Smart card pass thru support for Windows Login and/or Admin Functions

  • updated
  • Archived

From CW-7588576:

Partner is looking for a means to be able to use smart cards through a session to support smart card requirements for admin functions on remote systems. Notes that RDP supports a pass through device so local smart card is presented through the RDP session to the remote system for Authentication.

0
Tykisson

NIST 800-171 is now rolling into CMMC and this will be a must. If this option is not added then it will prevent me from using it and a lot of MSPs out there.

0
B Martin
Quote from Tykisson

NIST 800-171 is now rolling into CMMC and this will be a must. If this option is not added then it will prevent me from using it and a lot of MSPs out there.

Citation? All we needed was proper 2FA under 800-171, not necessarily smart cards. We have this working via Duo Push Notification (or basic TOTP) with CWC login now, the desktops protected by Duo as well.

1
Tykisson
Quote from B Martin

Citation? All we needed was proper 2FA under 800-171, not necessarily smart cards. We have this working via Duo Push Notification (or basic TOTP) with CWC login now, the desktops protected by Duo as well.

You are correct, proper 2FA is the requirement.

For a small business like us, the ease of implementing a PIV with Yubikey is very seamless and low cost. The Yubikey is a one-time cost and smart card authentication is built into the Windows domain environment. Duo is nice, but brings in added complexity and subscription costs. If ConnectWise would pass the USB Yubikey it would be an amazing feature.

0
B Martin
Quote from Tykisson

You are correct, proper 2FA is the requirement.

For a small business like us, the ease of implementing a PIV with Yubikey is very seamless and low cost. The Yubikey is a one-time cost and smart card authentication is built into the Windows domain environment. Duo is nice, but brings in added complexity and subscription costs. If ConnectWise would pass the USB Yubikey it would be an amazing feature.

You can use TOTP with CWC so not seeing a problem here still with the lack of smart card. I wouldn't be surprised if the concept of smart cards altogether ends up fading away.


Duo is CHEAP and the value it brings from a security standpoint is impossible to put a price tag on in my opinion. Its use goes far beyond securing CWC; it secures the Windows desktop, and all kinds of third-party systems.

Regardless, and with all due respect, if you need to comply with 800-171 and are worried about the cost of Duo, your security infrastructure as a whole is likely not going to be good enough. The audits are orders of magnitude more spendy, and your SIEM tool will be $$$$ too.

0
B Martin
Quote from Tykisson

You are correct, proper 2FA is the requirement.

For a small business like us, the ease of implementing a PIV with Yubikey is very seamless and low cost. The Yubikey is a one-time cost and smart card authentication is built into the Windows domain environment. Duo is nice, but brings in added complexity and subscription costs. If ConnectWise would pass the USB Yubikey it would be an amazing feature.

Besides, you should be able to use Yubikey with CWC RIGHT NOW. Configure CWC to use TOTP, then have your Yubikey generate said TOTP. Press the gold button with the cursor in the right box during login and presto.

0
Tykisson
Quote from B Martin

Besides, you should be able to use Yubikey with CWC RIGHT NOW. Configure CWC to use TOTP, then have your Yubikey generate said TOTP. Press the gold button with the cursor in the right box during login and presto.

I saw you can use it with the CWC login, but can it pass to the guest machine login?

0
B Martin
Quote from Tykisson

I saw you can use it with the CWC login, but can it pass to the guest machine login?

It does not pass through, you simply 2FA twice. One at CWC login, the other at Windows login. Duo protects both.

1
Benjamin

Any update on this?

0
Sean White Team Member
  • Archived