Share the Love
Secure Shared Workstations and Fast User Switching with Novell SecureLogin
Written by Ken Baker
Whether you work in health care, education, retail, manufacturing, financial, or government environments, securing shared workstations can be a significant challenge. When users don't close their applications or simply leave the workstation without logging off, it can expose sensitive data to unauthorized users. On top of the security concerns, the fast-paced nature of many of these environments demands quick login and access to the applications within a shared workspace. This article provides answers to those challenges as presented in the Securing Shared Workstations with Novell SecureLogin session at BrainShare 2010 in Salt Lake City.
Fast and Secure
Novell SecureLogin is primarily known for allowing users to access network resources using a single set of credentials. Once users log in to a computer on the network, they are automatically authenticated to all of their single sign-on-enabled applications, databases and operating systems. Novell SecureLogin also lets you control access to applications and content based on time of day and URL. Kevin Prior, Novell Technology Specialist, pointed out during the BrainShare session that combining these features with the added Desktop Automation Services (DAS) in Novell SecureLogin creates the perfect formula for addressing your shared workstation challenges.
Previously a stand-alone component once known as the Application Runner Shell (ARS), Desktop Automation Services (DAS) now ships with Novell SecureLogin 7. DAS runs as a local executable on a client workstation to handle the unique use cases associated with shared workstations or kiosks. DAS can execute selective, configurable lists of script-based user operations, such as mapping a drive, testing for or establishing an authenticated connection to a directory, and running or shutting down an application. The ability of Novell SecureLogin and DAS to test for specific conditions and trigger predefined actions gives you the flexibility to change the behavior of a shared workstation according to the unique needs of your environment. (See Figure 1.)
Thom Kerby, Senior Architect of Eos Systems, a Novell Platinum Partner that took part in the BrainShare presentation, discussed how they were able to use DAS and the fast user switching in Novell SecureLogin to address the shared workstation needs of their customers in the health care industry. “Our customers might have three to five users accessing a single clinical workstation in an environment with patients and customers nearby,” Kerby said. “They needed a login that was between five to ten seconds, and an automatic logoff after a certain amount of inactivity to make sure no one could see or access any information.”
Eos Systems addressed this customer need using a setup similar to what Prior demonstrated during the BrainShare session. Using Novell SecureLogin and DAS they configured their customer’s shared workstations to log into a locked-down generic user account. Then when users presented a proximity card to the workstation’s card reader, Novell SecureLogin would execute a series of actions, including the following:
- Associate the user’s proximity card ID with an eDirectory user and then use that user’s universal password for authentication
- Make the appropriate applications available to the user based on Novell ZENworks policies
- Authenticate the user to the applications using single sign-on and load them
- Shut down the applications and log the user out upon a specified period of inactivity or logout
While all the above happens, the workstation remains logged in to Windows as the generic user, but Novell SecureLogin creates a single sign-on environment that uses identity-based services to differentiate each user’s Windows session based on either user attributes, the current location of the workstation or workstation attributes. As a result, the kiosk or shared workstation user will still have a login screen, but they’re logging into single sign-on instead of having to do a full Windows authentication each time. By doing this, Novell SecureLogin makes sure that when users authenticate to shared workstations it can quickly log them in and set up their prescribed desktop environments, while securing those environments with the appropriate controls and access rights.
To create this controlled environment with fast user switching and fast user login, a Novell SecureLogin DAS process runs on the workstation to monitor certain trigger events, test for conditions and then act in a prescribed manner as scripted in an actions.xml file. Some of the more commonly used trigger events and actions include the following:
Actions:
- Execute a user-specific action
- Run an application
- Close an application or all applications
- Map drives
- Check if the user is logged in to the directory
- Log the user out of the directory
- Hide the desktop
- Show the desktop
- Turn on the screen saver and lock the workstation
- Display a message box
Trigger events:
- User logs in to eDirectory
- User logs in to an LDAP directory
- User presses a predefined hot-key sequence
- Workstation goes into screen-saver mode
- Removal of a smart card is detected
- Workstation goes inactive for a specified period of time
- Removal of a pcProx card is detected
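To make the shared-workstation flow above concrete (card presented, identity-layer login, fast user switch, automatic logoff on inactivity or card removal), here is a small model of that trigger/action loop. It is an added illustration, not Novell's DAS code or its actions.xml format; the card-to-user map, the per-user application list, and the clinician names are constructed stand-ins for the eDirectory association and ZENworks policies the article describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed lookup: proximity-card ID -> directory user (stands in for the eDirectory association)
CARD_TO_USER = {"PROX-0001": "nurse.alice", "PROX-0002": "dr.bob"}
# Constructed policy: user -> applications made available (stands in for ZENworks policies)
USER_APPS = {"nurse.alice": ["ChartViewer"], "dr.bob": ["ChartViewer", "OrderEntry"]}


@dataclass
class SharedWorkstation:
    inactivity_limit: float                      # idle seconds before automatic logoff
    user: Optional[str] = None                   # identity-layer user; Windows stays on the generic account
    open_apps: List[str] = field(default_factory=list)
    last_activity: float = 0.0
    log: List[str] = field(default_factory=list)

    def card_presented(self, card_id: str, now: float) -> bool:
        """Trigger: pcProx card detected. Unknown cards get nothing, not even a desktop."""
        user = CARD_TO_USER.get(card_id)
        if user is None:
            self.log.append(f"unknown card {card_id} rejected")
            return False
        if self.user and self.user != user:          # fast user switch: close the previous session first
            self.logoff("fast user switch", now)
        self.user = user
        self.open_apps = list(USER_APPS[user])        # single sign-on into each permitted application
        self.last_activity = now
        self.log.append(f"{user} logged in via card; apps {self.open_apps}")
        return True

    def activity(self, now: float) -> None:
        self.last_activity = now

    def tick(self, now: float) -> None:
        """Periodic inactivity check; fires the 'workstation inactive' trigger."""
        if self.user and now - self.last_activity >= self.inactivity_limit:
            self.logoff("inactivity", now)

    def card_removed(self, now: float) -> None:
        if self.user:
            self.logoff("card removed", now)

    def logoff(self, reason: str, now: float) -> None:
        """Action: close all applications and log the user out of the directory."""
        self.log.append(f"{self.user} logged off ({reason}); closed {self.open_apps}")
        self.open_apps = []
        self.user = None


def run_scenario() -> SharedWorkstation:
    ws = SharedWorkstation(inactivity_limit=60)
    ws.card_presented("PROX-0001", now=0)
    ws.activity(now=30)
    ws.tick(now=80)                           # 50 s idle: still logged in
    ws.card_presented("PROX-0002", now=85)    # second clinician taps in: fast user switch
    ws.tick(now=200)                          # 115 s idle: automatic logoff
    ws.card_presented("PROX-9999", now=210)   # unregistered card: rejected
    return ws
```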