At the beginning of the movie 'War Games', they had a scene in the missile
silo where 2 guys had to turn a key to launch a missile. We want the same
level of security present for server logins.

Is there a 1st or 3rd party option available that would require TWO
administrators to be physically present to log into a server/domain? We have
a client that needs VERY strong security and wants it to be impossible to log
in as an admin without 2 people being present and both logging in at once.
Please help me find out if this is possible, even if it is a custom
development job? Has anyone ever heard of this feature or is this the first
request?

Thanks in advance, you can also reply to thepiper @ one.net (no spaces) if
you would.

Re: WARGAMES style security by Phillip

Phillip
Mon Aug 08 15:04:45 CDT 2005

How about locking it into a room that has two locks on the door with
different keys.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


"Security Admin" <SecurityAdmin@discussions.microsoft.com> wrote in message
news:3ABF2093-5C07-4C3D-BA98-1552B5DC5E9F@microsoft.com...
> At the beginning of the movie 'War Games', they had a scene in the missile
> silo where 2 guys had to turn a key to launch a missile. We want the same
> level of security present for server logins.
>
> Is there a 1st or 3rd party option available that would require TWO
> administrators to be physically present to log into a server/domain? We have
> a client that needs VERY strong security and wants it to be impossible to log
> in as an admin without 2 people being present and both logging in at once.
> Please help me find out if this is possible, even if it is a custom
> development job? Has anyone ever heard of this feature or is this the first
> request?
>
> Thanks in advance, you can also reply to thepiper @ one.net (no spaces) if
> you would.



Re: WARGAMES style security by SecurityAdmin

SecurityAdmin
Mon Aug 08 15:17:05 CDT 2005

That's funny but the point is to add that level of security at a password
level so that no single person can log in the system alone. Has anyone heard
of this or a solution that would suffice? This is for a government or bank
scenario type of installation. Thanks.

"Phillip Windell" wrote:

> How about locking it into a room that has two locks on the door with
> different keys.

Re: WARGAMES style security by Steve

Steve
Mon Aug 08 15:23:50 CDT 2005

Yep, I've seen where one guy has 8 characters of a password, they enter
those 8, then tell the other admin to enter the final 8. This is observed
by a third person that makes sure that only one of them is at the keyboard
at a time.

This depends on the 2 not collaborating though. That works well in some
environments, and not so well in others.

What is the risk you are trying to mitigate that can't be overcome by the
loss of physical security in the first place?



"Security Admin" <SecurityAdmin@discussions.microsoft.com> wrote in message
news:217F3E9C-E949-4C01-837F-EFFFC5372105@microsoft.com...
> That's funny but the point is to add that level of security at a password
> level so that no single person can log in the system alone. Has anyone heard
> of this or a solution that would suffice? This is for a government or bank
> scenario type of installation. Thanks.



Re: WARGAMES style security by Phillip

Phillip
Mon Aug 08 15:35:42 CDT 2005

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:evVAYcFnFHA.948@TK2MSFTNGP10.phx.gbl...
> What is the risk you are trying to mitigate that can't be overcome by the
> loss of physical security in the first place?

Exactly,...screw the login and steal the machine. Put the drives into
another machine as slave drives, then copy them, clone them, whatever.

I wasn't kidding or trying to be funny about the door with double locks.
The door to my servers has a combination security lock that only certain
people know the combination to,...it is not a two-person thing but it does
indicate that security is not just software. Software is too easily
overcome once physical access is gained. We also have security cameras around
the facility that record everything.

They haven't given me a gun yet,...but maybe later. Well,..ok, that part
might have a little grin to it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




Re: WARGAMES style security by Jupiter

Jupiter
Mon Aug 08 15:42:54 CDT 2005

That is not really funny, it is very real.
I have worked in places where no one person can have access.
There are NO exceptions.
It is controlled by 2 combination locks with no person having both
combinations.
It is a major security violation if one person has both combinations.
The combinations to the locks were changed monthly or whenever a compromise
was suspected.
A system such as that to secure the server would give stronger security than
any password since physical access can bypass the password.

If less security is desired, give each person half the password as Steve
suggests.
You still have the potential problem with physical access.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


"Security Admin" <SecurityAdmin@discussions.microsoft.com> wrote in message
news:217F3E9C-E949-4C01-837F-EFFFC5372105@microsoft.com...
> That's funny but the point is to add that level of security at a password
> level so that no single person can log in the system alone. Has anyone heard
> of this or a solution that would suffice? This is for a government or bank
> scenario type of installation. Thanks.



Re: WARGAMES style security by SecurityAdmin

SecurityAdmin
Tue Aug 09 07:28:02 CDT 2005

This is actually the exact scenario I had suggested, but they want it to be
software-enforced at the kernel level if possible. Thanks!

"Steve Clark [MSFT]" wrote:

> Yep, I've seen where one guy has 8 characters of a password, they enter
> those 8, then tell the other admin to enter the final 8. This is observed
> by a third person that makes sure that only one of them is at the keyboard
> at a time.
>
> This depends on the 2 not collaborating though. That works well in some
> environments, and not so well in others.
>
> What is the risk you are trying to mitigate that can't be overcome by the
> loss of physical security in the first place?

Re: WARGAMES style security by SecurityAdmin

SecurityAdmin
Tue Aug 09 07:29:33 CDT 2005

Thanks. This is a good suggestion and I will proffer it to the clients to see
how they feel about it. What they asked us for though was a software solution
that would enforce it at the login level. The half-password is a compromise
but if an SDK could be used to customize the login process that would be
ideal.

"Jupiter Jones [MVP]" wrote:

> That is not really funny, it is very real.
> I have worked in places where no one person can have access.
> There are NO exceptions.
> It is controlled by 2 combination locks with no person having both
> combinations.
> It is a major security violation if one person has both combinations.
> The combinations to the locks were changed monthly or whenever a compromise
> was suspected.
> A system such as that to secure the server would give stronger security than
> any password since physical access can bypass the password.
>
> If less security is desired, give each person half the password as Steve
> suggests.
> You still have the potential problem with physical access.

Re: WARGAMES style security by Phillip

Phillip
Tue Aug 09 08:45:25 CDT 2005

Then you should contact Microsoft instead. Perhaps they would be willing to
design something like that for a special situation,...we are not able to
speak for them here.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Security Admin" <SecurityAdmin@discussions.microsoft.com> wrote in message
news:FBC16B91-2991-469C-BBDC-4E8507000FE8@microsoft.com...
> Thanks. This is a good suggestion and I will proffer it to the clients to see
> how they feel about it. What they asked us for though was a software solution
> that would enforce it at the login level. The half-password is a compromise
> but if an SDK could be used to customize the login process that would be
> ideal.



Re: WARGAMES style security by SecurityAdmin

SecurityAdmin
Tue Aug 09 09:50:45 CDT 2005

Actually I already have a case open with them. Amazingly nobody has ever
asked them for this ability before. It probably is going to be a custom
build. If it's for a highly secure environment it's probably worth the $ to
implement the security they want. Thanks for the feedback to all.

"Phillip Windell" wrote:

> Then you should contact Microsoft instead. Perhaps they would be willing to
> design something like that for a special situation,...we are not able to
> speak for them here.

Re: WARGAMES style security by Patty

Patty
Wed Aug 10 01:17:14 CDT 2005

I wonder if you went to a smartcard technology where one person has the
card and the other person has the password would work? Or use some
sort of biometric where one person has the credentials through
fingerprint or retinal scan and the other person has the password?

Smartcard may be a less expensive way than the biometrics....

Regards,

Patty


Re: WARGAMES style security by S

S
Wed Aug 10 05:24:42 CDT 2005

If you're really serious about the logon security, here's one way to achieve
dual logon: enable smart card logon and use a high-end HSM (hardware
security module) that requires two administrators to unlock the private key
(perhaps each using a smart card). Obviously you'll need an HSM with a Windows
CSP - ones from Eracom and nCipher will do, I believe.

However, there is a catch: if somebody has access to the hardware,
they'll be able to modify the system and log on as a local admin. So you
also need to consider full disk encryption, which will be the security
bottleneck. The solution will be to have one admin supply the credential for
disk encryption, and another do the smart card logon.

So you have your options! :)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Security Admin" <SecurityAdmin@discussions.microsoft.com> wrote in message
news:3ABF2093-5C07-4C3D-BA98-1552B5DC5E9F@microsoft.com...
> At the beginning of the movie 'War Games', they had a scene in the missile
> silo where 2 guys had to turn a key to launch a missile. We want the same
> level of security present for server logins.
>
> Is there a 1st or 3rd party option available that would require TWO
> administrators to be physically present to log into a server/domain? We have
> a client that needs VERY strong security and wants it to be impossible to log
> in as an admin without 2 people being present and both logging in at once.
> Please help me find out if this is possible, even if it is a custom
> development job? Has anyone ever heard of this feature or is this the first
> request?
>
> Thanks in advance, you can also reply to thepiper @ one.net (no spaces) if
> you would.
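
The half-password scheme and the two-administrator HSM unlock discussed in this thread are both split-knowledge controls. The Python example below is added here (it is not from any poster and not any product's code): it splits a random admin secret into two XOR shares so that, unlike a password cut into two 8-character halves, neither custodian holds any part of the secret. All function names, sizes and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets

SECRET_LEN = 16           # bytes of admin secret (assumed size for this example)
KDF_ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune per host)


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: each share on its own is uniformly random."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the secret; both custodians must contribute a full share."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def make_verifier(secret: bytes) -> tuple[bytes, bytes]:
    """Store only a salted, stretched hash of the combined secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS)
    return salt, digest


def enroll() -> tuple[bytes, bytes, tuple[bytes, bytes]]:
    """Generate the secret, hand one share to each custodian, keep the verifier.

    The secret itself is discarded after enrollment, so no single person
    (including whoever runs enrollment afterwards) can log on alone.
    """
    secret = secrets.token_bytes(SECRET_LEN)
    share_a, share_b = split_secret(secret)
    return share_a, share_b, make_verifier(secret)


def dual_unlock(share_a: bytes, share_b: bytes,
                verifier: tuple[bytes, bytes]) -> bool:
    """Return True only when both correct shares are presented together."""
    salt, expected = verifier
    try:
        candidate = combine(share_a, share_b)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate, salt, KDF_ITERATIONS)
    return hmac.compare_digest(digest, expected)


def remaining_bits_half_password(total_chars: int = 16, known_chars: int = 8,
                                 alphabet: int = 94) -> float:
    """Work left for a custodian who already knows their half of a password
    made of random printable characters (94 symbols assumed)."""
    return (total_chars - known_chars) * math.log2(alphabet)


def remaining_bits_xor_share(secret_len: int = SECRET_LEN) -> int:
    """Work left for a custodian holding one XOR share: the full secret."""
    return 8 * secret_len


if __name__ == "__main__":
    a, b, verifier = enroll()
    print("both shares:", dual_unlock(a, b, verifier))
    print("one share only:", dual_unlock(a, bytes(SECRET_LEN), verifier))
    print("half-password bits left: %.1f" % remaining_bits_half_password())
    print("XOR-share bits left:", remaining_bits_xor_share())
```

As the replies point out, this only addresses the logon secret: two colluding custodians or physical access to the machine still bypass it.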