Can anyone explain the pre-logon feature that is now part of GP. Specifically how I could use it to launch AD login scripts one a user have authenticated via GP.
Solved! Go to Solution.
Is it only user certs that will be used or can a machine cert be used aswell (or is this just semantics)?
Im thinking that this feature can be used so the machine will have a tunnel setup automatically during boot (this way the box can be remotely administrated etc without user interaction) and when the user logins the same tunnel is used but userid will identify the particular user (through pan-agent like AD, WMI, Server logs etc).
Which as a bonus question: What about using userid as machineid?
For example how to accomplish if I want a particular or a group of particular machines be able to reach certain resources before the user is logged in on the device?
Because "pre-logon" is to wide as definition...
Can you explain how two factor authentication fits into the picture? The idea off pre logon features is a good one, but what happens to a laptop that is stolen? If the tunnel is created pre logon doesn't this cause a security issue as it would effectively create a back door on to the network?
re the certs, does the pre logon sequence use the certs that have been specified the potral client configuration?
Regarding the stolen question:
1) Since the stolen box will setup a mandatory always on vpn during boot you can send a kill switch signal to it next time it connects to your infrastructure (that will overwrite the keys/certs and then start to overwrite the rest of the sensitive areas and finally reboot itself).
2) If you dont do the kill switch stuff then add the stolen box machine cert to your CRL so next time it tries to establish this VPN against your infrastructure the concentrator will just give the client a longfinger in return.
That presumes the IT department know about the theft and it presumes the IT Help desk follows the correct processes for dealing with an incident. What happens when a laptop is stolen over the weekend and there is no Help desk cover? at the very least the laptop could have 48 hours access to the commercial network before it's logged as stolen?
For example you steal a laptop, you stick cain & able on it and dump the LSA table from it. You then log in as the domain user and have full access to the network. If this scenario can't happen then please correct me? if it can it does seem like there are to many varibles at play to consider this pre-logon funciton a secure one.
That aside to test the pre-logon function out is it just a case of ensuring the GP configuration has a valid certificate that the PC knows about and then selecting the pre-logon funtion within GP client settings?
Well of course you need to educate your users so the moment they think the laptop is gone should pull up their cell phone and phone the IT department so the box can be blocked or killswitch signal sent and then phone the police to issue a police report etc.
The point of "pre-logon" is that only the basics are allowed through your inner firewalls.
For example only thing allowed with "pre-logon" will be stuff like (which is up to you as admin to decide):
- DHCP (if needed, often handled by the VPN itself)
- DNS (like own limited zone)
- AD (to authenticate)
- AV (to update your signatures)
- WSUS (to update your MS OS)
and basically thats it.
Not until the box is fully authenticated the user in front of the screen will have access to fileservers, mailservers etc.
If the thief can stick cain and abel on your remote device without problems you have for sure other security issues with your design - and this scenario can happen even without pre-logon (dump the SAM db locally from the computer and you in most cases have the AD admin and other high level useraccounts incl hashes in front of you - use the already installed user cert to pick up the VPN and voila you are AD admin).
Thats why you need other counter-measurements aswell... for example encrypt the harddrives (so it isnt just a matter of booting on Backtrack and dump the SAM db's), educate the users to phone the IT department as soon as they think their device has been stolen etc (there are other stuff to consider like the "evil maid" regarding when you use encrypted boot devices etc), dont leave your device on its own when you are outside the corporate building(s) and so on.
Thanks for the reply.
Our laptops are encrypted however there are some that aren't. Its easy to get around security polices locally on laptops using something like ERD commander which will allow you to create an admin user on the local PC - then you can run anything you want. Yes you can stop CD / USB access but your messing with functionality of the system.
I suppose we can adopt the policy of only allowing pre-logon functionality for encrypted laptops only.
Going back to my original question has anyone actually tested this? and is there anything to the configuration other that what i've listed above?
Anyone got any ideas on how this works? or detailed instructions for getting it to work.
I've noticed the pre-logon option removes the connect option from the GP client... interesting.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!