Saturday, July 14, 2007

How to use Smart Cards with OWA - But Why?

There is an interesting article on TechNet that outlines how to configure ISA Server 2006 and Exchange Server 2003 to support smart card authentication for Outlook Web Access.

Technically it is a well written article, and it explains the concepts behind the authentication process clearly. The article also explains the benefits of using two-factor authentication:

Rather than relying on a single method—a password—to enable access, two-factor authentication enforces the use of additional authentication methods, including a username/password combination, a physical device such as a smart card, or a biometric identifier such as a fingerprint.

I absolutely agree with that - but while the article does a great job of explaining how you configure this scenario, it does not delve into why you would do it, what the alternatives are, or what the pros and cons of each are.

You see, OWA is only one of the options available for providing remote access to Exchange information. Others include Exchange ActiveSync, Outlook Anywhere (formerly known as RPC over HTTPS) and application virtualisation technologies such as Terminal Services or Citrix Secure Gateway in front of Citrix Presentation Server.

Similarly, smart cards are only one way to provide multi-factor authentication. Other options include one-time passwords (OTP), including time-based tokens such as RSA SecurID, biometrics, or computer (machine) certificates.

In addition, authenticating the user and/or the device is only part of the story. Authentication protects access to the data, but the data also needs to be protected while it is in transit and while it is at rest. For this post I'll assume that you are going to encrypt any data transmitted over public networks (right?!?!), so I'll ignore protecting data in transit. Protecting data at rest, however, is an important consideration for remote Exchange access. If your users are using OWA from machines that you do not know or trust, for instance, it is entirely possible that they are saving attachments to those machines, and that those attachments are sitting there unprotected.

The technologies used to deliver, authenticate and secure remote Exchange access should be chosen based on the security policy of the organisation. So what would the corporate policy need to look like in order to justify using smart cards to secure OWA? What about the other combinations - when should they be used?

Putting Exchange ActiveSync aside for a minute - that is another post, I think - the remaining three strategies I have mentioned each have different characteristics.

  • OWA - Least configuration on the client; only a browser is needed. Requires an active connection to read or compose email; there is no offline capability. You may want to prohibit attachment downloads to prevent data being left at rest on unprotected machines (a trusted endpoint is still needed to prevent the user simply saving what is displayed).
  • RPC/HTTPS - This option requires Outlook to be installed on the client. If used in conjunction with Cached Exchange Mode it can leave a significant amount of data at rest on the endpoint machine (the entire .ost file). Because data is synchronised to the local machine, email can be read and composed while offline.
  • Virtualisation - Application virtualisation technologies such as Citrix Presentation Server virtualise the application by running it - e.g. Outlook - on a server and presenting only the screen view to the user. Mouse movements and keystrokes are sent back up the wire to the server; the application being virtualised never runs on the client. This requires a client on the endpoint machine, but ActiveX and Java clients are available, so many public machines can be used. Easily configured policies (for example, disabling client drive mapping and clipboard redirection) can prevent data being left at rest on the endpoint. Requires an active connection to read or compose email.

The comparison below provides a high-level overview of the outcomes of each combination of access method (OWA, RPC/HTTPS, Virtualisation) and authentication method. The intent is to help people pick the right combination of technologies to meet the requirements of their security policy.

Username & Password (single factor)
  • OWA: Provides access from any Internet-connected machine, which is very convenient. Susceptible to key logging if accessed from an untrusted machine; a captured password can be reused indefinitely.
  • RPC/HTTPS: Also provides access from any Internet-connected machine, provided the user has enough knowledge to configure the Outlook profile. Also susceptible to key logging.
  • Virtualisation: Provides access from most Internet-connected machines - the client machine needs to support at least one type of Citrix client. Susceptible to key logging.

Smart Cards (two factor)
  • OWA: Needs to be accessed from an endpoint that has a smart card reader (and the card middleware), which implies that you know the endpoint. Resistant to key logging, as the smart card + PIN constitute two factors of authentication (something you have and something you know): a logged PIN is useless without the card. More secure, but not as convenient as above.
  • RPC/HTTPS: Needs to be accessed from an endpoint that has a smart card reader and the Outlook client. This could still be a client that you don't trust if the user has the knowledge required to configure Outlook. Resistant to key logging and provides both online and offline access.
  • Virtualisation: Again requires a smart card reader on the client, in addition to either the Citrix client or support for one of the web clients. Resistant to key logging.

Computer Certificates (two factor)
  • OWA: Requires not only that you know the client, but that you have deployed a client certificate to it. This provides two factors in that you have to have something - a computer with the certificate - and you have to know something - the user credentials.
  • RPC/HTTPS: Requires a certificate on the client. This prevents users from configuring just any client to use RPC over HTTPS, and so ensures that data at rest on the client is protected by the corporate policies applied to that client. For example, if the client runs Vista with BitLocker you can be assured that the data will be encrypted.
  • Virtualisation: Allows access to Exchange data only from a Citrix client you know and trust. Ensures that data cannot even be viewed unless an authenticated person using a known device connects. No data at rest on the client.

SecurID (two factor)
  • OWA: Extremely convenient. Can access OWA from any client, and credentials are protected from key logging by using a PIN + token code in place of the password; a captured passcode is only valid for the current token window.
  • RPC/HTTPS: Not as seamless as computer certificates, and does not prevent the use of unknown hardware, but it does protect against key logging and provides strong authentication.
  • Virtualisation: Strong authentication and fairly convenient. A good choice for users who have a business need to work from untrusted machines.

Note that none of the two-factor options protects against a compromised endpoint once the session is established: whatever is displayed on screen can still be captured, so the authentication method only addresses credential theft, not data at rest.

So when would configuring OWA to use smart card authentication be the appropriate choice? One scenario that seems likely to me is when you want to enable specific users to access OWA from home, but for whatever reason you don't want to provide them with a mobile PC. Another way to meet this need would be to use Citrix. That provides additional protection in that you can prevent data being left on the machine, but it carries additional licensing costs.
