randy1617
New Member
December 20, 2017
Question

FortiAuthenticator Security bug?

  • December 20, 2017
  • 2 replies
  • 2729 views

Came across something interesting during a security test. If you have the FortiAuthenticator Windows agent on a machine like RDP, you can hit the back button, then "Other user", and log in without any OTP, essentially bypassing the entire OTP system. You can use this workaround during initial login and also when you try to unlock a PC with OTP on it. Is anyone aware of this or found a way to prevent it?

The system tested on was Server 2012 R2

    2 replies

    Jeremy_Browne_FTNT
    Staff
    December 20, 2017

    I'm fairly confident what you're describing here is one of the login tiles managed by the built-in Microsoft Credential Provider. This can be turned off by toggling the checkbox to disable the built-in provider on the "Credential Provider Options" tab in the FortiAuthenticator Agent for Windows configuration GUI and clicking Apply.


    We don't disable it by default to avoid people locking themselves out of machines before they have had a chance to configure the agent, but we do expect this to be done for production rollouts. (A couple of messages are printed into the configuration debug log when the option is toggled, should you suspect that this has been set previously but somehow changed.)


    Regards,

    Jeremy

    Carl_Windsor_FTNT
    Staff
    December 21, 2017

    Jeremy @ FTNT has replied but I notice his message has been held for approval for some reason.


    This is probably because you have the default credential provider enabled which allows this fallback during the setup and testing process to avoid an incorrect config locking you out of the system.  See p.22 of the Windows Agent Admin Guide where this is described and p.17 Live Deployment where it is explained how to disable this.
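Both replies above come down to the same check: is the built-in Microsoft password credential provider still offering its tile on the host? The following PowerShell audit is an added example, not code from the thread or from Fortinet, and it does not depend on how the agent's "Credential Provider Options" checkbox is implemented internally. It assumes the standard registry location for credential providers and filters, the common "Disabled" DWORD convention for switching a provider off, and the well-known CLSID of the built-in PasswordProvider; run it before and after applying the agent setting and compare.

```powershell
# Added audit example (not from the thread or the FortiAuthenticator agent).
# Assumptions: standard provider/filter registry keys, the "Disabled"=1 DWORD
# convention, and the built-in PasswordProvider CLSID shown below.
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$FiltersKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$PasswordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # built-in Microsoft PasswordProvider

function Get-CredentialProviderState {
    param([Parameter(Mandatory)][string]$Key)
    # Each subkey is a provider (or filter) CLSID; resolve its DLL so third-party
    # entries such as the FortiAuthenticator agent can be told apart from Microsoft's.
    Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid    = $clsid
            Name     = $props.'(default)'
            Dll      = $dll
            Disabled = [bool]($props.Disabled -eq 1)
        }
    }
}

Write-Host "Registered credential providers:"
$providers = Get-CredentialProviderState -Key $ProvidersKey
$providers | Format-Table Clsid, Name, Dll, Disabled -AutoSize

# Filters can hide tiles without the provider being marked Disabled, so list them too.
Write-Host "Registered credential provider filters:"
Get-CredentialProviderState -Key $FiltersKey | Format-Table Clsid, Name, Dll -AutoSize

# Verdict on the specific tile discussed in the thread.
$pw = $providers | Where-Object { $_.Clsid -ieq $PasswordProviderClsid }
if (-not $pw) {
    Write-Warning "Built-in PasswordProvider not registered; nothing to check."
} elseif ($pw.Disabled) {
    Write-Host "OK: built-in PasswordProvider is marked Disabled."
} else {
    Write-Warning "Built-in PasswordProvider is ENABLED; its 'Other user' tile may allow a password-only logon unless a filter hides it."
}
```

If the agent suppresses the tile through a filter rather than the Disabled flag, the warning still fires; in that case the filter listing is the line to compare against the vendor's documented behaviour.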