Share the Love
Secure Shared Workstations and Fast User Switching with Novell SecureLogin
Written by Ken Baker
Whether you work in health care, education, retail, manufacturing, financial, or government environments, securing shared workstations can be a significant challenge. When users don't close their applications or simply leave the workstation without logging off, it can expose sensitive data to unauthorized users. On top of the security concerns, the fast-paced nature of many of these environments demands quick login and access to the applications within a shared workspace. This article provides answers to those challenges as presented in the Securing Shared Workstations with Novell SecureLogin session at BrainShare 2010 in Salt Lake City.
Fast and Secure
Novell SecureLogin is primarily known for allowing users to access network resources using a single set of credentials. Once users log in to a computer on the network, they are automatically authenticated to all of their single sign-on-enabled applications, databases and operating systems. Novell SecureLogin also lets you control access to applications and content based on time of day and URL. Kevin Prior, Novell Technology Specialist, pointed out during the BrainShare session that combining these features with the added Desktop Automation Services (DAS) in Novell SecureLogin creates the perfect formula for addressing your shared workstation challenges.
Previously a stand-alone component once known as the Application Runner Shell (ARS), Desktop Automation Services (DAS) now ships with Novell SecureLogin 7. DAS runs as a local executable on a client workstation specifically to handle the unique use cases associated with shared workstations or kiosks. DAS can execute selective, configurable lists of script-based user operations, such as mapping a drive, testing for or establishing an authenticated connection to a directory, and running or shutting down an application. The ability of Novell SecureLogin and DAS to test for specific conditions and trigger predefined actions gives you the flexibility to change the behavior of a shared workstation according to the unique needs of your environment. (See Figure 1.)
Thom Kerby, Senior Architect of Eos Systems, a Novell Platinum Partner that took part in the BrainShare presentation, discussed how they used DAS and the fast user switching in Novell SecureLogin to address the shared workstation needs of their customers in the health care industry. “Our customers might have three to five users accessing a single clinical workstation in an environment with patients and customers nearby,” Kerby said. “They needed a login that was between five to ten seconds, and an automatic logoff after a certain amount of inactivity to make sure no one could see or access any information.”
Eos Systems addressed this customer need using a setup similar to what Prior demonstrated during the BrainShare session. Using Novell SecureLogin and DAS they configured their customer’s shared workstations to log into a locked-down generic user account. Then when users presented a proximity card to the workstation’s card reader, Novell SecureLogin would execute a series of actions, including the following:
- Associate the user’s proximity card ID with an eDirectory user and then use that user’s universal password for authentication
- Make the appropriate applications available to the user based on Novell ZENworks policies
- Authenticate the user to the applications using single sign-on and load them
- Shut down the applications and log the user out upon a specified period of inactivity or logout
While all the above happens, the workstation remains logged in to Windows as the generic user, but Novell SecureLogin creates a single sign-on environment that uses identity-based services to differentiate each user’s Windows session based on either user attributes, the current location of the workstation or workstation attributes. As a result, the kiosk or shared workstation user will still have a login screen, but they’re logging into single sign-on instead of having to do a full Windows authentication each time. By doing this, Novell SecureLogin makes sure that when users authenticate to shared workstations it can quickly log them in and set up their prescribed desktop environments, while securing those environments with the appropriate controls and access rights.
To create this controlled environment with fast user switching and fast user login, a Novell SecureLogin DAS process runs on the workstation to monitor certain trigger events, test for conditions and then act in a prescribed manner as scripted in an actions.xml file. Some of the more commonly used trigger events and actions include the following:
- Execute a user specific action
- Run an application
- Close an application or all applications
- Map drives
- Check if the user is logged in to the directory
- Log the user out of the directory
- Hide the desktop
- Show the desktop
- Turn on the screen saver and lock the workstation
- Display a message box
- User logs in to eDirectory
- User logs in to an LDAP directory
- User presses a predefined hot-key sequence
- Workstation goes into screen-saver mode
- Removal of a smart card is detected
- Workstation goes inactive for a specified period of time
- Removal of a pcProx card is detected
The following sample actions.xml shows some of the basic functionality of a few of the Novell SecureLogin actions and triggers:

Sample actions.xml

```xml
<?xml version="1.0"?>
<application-runner-script>
  <action name="hidedesk">
    <nds-logout />
    <hide-desktop />
  </action>
  <action name="showdesk">
    <unhide-desktop />
  </action>
</application-runner-script>
```
In this example, the hide-desktop action hides the desktop, its icons and other programs after a user logs out of the directory and before a new user logs in to the directory. When a new user logs in to the directory, the unhide-desktop action can be used to display the desktop and its hidden icons and programs. It’s the behavior of these actions that facilitates fast user switching and logon for kiosks or shared workstations. Even though the workstation remains logged in as a generic workstation user, the desktop can remain hidden and locked until an actual user authenticates.
Depending on your needs, you can create a very basic or an elaborate actions.xml file. While you can create the file by hand, Novell SecureLogin provides a wizard that helps you construct the appropriate event triggers and actions for your shared workstations. When you launch the wizard, it lets you select from a set of predefined actions and then customize them to address your specific needs. Likewise, it makes it easy to specify triggers for those actions.
When creating a sample action file that provides a quick login and logout for users, you might have it first test whether the user has authenticated to a Novell eDirectory tree. If the user is not logged in, Novell SecureLogin can then hide the Windows desktop and launch Novell Client32 to allow the user to authenticate. When Novell SecureLogin detects that the user has logged in to eDirectory, the script can initiate a new single sign-on session for that user, map drives and automatically launch several applications. When the user logs off, the action file can unmap the drives, shut down the applications, end the user’s single sign-on session, and hide the desktop again. (See Figure 2.)
Complex Challenges, A Simple Answer
Even though every customer situation is a little bit different, Novell SecureLogin and DAS give you the flexibility to adapt the actions and triggers to fit a variety of scenarios. One of the most typical use-case scenarios is the need to ensure that the previous user of a shared workstation is logged out, all of that user’s applications are closed, and the workstation is ready for the next user without having to restart Windows or make the new user wait a significant amount of time for authentication. The bottom line for this scenario is the need for fast user login or fast user switching, which Novell SecureLogin provides.
A common scenario in the healthcare industry would be that whenever nurses walk up to a workstation, they need to be able to log in quickly and be automatically authenticated to a certain set of applications. However, addressing the needs of the doctors might require you to handle things a bit differently, perhaps loading and authenticating a different set of applications. And since you want to make things as easy as possible for your doctors, you might create some custom shortcuts with big, easy-to-find icons that will quickly log them off or perform some other action.
To help ensure that sensitive information can’t be viewed or accessed by unauthorized individuals, you might use something like a pcProx sonar detector that can detect when logged-in users walk away from their workstations. When that happens, it can trigger an action in Novell SecureLogin that starts the Windows screen-saver program and locks the workstation. After a predefined interval of inactivity, you might have Novell SecureLogin automatically close the user’s applications and log the user out. You can also configure it so that if the user returns before the predefined interval, the screen saver turns off and the user’s desktop is displayed in its previously undisturbed state.
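As an added illustration of the sample actions.xml above and of the walk-away scenario just described (example code written for this article, not Novell's DAS implementation), the following loads an actions.xml in the format the article shows, rejects any step element it does not recognize, and simulates the login, lock, return and inactivity-timeout sequence. The trigger functions, the state fields and the timeout value are assumptions, since the article does not show how triggers are declared in the file.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the article's sample actions.xml (same elements).
ACTIONS_XML = """<?xml version="1.0"?>
<application-runner-script>
  <action name="hidedesk"><nds-logout /><hide-desktop /></action>
  <action name="showdesk"><unhide-desktop /></action>
</application-runner-script>"""
# Step elements the article shows and their effect on the simulated state; any
# other element fails at load time (e.g. a typo) instead of exposing the desktop.
STEPS = {
    "nds-logout": lambda ws: ws.update(user=None),
    "hide-desktop": lambda ws: ws.update(hidden=True),
    "unhide-desktop": lambda ws: ws.update(hidden=False),
}
def new_workstation():  # Windows stays logged in as the generic user throughout
    return {"user": None, "hidden": False, "locked": False, "idle": 0}
def load_actions(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "application-runner-script":
        raise ValueError("not an actions.xml document")
    actions = {a.get("name"): [c.tag for c in a] for a in root.findall("action")}
    for name, steps in actions.items():
        unknown = [s for s in steps if s not in STEPS]
        if unknown:
            raise ValueError(f"{name}: unknown step(s) {unknown}")
    return actions
def run_action(ws, actions, name):
    for step in actions[name]:  # steps run in document order
        STEPS[step](ws)
    return ws

# Trigger wiring is an assumption: the article names these triggers but does not
# show how they are declared in actions.xml, so they are modelled as functions.
def on_directory_login(ws, actions, user):
    ws.update(user=user, locked=False, idle=0)
    return run_action(ws, actions, "showdesk")

def on_presence(ws, present):  # pcProx sonar: leaving locks, returning unlocks
    if present and ws["user"] is not None:
        ws.update(locked=False, idle=0)  # back before the timeout: desktop intact
    else:
        ws["locked"] = True  # screen saver plus lock; applications stay open
    return ws

def on_idle_tick(ws, actions, seconds, timeout):
    ws["idle"] += seconds
    if ws["idle"] >= timeout:  # inactivity timeout: log out and hide the desktop
        return run_action(ws, actions, "hidedesk")
    return ws
```

The load-time check is the part worth keeping in a real deployment: a misspelled step in a hand-edited file should fail loudly, not leave the hide-desktop action silently incomplete.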
The flexibility in how you can employ the various event triggers and actions in Novell SecureLogin really makes it easy to address a wide variety of shared-workstation and kiosk scenarios. In addition to that flexibility, Novell SecureLogin delivers the following key differentiating features:
- Shared credentials for Web single sign-on, enterprise single sign-on, and provisioning
- Automatic provisioning of single sign-on credentials through integration with the identity management system
- No additional hardware investment requirements, minimized administrative overhead, simplified user management, improved fault tolerance and increased enterprise interoperability through the ability to leverage existing directory infrastructures
- Support of multiple multi-factor devices
- Centralized management
- Minimal impact on workstations with Windows and Novell-workstation compatibility, a small client footprint, integration with Novell ZENworks and no modifications to the GINA
Still, the overriding message of the BrainShare session was a simple one. With one set of authentication credentials and fast user switching, Novell SecureLogin can address the core IT challenges in your shared-workstation environment.