Security flaw with GlobalProtect?

L2 Linker


Hi,

While setting up a computer with fingerprint authentication + Windows password, I discovered that after installing GlobalProtect I could circumvent the whole two-factor authentication by choosing to log in with GlobalProtect (clicking the GP icon in the login screen of Windows, instead of using the "security key"). The OS used was Windows 8.1 x64.


Don't know if you're aware of this flaw, or if this is something that can be disabled in PANOS - though I don't think there are many people out there wanting this as a functionality :smileysilly:


Accepted Solutions
L7 Applicator

Re: Security flaw with GlobalProtect?

This is a Windows issue, not GP. GP is using the Windows authorized toolkit to allow VPN login from the main prompt. If this tool is built such that it bypasses two-factor when implemented, then MS will need to change the handling of the login request in Windows. There is nothing that GP can do to change this behavior.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center



All Replies
L4 Transporter

Re: Security flaw with GlobalProtect?

Can you clarify what you mean about "clicking the GP icon in the login screen of windows"? Is this an icon when you boot your Windows device?

L2 Linker

Re: Security flaw with GlobalProtect?

It's the "sign in options" that you'll find in (at least) Windows *8* and Windows 2012 Server - it's located below the password input. So, I can either choose the "key", which is the Windows password (in this case two-factor with fingerprint), or I can choose GP, which then circumvents the whole fingerprint process, and lets me log in using only the domain password, instead of domain password + fingerprint.


This could be prevented by implementing two-factor authentication on GlobalProtect - but that's not how it should be :smileysilly:

2014-10-23 13.27.41.jpg

L4 Transporter

Re: Security flaw with GlobalProtect?

OK, when I read your original post I thought you were just clicking the GP icon and it passed you in without a password. We have not tried 2 factor with a fingerprint reader yet, but I will be following this thread to see if an answer is provided for you.

L2 Linker

Re: Security flaw with GlobalProtect?

Ah, sorry, I guess I could have explained it a little better.
OK, thanks. I guess, at least it should be made possible to turn this setting on/off (remove the possibility of selecting the GP icon), and/or include the fingerprint information (or whatever two-factor authentication is used) with the GP authentication, if it's even possible(?).


Cyber Elite

Re: Security flaw with GlobalProtect?

I agree with @pulukas. Seems like @pred-martin should get ahold of your Enterprise TAM and get a ticket open with M$.
