Security flaw with GlobalProtect?

Hi,

While setting up a computer with fingerprint authentication + Windows password, I discovered that after installing GlobalProtect I could circumvent the whole two-factor authentication by choosing to log in with GlobalProtect (clicking the GP icon in the login screen of Windows, instead of using the "security key"). The OS used was Windows 8.1 x64.


Don't know if you're aware of this flaw, or if this is something that can be disabled in PAN-OS, though I don't think there are many people out there wanting this as a functionality :smileysilly:

Accepted Solutions

This is a Windows issue, not GP. GP is using the Windows authorized toolkit to allow VPN login from the main prompt. If this tool is built such that it bypasses two-factor when implemented, then MS will need to change the handling of the login request in Windows. There is nothing that GP can do to change this behavior.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Can you clarify what you mean about "clicking the GP icon in the login screen of windows". Is this an icon when you boot your Windows device?

It's the "sign in options" that you'll find in (at least) Windows *8* and Windows Server 2012; it's located below the password input. So, I can either choose the "key", which is the Windows password (in this case two-factor with fingerprint), or I can choose GP, which then circumvents the whole fingerprint process and lets me log in using only the domain password, instead of domain password + fingerprint.


This could be prevented by implementing two-factor authentication on GlobalProtect, but that's not how it should be :smileysilly:

OK, when I read your original post I thought you were just clicking the GP icon and it passed you in without a password. We have not tried two-factor with a fingerprint reader yet, but I will be following this thread to see if an answer is provided for you.

Ah, sorry, I guess I could have explained it a little better.
OK, thanks. I guess, at least, it should be made possible to turn this setting on/off (remove the possibility of selecting the GP icon), and/or include the fingerprint information (or whatever two-factor authentication is used) with the GP authentication, if it's even possible(?).

I agree with @pulukas. Seems like @pasmartin should get ahold of your Enterprise TAM and get a ticket open with M$.
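For readers who want the host-side control the original poster asks for (removing the GP tile from the sign-in screen), Windows itself provides it: a credential provider is a COM object registered by CLSID under the Credential Providers key, and the "Exclude credential providers" policy (Computer Configuration > Administrative Templates > System > Logon) tells LogonUI to hide any CLSIDs listed in it. The script below is an added example, not code from this thread or from Palo Alto Networks. It lists the registered providers so the GlobalProtect one can be identified, then shows how a CLSID is appended to the policy value. The GlobalProtect CLSID does not appear on this page, so a zero GUID stands in as a placeholder; the function validates its input and previews the write with -WhatIf.

```powershell
# Added example, not from the thread or from Palo Alto Networks.
# Enumerates the credential providers offered on the Windows sign-in screen and
# shows how the built-in "Exclude credential providers" policy hides one of them.
# Run from an elevated PowerShell prompt on the Windows host in question.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue  = 'ExcludedCredentialProviders'   # REG_SZ, comma-separated list of CLSIDs

function Get-CredentialProvider {
    # Each subkey name is a provider CLSID; the subkey's default value is its display name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-ExcludedCredentialProvider {
    # Returns the CLSIDs already hidden by policy, or an empty array if the value is unset.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    if ([string]::IsNullOrWhiteSpace($current)) { return @() }
    $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-ExcludedCredentialProvider {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)

    # Accept only a braced GUID so a typo cannot end up in a machine-wide logon policy.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID: $Clsid"
    }

    $list = @(Get-ExcludedCredentialProvider)
    if ($list -contains $Clsid) { Write-Verbose "$Clsid is already excluded"; return }
    $list += $Clsid

    if ($PSCmdlet.ShouldProcess($PolicyValue, "set to '$($list -join ',')'")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($list -join ',') -Type String
    }
}

# 1. Review what the sign-in screen offers and note the GlobalProtect entry's CLSID.
Get-CredentialProvider | Sort-Object Name | Format-Table -AutoSize

# 2. Hide it. The zero GUID is a PLACEHOLDER (the real CLSID is not on the page);
#    replace it with the CLSID from step 1. Drop -WhatIf to actually write the policy.
Add-ExcludedCredentialProvider -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Two caveats for anyone applying this. Excluding the provider removes the GP tile entirely, so the pre-logon VPN connection from the sign-in screen is lost along with the bypass; that is the trade-off the thread is really about. And because the value lives under the Policies hive, a domain GPO that sets "Exclude credential providers" will overwrite whatever is written locally, so in a managed environment the same CLSID list belongs in the GPO rather than in a script.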
