2015 Technology Exchange


Secure, Federated, Clientless Windows Remote Access for Research and Administration -- Three Ways

Time: 10/07/15 08:25AM-08:50AM

Room: Room 26-A

Session Abstract

Partially under the rubric of a federal CC:IIE grant awarded to Duke in 2014, Duke began investigating ways to provide federated access to computing and data resources within its protected research data network (PRDN). Early development centered on providing federated, browser-based remote access to Linux workstation consoles, but researchers soon expressed needs for federated access to Windows systems in the PRDN as well.
As part of the CC:IIE effort, Duke has developed an approach to providing federated access to virtualized Windows systems. The approach maps privileges onto ephemeral identities in an Active Directory domain based on federated logins by actual users, and delivers remote console capabilities through a Linux-based VNC bridge.
More recent security events within higher ed, particularly those involving pass-the-hash-based incursions at major institutions by APTs and nation-state actors, have led us to begin piloting a novel re-use of the same technology to provide Windows sysadmins with remote access mechanisms that are, if not entirely secure against these sorts of attacks, far less susceptible to them.
The talk will cover the tools and strategies developed for the CC:IIE effort, and the application of those tools in three use cases: remote researchers sharing access to resources in Duke's PRDN, local users employing persistent virtualized desktops for development and teaching, and system administrators reducing the risk of cached hashes and pass-the-hash attacks while managing Windows systems.


Speaker: Rob Carter, Duke University


Primary track: Trust and Identity

Secondary tracks: Research CAMP 201
