sindbad
New Member
December 15, 2018
Question

Fortitoken two factor remote desktop services

I have 100 software tokens and 10 hard tokens. I have it configured on the firewall so that when a user goes to rds.mydomain.com, he needs to log in with username and password through the FortiGate firewall. He will get a token. He can log in. That works fine. After that he does see the web apps on the RDS environment. Now the part that I need, because it's not working like I want it: when you log in to RDS and you click on an app, it gets downloaded. If you copy that app and send it to a friend, or someone grabs it from your PC, he can double-click the app and only needs your login name and password. There is NO two-factor authentication. That is a big problem. How to fix that? Regards

    2 replies

    sindbad (Author)
    New Member
    December 15, 2018
    See alexw's comment. Same issue. https://forum.fortinet.co..tm.aspx?m=130054&p=
    xsilver_FTNT
    Staff
    December 17, 2018

    Hi sindbad,


    If I got it correctly, then for access to rds.mydomain.com the user needs just username + password. Then he can get a token and apps.


    How about a few things:

    - first, if someone is about to steal a copy of your app, he will most probably manage to do so. But you can make it a bit harder.

    - full-disk encryption with additional decryption keys, so a stolen NTB is useless without the encryption keys

    - distribute tokens in advance so even access to RDS is token protected

    - access to RDS from outside only via VPN, which again needs a token to authenticate

    - so if the app handles some sensitive data from RDS (whatever it is for you), then it needs to go through the tunnel, which is already token protected

    - if authentication to the app only needs user+pass, then you can consider an additional token, or make the app authenticate against a centralized auth authority like FortiAuthenticator or that FortiGate, or anything talking RADIUS, for example

    - if the app handles sensitive data, then encrypt it locally

    - use crypto cards to authenticate, so the keys (for example even those for HDD full-disk encryption) are on the card; it's hard to get to the private keys, as most of the cards self-destruct when tampered with and cannot export the private key out of the card


    .. there are a lot of ways to make your environment at least a bit more secure.

    Think as an attacker and you will find a way in, then patch that hole and start to think again and again..