According to a 1996 Network Applications Consortium (NAC) study, users in large enterprises spend an average of 44 hours per year performing logon tasks to access a set of four applications. The same study revealed that 70 percent of calls to companies' Help desks were password-reset requests from users who had forgotten a password.
Single sign-on (SSO) is an approach that attempts to reduce the time users spend performing logon tasks and the number of passwords users must remember. The Open Group, an international vendor and technology-neutral consortium dedicated to improving business efficiency, defines SSO as the "mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where that user has access permission, without the need to enter multiple passwords" (http://www.opengroup.org/security/l2-sso.htm).
SSO solutions come in two flavors: solutions that deal with one set of user credentials and solutions that deal with multiple sets of user credentials. A good example of the first type of solution is a Kerberos authentication protocol-based SSO setup. A good example of the second type of solution is Credential Manager. Credential Manager is a new SSO solution that Microsoft offers in Windows Server 2003 and Windows XP. It's based on a secure client-side credential-caching mechanism. The Windows 2000 (and earlier) requirement that users must reenter the same credentials whenever they access resources on the same Internet or intranet server can be frustrating for users, especially when they have more than one set of credentials. Administrators often must cope with the same frustration when they have to switch to alternative credentials to perform administrative tasks. Credential Manager solves these problems.
Before Windows 2003 and XP, Microsoft provided application-specific solutions, such as Microsoft Internet Explorer's (IE's) credential-caching mechanism. Before diving into the nuts and bolts of Credential Manager, let's first look at the advantages and disadvantages of using SSO.
SSO Pros and Cons
SSO solutions that use one set of credentials (such as Kerberos) can make users', administrators', and Help desk operators' jobs easier. With this type of SSO solution, users need to remember only one set of credentials, which can prevent unsafe practices. For example, when users must keep track of many passwords, they sometimes develop bad habits that undermine security, such as writing their passwords on Post-it Notes and sticking the notes to the back of their keyboards. In addition, having only one set of credentials can save users time and effort because users need to change only one set of credentials at regular intervals. Having only one set of credentials can also save administrators and Help desk operators time and effort because they need to keep track of changes to only one entry for every user in the credential database.
SSO solutions that use multiple sets of credentials (such as Credential Manager) still provide the advantage that the user needs to remember only one password to log on. However, password maintenance is more complex in this type of SSO solution. Users must change the passwords of the different credential sets, but this type of SSO solution partially resolves the "key to the kingdom" problem.
An often-heard argument against using SSO solutions is the "key to the kingdom" problem: If intruders can obtain a user's SSO credentials, they have access to all the resources that those credentials secure. Although this argument has merit, you can take several actions to reduce this risk:
- You can implement an SSO solution that uses multiple credentials, such as Credential Manager. Although a successful logon unlocks the access to all the other credentials stored in Credential Manager's credential cache, users can't reset the other credentials if they don't know the original password. In addition, administrators can implement different credential policies for each set of credentials.
- You can use SSO credentials that are biometric-based (e.g., fingerprints) or possession-based (e.g., cryptographic tokens, smart cards) rather than knowledge-based (e.g., passwords). The use of multifactor authentication solutions such as smart cards or the combination of a smart card and biometric authentication for SSO can further reduce this risk.
Credential Manager 101
Credential Manager consists of three components: the credential store, the key ring component, and the credential collection component.
Credential store. Credential Manager keeps users' credentials in a client-side credential store. The user's primary credentials (also called default credentials) unlock the store. When users log on locally to a machine or domain, they use their primary credentials. A set of primary credentials can take one of three forms:
- A user ID and password.
- A user ID and a certificate or private key—You can store certificate- or private key–based credentials on a hard disk or smart card.
- A set of Microsoft Passport credentials.
Windows 2003 and XP use the Data Protection API (DPAPI) to secure access to the credential store's content. The credential store contains credential-target mappings. A target is the resource that the user accesses. To specify the target, you can use a DNS name or NetBIOS name. A target name can contain wildcards. For example, entering *.hp.com as the target name makes the associated credentials available to all targets whose DNS name ends with hp.com.
A target name is independent of the communication protocol that's used to access it. In other words, Credential Manager can deal with HTTP–, HTTP Secure (HTTPS)–, FTP–, and Server Message Block (SMB)–based resource access. Because the credential store is part of a user's profile, the store supports roaming.
When a user uses RAS to remotely log on to a Windows domain, Credential Manager automatically adds a wildcard target for the user's logon domain (e.g., *.hp.net) and corresponding credentials to the credential store. Credential Manager uses these credentials as the user's primary credentials during the RAS logon session.
Key ring component. Similar to a key ring that holds the keys to your house, office, or car, the Credential Manager key ring holds sets of credentials. The key ring component lets you manage the credential store's credential-target mappings and their properties. You view and modify the mappings and properties through the Stored User Names and Passwords dialog box. The Stored User Names and Passwords dialog box shows a list of all credential sets stored in the key ring. To modify a credential set, you select it and click Properties to bring up the Logon Information Properties dialog box, as Figure 1 shows.
How you access the Stored User Names and Passwords dialog box depends on the OS and the OS's UI:
- Windows 2003—Open the Control Panel Stored User Names and Passwords applet.
- XP's classic UI—Open the Control Panel User Accounts applet. Click the Advanced tab, then select the Manage Passwords option.
- XP's user-friendly UI—Open the Control Panel User Accounts applet and open the user account properties of the account with which you're currently logged on. In the Related Tasks list, select Manage my network passwords.
You can't modify all the credentials from the key ring UI. For example, you can't modify Passport credentials. You must modify Passport credentials from the Passport Web site.
Credential collection component. When Credential Manager detects that it can't use the primary credentials (or the credentials with which the user is currently logged on) to access a target, its credential collection component displays the Connect to dialog box, which Figure 2, page 8, shows. This dialog box prompts the user for alternative credentials. When the user selects the Remember my password check box, Credential Manager adds the credentials to the credential store. Then, the next time the user accesses the same target, Credential Manager automatically uses these credentials without prompting the user.
How Credential Manager Operates
To see how Credential Manager operates, let's consider a user named Bob who's working from his workstation, which is called bobws. Bob wants to access a share resource that's on a server called devserv. As Figure 3, page 8, shows, the following events occur:
- Bob logs on as bobws\bob, which is a local account.
- Through a Credential Manager–aware application (e.g., Windows Explorer), Bob uses the Universal Naming Convention (UNC) name \\devserv\share to access the share.
- The application asks the Local Security Authority (LSA) and an authentication package to authenticate to \\devserv.
- The authentication package queries Credential Manager for a set of credentials to use to access \\devserv. Credential Manager doesn't find a specific set of credentials, so it returns Bob's primary credentials (bobws\bob), which are the credentials with which Bob logged on.
- The authentication package tries to use the primary credentials (bobws\bob) to authenticate to \\devserv\share but fails.
- The LSA communicates this failure to the application, which calls on the credential collection component. This component brings up the Connect to dialog box.
- Bob enters appropriate credentials in the Connect to dialog box and selects the Remember my password check box to save the credentials.
- Credential Manager stores the credentials in the credential store.
- The application and authentication package use the new credentials to authenticate to \\devserv\share. This time, the authentication succeeds.
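As an added illustration of the walk-through above (teaching code written for this article, not code from Windows or from Credential Manager itself), the following Python model plays through Bob's session: a client-side store of credential-target mappings with wildcard targets, the fallback to the primary credentials when no mapping exists, the Connect to prompt with Remember my password, and finally the case in which a server-side password change leaves the stored password stale and repeated silent retries lock the account out. The precedence rules (an exact target entry beats a wildcard entry, and the longest matching wildcard pattern wins) and the three-strike lockout threshold are assumptions of the model, and the account names and passwords are constructed.

```python
"""Toy model of Credential Manager's credential lookup and Connect-to flow.

Constructed teaching code, not Windows code. Assumptions beyond the article:
an exact target match beats a wildcard match, the longest wildcard pattern
wins among several, and the server locks an account after 3 bad passwords.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, Optional, Set, Tuple

Credentials = Tuple[str, str]  # (user, password)
Prompt = Callable[[str], Optional[Credentials]]  # stands in for the Connect to dialog


@dataclass
class CredentialStore:
    """Client-side credential-target mappings, unlocked by the primary credentials."""
    primary: Credentials
    mappings: Dict[str, Credentials] = field(default_factory=dict)

    def add(self, target: str, creds: Credentials) -> None:
        self.mappings[target.lower()] = creds

    def lookup(self, target: str) -> Tuple[Credentials, bool]:
        """Return (credentials, found). A specific entry wins over a wildcard entry;
        with no entry at all the primary credentials are returned, as in Bob's case."""
        name = target.lower()
        if name in self.mappings:
            return self.mappings[name], True
        wild = [p for p in self.mappings if "*" in p and fnmatchcase(name, p)]
        if wild:
            return self.mappings[max(wild, key=len)], True  # assumed tie-break
        return self.primary, False


@dataclass
class FileServer:
    """Constructed stand-in for devserv: account database plus a lockout counter."""
    accounts: Dict[str, str]
    lockout_threshold: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def authenticate(self, creds: Credentials) -> bool:
        user, password = creds
        if user not in self.accounts or user in self.locked:
            return False
        if self.accounts[user] == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.lockout_threshold:
            self.locked.add(user)
        return False


def access_share(store: CredentialStore, server: FileServer, target: str,
                 prompt: Optional[Prompt] = None, remember: bool = False) -> str:
    """The walk-through's events: look up, try, prompt on failure, retry, store."""
    creds, _found = store.lookup(target)
    if server.authenticate(creds):
        return "ok:" + creds[0]
    if prompt is None:                # no Connect to dialog available (unattended)
        return "failed"
    alt = prompt(target)
    if alt is None:
        return "cancelled"
    if not server.authenticate(alt):
        return "failed"
    if remember:                      # "Remember my password" was selected
        store.add(target, alt)
    return "ok:" + alt[0]


def demo() -> Dict[str, object]:
    """Bob's session from the article, followed by the stale-password lockout case."""
    devserv = FileServer(accounts={"devserv\\bob": "s3cret"})
    store = CredentialStore(primary=("bobws\\bob", "local-pw"))
    connect_to: Prompt = lambda _target: ("devserv\\bob", "s3cret")  # what Bob types

    first = access_share(store, devserv, "devserv", prompt=connect_to, remember=True)
    second = access_share(store, devserv, "devserv")  # silent reuse, no prompt

    store.add("*.hp.com", ("hp\\bob", "hp-pw"))       # wildcard target from the article
    wildcard = store.lookup("files.HP.com")

    # Server-side password change that the client-side store never learns about:
    devserv.accounts["devserv\\bob"] = "n3w-pass"
    stale = [access_share(store, devserv, "devserv") for _ in range(3)]
    after_reset = access_share(store, devserv, "devserv",
                               prompt=lambda _t: ("devserv\\bob", "n3w-pass"))
    return {"first": first, "second": second, "wildcard": wildcard,
            "stale": stale, "locked": "devserv\\bob" in devserv.locked,
            "after_reset": after_reset}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last two results are the point of the model: once the stored password is stale, every automatic retry is a failed logon against the server, and after the lockout threshold even the correct new password entered in the prompt is refused until the account is unlocked.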
As Figure 3 shows, Credential Manager provides a great deal of automation. However, it doesn't automate all credential-related management tasks. For example, suppose that the Credential Manager on your PC stores the credentials necessary to access a remote share on a file server. If the administrator for that file server changes the password to access the share, the password won't automatically be changed in your PC's Credential Manager, which might lead to an account lockout.
Administrators who don't want client-side credential storage can disable Credential Manager with the Network Access: Do not allow storage of credentials or .NET Passports for network authentication Group Policy Object (GPO) setting. You can find this setting in the Windows Settings\Security Settings\Local Policies\Security Options directory. When you configure this setting, the change won't take effect until you restart Windows. You can use this setting in both domain and standalone Windows 2003 and XP setups. In a domain environment, you can use a GPO to enforce the setting. In a local setup, you would use Local Security Policy settings to configure it.
Windows 2003 includes the Cmdkey tool, which lets you manage the credential store from the command line. You can use Cmdkey to add, delete, and list credentials from the command line.
A Nice Addition
Credential Manager is a nice addition to the Windows OS. Although many people use it, few know how it works. I hope I've not only shed some light on how Credential Manager works but also given you a few tips about how to use it.