Re: Allowing authorized remote users

From: Chiripia (chiripia44_at_earthlink.net)
Date: 10/23/04


Date: Sat, 23 Oct 2004 00:39:02 -0700

Hi! It seems you are an expert. Well, I do have a problem that I'm trying to
resolve. I'm talking about the PDI registry...as well as the Product
Key in my PC. A relative of the family helped to install the WIXP Prof, which
upgraded from WI98 due to a "crash problem" a couple of months ago in my PC.
He made a setup by a copy of his CD in my PC. Now, I was trying to install
WIXP Pack2, however, installation cannot be made due to a problem of ID# key
and Product Key that does not match in the configuration of my system. I do
have the CD for installation, however somehow cannot enter to download due
to this issue. Is there any way to fix this problem? Do I have to set up
another ID# and Prod key to upgrade for my PC? My PC is an old machine, real
old! but for some sentimental value...I'm keeping it and it already gave me
many troubleshooter (rebooting; error messages, etc) lately and I want to run
my system's configuration real smooth!! Can you help on this? THANKS!

"Vin McLellan" wrote:

> Mark queried the newsgroup:
>
> >Is there a way with Windows2000/2003 to register our company-
> >provided laptops on the network and only accept those when a
> >user dials in?
>
> MAC Address Authentication? MAA? Depending on your threat environment,
> you might consider allowing access to users on the basis of the Media
> Access Control (MAC) address that is burnt into each of the Network
> Interface Cards (NICs) that you installed in the company laptops.
>
> This wouldn't be a particularly robust gatekeeper in the face of a
> direct attack by a serious foe. A MAC can be forged or sniffed. A
> laptop can also be borrowed, stolen, or taken for a joyride by the
> employee's kids.
>
> If, however, all you want is a barrier to remind faithful employees
> that company policy prohibits the use of personal PCs to access the
> company network, MAA might be enough. You still see a lot of wireless
> APs relying on NIC MACs.
>
> The real problem is that MAA only authenticates the NIC, not the user.
>
> As S. Pidgorny <slavickp@yahoo.com> suggested, any serious threat
> environment should lead you to consider strong (two-factor) user
> authentication. It seems incongruous that you don't seem concerned
> about more trustworthy authentication and audit controls, Mark, when
> what you are looking for is some mechanism to block illicit access by
> otherwise authorized personnel.
>
> Mr. Pidgorny and Tim Holman both urged you to consider strong
> authentication and/or multiple passwords: logon passwords, client
> certs, smartcards, or RSA SecurID one-time password (OTP) tokens, with
> any of the above perhaps buttressed by a VPN.
>
> In many environments, proof that a remote user has a valid password,
> or even several passwords, doesn't seem enough, given the inherent
> vulnerabilities of a reusable static password. (Multiple passwords
> just don't cut it either. If an attacker can get one, he can probably
> get the others -- probably by using the same technique that
> worked the first time.)
>
> Mr. P added:
>
> >And, in the end, if we are to deal with a malicious user, that
> >doesn't protect from modifying the SOE and running malicious
> >code!
>
> Perhaps not directly -- but if robust AAA permits you to identify the
> culprit, to a high degree of certainty, when bad things happen,
> doesn't that go a long way in establishing deterrence?
>
> Pidgorny offered another suggestion:
>
> >A possible solution is to remove the SOE from the client and
> >implement thin-client based solution: use Windows Terminal Services
> >and/or Citrix.
>
> OTPs and other strong authentication mechanisms are also popular among
> Citrix and WTS sites. Even after they have barricaded the SOE and can
> thus ensure the integrity of their data, those sites still have to
> worry about confidentiality and availability.
>
> No one can guarantee that any technology can always block
> irresponsible behaviour or unauthorized access to protected resources
> -- particularly by trusted insiders -- but strong authentication and
> secure logs make accountability (and eventual retribution) far more
> feasible and realistic.
>
> By classical definition, of course, "strong authentication" requires
> the use of at least two of the three factors by which a remote
> computer can validate an identity claim by a pre-registered user:
> something known, something held, or something one is (a biometric).
>
> With Microsoft's enthusiastic support, RSA -- which still dominates
> the enterprise market for token-based OTP authentication, as it has
> for the past 15 years -- is about to greatly expand the options
> available for using two-factor authentication in the Windows
> environment.
>
> Probably within days, RSA is due to release its new "SecurID for
> Windows" infrastructure. It will be free to RSA customers with the
> latest RSA ACE/Server, so it ought to pop up all over the place very
> quickly.
>
> "SID4Win" will replace the Windows login screen with a SecurID login
> screen, simplifying secure access. A batch of new RSA Authentication
> Agents will also extend SecurID access controls to:
>
> - internal XP desktops on the corporate network (even when they are
> temporarily disconnected from that network), and
> - Microsoft network domains, and
> - remote company PCs and road-warrior laptops which hold company data
> (even when they too are temporarily disconnected from the Internet).
>
> All this might be overkill for the threat environment Mark perceives,
> but it will be a muscular extension for the Windows security
> architecture for many others to consider. I've been a consultant to RSA
> for many years, and it seems a little off-topic to go into details
> here, so I won't.
>
> If anyone is curious, however, I described SID4Win at some length on
> one of the other Microsoft newsgroups a couple of days ago. See:
> <http://tinyurl.com/4vhdr>. RSA also has a SID4Win data *** at
> <http://www.rsasecurity.com/node.asp?id=1173>.
>
> The Devil is in the details, as always, but the details of SID4Win
> seem -- at least to my admittedly biased eyes -- elegant, ingenious,
> and thought-provoking. If anyone has any question about them, spin off
> another thread and I'll try to provide answers.
>
> Suerte,
> _Vin
>
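
Added example (not part of the original posts, and not RSA's SecurID algorithm): the contrast drawn in the quoted reply between MAC address authentication, which only checks an address the client presents, and a two-factor check that names a user and leaves an audit trail. It uses RFC 4226 HOTP as a stand-in for an OTP token; the MAC address, user name, PIN and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample data (assumptions, not from the thread).
ALLOWED_MACS = {"00:11:22:33:44:55"}          # NIC of a company laptop
USERS = {"mark": {"pin": "4821",              # something known
                  "secret": b"12345678901234567890",  # seed held in the token
                  "counter": 0}}              # next unused HOTP counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def mac_only_gate(claimed_mac: str) -> bool:
    """MAA: accepts whoever presents a listed address; no user is identified."""
    return claimed_mac.lower() in ALLOWED_MACS


def two_factor_gate(user: str, pin: str, otp: str, audit: list,
                    window: int = 3) -> bool:
    """Require PIN (known) plus token code (held); log each decision by user."""
    rec = USERS.get(user)
    ok = False
    if rec is not None and hmac.compare_digest(pin, rec["pin"]):
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(otp, hotp(rec["secret"], c)):
                rec["counter"] = c + 1   # each code is accepted once only
                ok = True
                break
    audit.append((user, "accept" if ok else "reject"))
    return ok


if __name__ == "__main__":
    log = []
    print(mac_only_gate("00:11:22:33:44:55"))   # same answer for any holder
    print(two_factor_gate("mark", "4821", hotp(USERS["mark"]["secret"], 0), log))
    print(two_factor_gate("mark", "4821", "755224", log))   # replayed code
    print(log)
```

The MAC-only gate returns the same result no matter who is at the keyboard, while the two-factor gate rejects a replayed code and records every decision against a user name.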