and therefore nobody cares that the underlying private key
> > is gone. But this seems like a gaping hole of sorts, and I wonder what
> > one could do to close it in a particular application?
> >
> > Thanks
> > --Max
> >
>
>
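Mike's Session.Timeout suggestion, modelled in Python as an added example (not code from the thread, from IIS or from ASP): a server-side session store that enforces an idle timeout and an absolute lifetime, and binds each application session to the client-certificate thumbprint seen at the TLS handshake. The 20-minute idle value matches classic ASP's default Session.Timeout; the 8-hour absolute lifetime and the thumbprint strings are constructed.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_S = 20 * 60        # classic ASP's default Session.Timeout (20 minutes)
ABSOLUTE_LIFETIME_S = 8 * 3600  # constructed: re-authenticate at least once a shift

@dataclass
class Session:
    cert_thumbprint: str  # client cert presented at the TLS handshake (constructed value)
    created_at: float
    last_seen: float

class SessionStore:
    """Application-layer sessions. The TLS session outlives the smart card once the
    handshake is done, so this layer is where the idle timeout actually takes effect."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_S, absolute_lifetime=ABSOLUTE_LIFETIME_S):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: dict[str, Session] = {}

    def create(self, cert_thumbprint: str, now: float) -> str:
        """Issue an unguessable session id after a successful certificate logon."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(cert_thumbprint, now, now)
        return sid

    def validate(self, sid: str, cert_thumbprint: str, now: float) -> bool:
        """Refresh the idle timer and return True if the session may continue.
        Any failure evicts the session so the next request must re-authenticate."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        idle_expired = now - s.last_seen > self.idle_timeout
        too_old = now - s.created_at > self.absolute_lifetime
        # Binding to the thumbprint stops a session id from being reused under a
        # different client cert; it does not notice a pulled card on a TLS session
        # that is still open, which is exactly why the idle timeout is needed.
        mismatch = cert_thumbprint != s.cert_thumbprint
        if idle_expired or too_old or mismatch:
            del self._sessions[sid]
            return False
        s.last_seen = now
        return True

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("AA:BB:CC", now=0.0)
    print(store.validate(sid, "AA:BB:CC", now=600.0))   # True: active within 20 min
    print(store.validate(sid, "AA:BB:CC", now=2000.0))  # False: idle for 1400 s
```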


