before leaving me start first ... say
"All page NetScaler Gateway landing adjustments are not supported. the lead change NetScaler Gateway landing page that you have an unsupported environment. I do not tolerate malicious attempts to terminate user accounts. the purpose of this article is to provide a current risk and the to highlight measures. "
Now that that's out of the way, let's start with the adjustments 😉
- the current recommended configuration for two factor authentication with NetScaler is available here. http://support.citrix.com/article/CTX12536
- In the configuration described in the article pointed out above, web-based user, the first hit authenticate AD.
- Ideally, we would want to follow the authentication workflow configured the native receiver.
- The native receiver evaluates RADIUS first, and if this is successful, then the LDAP policy is called.
What's the risk on the configuration of leaving exactly how the product configuration Outlined Hat?
If Bob a malicious user knows username Alice, then Bob could enter a bogus password times 3 and lock Alice account. Bob could do this as he wanted, to a degree at their place went to stop Bob so often. If Bob knew many usernames and had some knowledge of scripting tools like JMeter, it could be a large number of user accounts terminate effective as DOS functions. This would be bad, and I, again I do not tolerate such an attack.
What can we do to minimize these risks?
The quick and easy way to do it is to change the web authentication policy so that they match the native Receiver (RADIUS as the primary, LDAP as secondary). However, this user is to force to enter their RADIUS passcode before entering their AD user name. Most companies want users the dynamic pin must enter a 2nd password.
How can we risk and have the dynamic token to the second user password mitigate?
Similar to the fast and easy method, we would RADIUS authentication need to make primary and secondary LDAP authentication. Now we have to adjust some JavaScript on the NetScaler. The /vpn/login.js file is what we have to adapt. This file can be found under "vpn / login.js / NetScaler / ns_gui /". What will we do, the order of values is POST change.
The JavaScript has Below the original values in Bold that we change.
—————————————————————————————————————————————————————————————————————————————-
function ns_showpwd_default () {var = pwc ns_getcookie ( "pwcount"); document.write ( '
—————————————————————————————————————————————————————————————————————————————-
The JavaScript below contains the edited fields so that when a user POSTs their credentials, NetScaler RADIUS can evaluate before AD to contact. The values passwd1 and passwd reversed .
—————————————————————————————————————————————————————————————————————————————-
function ns_showpwd_default () {var = pwc ns_getcookie ( "pwcount '); document.write ('
—————————————————————————————————————————————————————————————————————————————-
With this configuration, ...
We can remove an avenue for attackers would-users who intend to terminate, while still having the token passcode as the second password field. Also below are some relevant links for NetScaler Gateway adjustments.
http://support.citrix.com/article/CTX125364
http://support.citrix.com/article/CTX126206
http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-connect-custom-theme-page-tsk.html
Have you ever worked in an organization that has come under attack by user lockouts? What has been done to mitigate the risk?
let us know in the comments below and feel free to ask questions!
Thanks for reading,
0 Komentar