tech-man83 Absent Member.

PBA vs Non-PBA

I'm currently working on our FDE policy for some of the road warriors and pondering about the use of the PBA. Windows 7 SP1 64-bit / ZCM 11.2 / Novell Client 2 SP2 IR1

PBA with SSO:
Pro: More secure, users only have to log in once
Con: When offsite SSO doesn't work as elegantly. We run eDir + Novell FS with the Novell Client, so users need to wait for it to time out, then click 'Novell Login' instead of their username and then select 'Computer Only'. Very unintuitive.

PBA:
Pro: As secure as above
Con: Users need to log in twice

Non-PBA:
Pro: Completely seamless
Con: Potentially less secure.

Is there anything I'm missing? At this stage using the PBA looks to be a bit of a showstopper. I wonder if there are any plans to make the 'Computer Only' part of the novell client a bit more seamless, it is really the only pain point here.

Leon
bbeachem Absent Member.

Re: PBA vs Non-PBA

That is a good summary. For many of our customers to be in compliance with various regulatory or other requirements, having the disk encrypted and NO PBA suffices. Obviously at this point, you're relying on the strength of the Windows password (or eDIR + Windows in your case). However, there are "best practices" and security levels for this that are more than adequate. So it is a VERY valid option that is secure.
If your security requirements also mandate authentication prior to decryption, then you have to use a PBA as you've outlined.

Can you tell me what you mean by eDIR + Novell FS? What is the acronym FS?

I would like to have an SR open on the SSO issue you're experiencing as that workflow should work. If not out of the box, then it's a bug we need to fix. There are some outstanding issues depending on the version of FDE you're using as well, so upgrading to 11.2.1 is recommended for FDE for your case of SSO. However, there is a specific upgrade process you'll need to go through that is listed in a TID for FDE.
tech-man83 Absent Member.

Re: PBA vs Non-PBA

bbeachem;2220033 wrote:
That is a good summary. For many of our customers to be in compliance with various regulatory or other requirements, having the disk encrypted and NO PBA suffices. Obviously at this point, you're relying on the strength of the Windows password (or eDIR + Windows in your case). However, there are "best practices" and security levels for this that are more than adequate. So it is a VERY valid option that is secure.
If your security requirements also mandate authentication prior to decryption, then you have to use a PBA as you've outlined.

At this stage we aren't going down the smart card path, so will be relying on the login password anyway. There are policies regarding password strength, so going down the non-PBA route is how we'll go to begin with. The main risk we're mitigating is the stolen laptop scenario, which this will cover off nicely. If we get PBA working in a seamless manner, updating the policy is really easy. I must say however, the whole FDE process is really slick and simple, especially considering we had all the other infrastructure in place already.

bbeachem;2220033 wrote:
Can you tell me what you mean by eDIR + Novell FS? What is the acronym FS?
Sorry, Novell eDirectory + Novell File Services. None of the end user machines connect to a Windows domain. The only pain point in regards to the Novell Client is how it works offsite, which these days is a much more common scenario than the building full of desktops. You have to choose Computer Only if offsite, or Novell Login when onsite. This is still better than the failure of domain accounts on local workstations that I have witnessed before today!

bbeachem;2220033 wrote:
I would like to have an SR open on the SSO issue you're experiencing as that workflow should work. If not out of the box, then it's a bug we need to fix. There are some outstanding issues depending on the version of FDE you're using as well, so upgrading to 11.2.1 is recommended for FDE for your case of SSO. However, there is a specific upgrade process you'll need to go through that is listed in a TID for FDE.

We're currently on 11.2 and had only just finished the client rollout when 11.2.1 came out. Deploying 11.2.1 is on our to-do list, but between holidays and a number of other projects in the queue I haven't managed to test things out in Dev yet. I can't seem to find any TIDs at the moment, however I recall reading them and nothing really stood out.

I'll raise an SR shortly, happy to diagnose/investigate further.
tech-man83 Absent Member.

Re: PBA vs Non-PBA

SR raised: #10793631911

Leon
tech-man83 Absent Member.

Re: PBA vs Non-PBA

As suspected, this is all working as designed. The PBA can't detect network/non-network connectivity, so will just default to however the client is set.

The way to fix this would be for the Novell Client to do this automatically. I should re-assess our client configuration, probably raising a question on the Client section of the forums.
bbeachem Absent Member.

Re: PBA vs Non-PBA

Thanks for all the additional info. We can review the SR and work with you through that channel to help make it even more seemless.
shaunpond Absent Member.

Re: PBA vs Non-PBA

Bbeachem,

ahem "seamless"... we don't want it to "seem less" 😉

--

Shaun Pond