+26
Archived
Smart card pass thru support for Windows Login and/or Admin Functions
From CW-7588576:
Partner is looking for a means to be able to use smart cards through a session to support smart card requirements for admin functions on remote systems. Notes that RDP supports a pass through device so local smart card is presented through the RDP session to the remote system for Authentication.
Commenting disabled
Customer support service by UserEcho
We are using SPYRUS Rosetta smart cards and Gemalto smart cards and need to be able to authenticate to AD accounts on a WIndows server that requires a certificate for user authenticaion.
With the NIST 800-171 requirements being fully enforced, 2-factor for privileged accounts is a must. This means that I need to pass my usb based Windows SmartCard (Yubikey) login to the remote machine. I agree that RDP does have this functionality and I use it already from my local machine into local remote servers.
We need this function as well for NIST 800-171 requirements.
We ended up using a combination of Yubikey and AuthLite - works great for anything you need to authenticate. AuthLite integrates with AD and the YubiKey code ends up being the "username" and you enter your password. Since it's all just keyboard input, works fine locally and remote. No need to integrate any authentication protocols between the systems, all that magic happens on the backend.
I think we're going to just use Duo. It solves all the issues and doesn't have to use a smartcard. I wish SC supported Smartcard Passthrough though, it'd be nice since then we can do this without recurring costs like Duo or other solutions need.
Any update on adding this to a future release? I really need this feature so I can get away from RDP.
NIST 800-171 is now rolling into CMMC and this will be a must. If this option is not added then it will prevent me from using it and a lot of MSPs out there.
Citation? All we needed was proper 2FA under 800-171, not necessarily smart cards. We have this working via Duo Push Notification (or basic TOTP) with CWC login now, the desktops protected by Duo as well.
You are correct, proper 2FA is the requirement.
For a small business like us, the ease of implementing a PIV with Yubikey is very seamless and low cost. The yubikey is a 1 time cost and smart card authentication is built into the windows domain enviroment. Duo is nice, but brings in added complexity and subscription costs. If connectwise would pass the usb yubikey it would be an amazing feature.
You can use TOTP with CWC so not seeing a problem here still with the lack of smart card. I wouldn't be surprised if the concept of smart cards altogether ends up fading away.
Duo is CHEAP and the value it brings from a security standpoint is impossible to put a price tag on in my opinion. It's use goes far beyond securing CWC; it secures the windows desktop, and all kinds of third party systems.
Regardless, and with all due respect, if you need to comply with 800-171 and are worried about the cost of Duo, your security infrastructure as a whole is likely not going to be good enough. The audits are orders of magnitude more spendy, and your SIEM tool will be $$$$ too.
Besides, you should be able to use Yubikey with CWC RIGHT NOW. Configure CWC to use TOTP, then have your Yubikey generate said TOTP. Press the gold button with the cursor in the right box during login and presto.
I saw you can use it with the CWC login, but can it pass to the guest machine login?
It does not pass through, you simply 2FA twice. One at CWC login, the other at Windows login. Duo protects both.
Any update on this?