Secure, Federated, Clientless Windows Remote Access for Research and Administration -- Three Ways
Time: 10/07/15 08:25AM-08:50AM
Room: Room 26-A
Partly under the rubric of a federal CC:IIE grant awarded to Duke in 2014, Duke began investigating ways to provide federated access to computing and data resources within its protected research data network (PRDN). Early development centered on federated, browser-based remote access to Linux workstation consoles, but researchers soon expressed a need for federated access to Windows systems in the PRDN as well.
As part of the CC:IIE effort, Duke has developed an approach to federated access to virtualized Windows systems: privileges are mapped onto ephemeral identities in an Active Directory domain, created on the basis of federated logins by actual users, and remote console capabilities are delivered through a Linux-based VNC bridge.
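The ephemeral-identity idea in the paragraph above, sketched as an added example that is not Duke's code or tooling: a small Python broker that turns a federated assertion into a short-lived domain account whose group memberships are derived from entitlement claims, retires the account at session end or after a TTL, and never reuses an account across sessions. The entitlement URNs, the group names, the `fed-` naming scheme and the in-memory directory standing in for Active Directory are all assumptions made for the example; a real deployment would provision into the domain with its own tooling and hand the one-time credential only to the VNC bridge.

```python
"""Ephemeral-identity broker sketch (illustrative, not Duke's implementation).

A federated login (eppn + entitlement claims, as a Shibboleth-style IdP would
assert) is mapped onto a throwaway account with a fresh random credential.
Privileges come only from an explicit entitlement -> group table, so an
unmapped entitlement grants nothing. Each session gets its own account, and
accounts are retired on logout or when their TTL lapses.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed entitlement -> AD group mapping; deny by default for anything else.
ENTITLEMENT_GROUPS = {
    "urn:example:prdn:project-alpha": ["PRDN-ProjectAlpha-Users"],
    "urn:example:prdn:workstation-admin": ["PRDN-Workstation-Admins"],
}

SAM_MAX_LEN = 20  # sAMAccountName length limit on Windows


@dataclass
class EphemeralIdentity:
    sam_account_name: str
    mapped_from: str        # the federated principal (eduPersonPrincipalName)
    groups: list
    password: str           # one-time secret, released only to the VNC bridge
    expires_at: float       # epoch seconds
    active: bool = True


class EphemeralDirectory:
    """In-memory stand-in for the domain the broker would provision into."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self.accounts = {}  # sam_account_name -> EphemeralIdentity

    def provision(self, assertion: dict, now: float) -> EphemeralIdentity:
        """Create a fresh identity for one session from a federated assertion."""
        eppn = assertion.get("eppn")
        if not eppn:
            raise PermissionError("assertion carries no principal name")
        groups = sorted({g for ent in assertion.get("entitlements", [])
                         for g in ENTITLEMENT_GROUPS.get(ent, [])})
        if not groups:
            raise PermissionError(f"{eppn}: no entitlement maps to any privilege")
        # Name derives from principal + random nonce, so two sessions of the
        # same user never share an account (and nothing cached carries over).
        nonce = secrets.token_hex(8)
        digest = hashlib.sha256(f"{eppn}:{nonce}".encode()).hexdigest()
        sam = ("fed-" + digest)[:SAM_MAX_LEN]
        ident = EphemeralIdentity(
            sam_account_name=sam,
            mapped_from=eppn,
            groups=groups,
            password=secrets.token_urlsafe(24),
            expires_at=now + self.ttl,
        )
        self.accounts[sam] = ident
        return ident

    def release(self, sam: str) -> None:
        """Retire an identity at session end; the credential is scrubbed."""
        ident = self.accounts[sam]
        ident.active = False
        ident.password = ""

    def sweep(self, now: float) -> list:
        """Retire every active identity past its TTL (sessions that never logged out)."""
        expired = [s for s, i in self.accounts.items()
                   if i.active and i.expires_at <= now]
        for s in expired:
            self.release(s)
        return expired


if __name__ == "__main__":
    # Constructed sample assertion, as an IdP might deliver it after login.
    directory = EphemeralDirectory(ttl_seconds=900)
    assertion = {"eppn": "alice@example.edu",
                 "entitlements": ["urn:example:prdn:project-alpha"]}
    ident = directory.provision(assertion, now=time.time())
    print(ident.sam_account_name, ident.groups)
    directory.release(ident.sam_account_name)
    print("active after logout:", ident.active)
```

The two properties worth keeping when building the real thing are visible here: privilege comes from an explicit table keyed on the federated claim, never from the account name, and the account's lifetime is bounded twice (explicit release plus a TTL sweep), so a forgotten session does not leave a usable credential in the domain.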
More recent security events in higher education, particularly pass-the-hash-based incursions at major institutions by APTs and nation-state actors, have led us to begin piloting a novel re-use of the same technology to give Windows sysadmins remote access mechanisms that are, if not entirely secure against these sorts of attacks, far less susceptible to them.
The talk will cover the tools and strategies developed for the CC:IIE effort and the application of those tools in three use cases: remote researchers sharing access to resources in Duke's PRDN, local users employing persistent virtualized desktops for development and teaching, and system administrators reducing the risk of cached hashes and pass-the-hash attacks while managing Windows systems.
Speaker: Rob Carter, Duke University
Primary track: Trust and Identity