We know who you are
Different approaches to network authentication give you plenty of ways to prove yourself, but The National Registry, Inc.'s SAF/nt takes the prize for seamless integration with NT.
By John Duksta
When it comes to passwords, users are lazy. Most will use a word that can be found in a dictionary or a spouse's name, either of which can be guessed or hacked with minimal effort. You can force people to use stronger passwords, but often they'll just write them down on Post-it Notes and stick them to their monitors. And even obscure reusable passwords are subject to eavesdropping and shoulder surfing.

For strong security, you need strong authentication. This Buyer's Guide looks at two kinds of strong authentication methods: biometrics and token-based hardware. Biometric products employ a personal characteristic of a user - such as a fingerprint, face or voice - to determine that the person is who he says he is. Token-based products use a physical token (usually a credit card-size device) to verify identity, in much the same way that automated teller machines require a bank card and a personal identification number.

There are a number of strong authentication products on the market, each filling a certain niche. To level the playing field for this review, we tested products that bring strong authentication to the Windows NT domain logon. These products replace Windows NT Graphical Identification and Authentication (GINA), the component of the network client that handles user logons. All the products we reviewed encrypt communications between the client and the server, so none would be subject to sniffer attacks. For integration with Windows NT, we found The National Registry Inc.'s (NRI) Secure Authentication Facility for NT (SAF/nt) to be the best. The company has put a lot of effort into integrating its tools with the standard NT domain utilities. Those features, in combination with support for multiple biometric authentication methods, earn SAF/nt our World Class Award.
SAF/nt: Don't worry, be HA-API

With NRI's SAF/nt you're not limited to a single type of biometric authentication. The company has implemented the Human Authentication API (HA-API) in its products to allow you to use any qualified Biometric Service Provider (BSP) in conjunction with SAF/nt. NRI has qualified fingerprint, voice and face BSPs for use with SAF/nt.

The product's most impressive feature is its level of integration with Windows NT. Of all the products reviewed, it is by far the best in this category. The SAF/nt administration utilities are seamlessly integrated into the standard NT user and server managers. This eliminates the need for the system administrator to enter duplicate data. When you add a user to a domain, you merely have to click the "Biometric" button to configure the user's biometric settings and enroll them. The program also adds a check box in the server settings (under NT's Server Manager) to set the workstation or server as biometrically enabled.

Client use is equally intuitive. The NRI logon GINA prompts for user name and domain. If users are configured for biometric authentication, they are prompted to say the two numeric doublets to authenticate themselves; otherwise they are prompted to enter their regular NT domain passwords. If a workstation is not configured for biometrics, biometric users can enter their user names, domains and passwords as usual.

For the purpose of this review, we tested the SpeakerKey voice verification BSP from ITT Industries. The technology used in SpeakerKey was originally developed by ITT Industries for the National Security Agency for computer access control applications. SpeakerKey uses speaker-independent digit recognition in the form of pseudo-random number doublets (for example, "64-79," spoken as "sixty-four, seventy-nine") for authentication. During the enrollment process, users are prompted to say twelve doublets. During authentication, users are prompted to say two.
One downside to the SpeakerKey BSP is ITT Technology's requirement of a dongle on each machine, including the primary domain controller (PDC), running SpeakerKey. However, NRI is working with ITT to enable a software key instead. This introduced a little problem in the testing because we were only shipped one dongle and NRI doesn't recommend running the client GINA on the PDC. We were able to test with a local (rather than domain) logon on the workstation, and authentication time was always under 5 seconds. You should see similar results with a domain logon as well.

The SAF/nt server installation went smoothly. SAF/nt requires SQL Server to handle the database of biometric information. The only thing that we found confusing was that the manual instructs you to install the BSPs you are planning to use before installing the SAF/nt server package. At first we were a bit worried about getting locked out of the PDC, but NRI's support folks assured us that wouldn't happen. Installing the BSPs in advance keeps the SAF/nt server installer from complaining that it didn't find any. If you plan to use multiple BSPs, you should install them all before proceeding to install the server package. The client installation has the same prerequisite and also came off without a hitch. If you should ever need to remove a client, SAF/nt and all the other products we reviewed uninstall nicely and return the machine to the standard NT domain logon GINA.

For a primarily NT shop that wants to go with biometric authentication, SAF/nt provides a level of integration with NT far above any other product reviewed here. If most of the machines in your company have sound cards, as do most sold in the past couple of years, SAF/nt's voice authentication can be an inexpensive biometric option.
Mytec's Touchstone: fingerprint recognition not just for the FBI

Mytec Technologies, Inc.'s Biometric Logon for Windows NT is a software add-on that replaces the standard NT logon with biometric verification using the company's Touchstone fingerprint reader. Touchstone uses Mytec's BioScrypt technology, which takes the image of a fingerprint and cryptographically combines it with a key to create a unique identifier, called a BioScrypt, from which the fingerprint image cannot be reverse-engineered. The product includes fingerprint-reader hardware and software and Mytec's Biometric Logon for Windows NT application.

Enrolling a user through the BioScrypt Manager software on the client is straightforward. A user must enter a user name, password and domain. He is then prompted to leave four fingerprint images in the Touchstone unit. You can make users enroll while they are logged on under a domain administrator's account for an additional measure of security. Mytec uses a sliding technique to simplify image capture. Instead of having a user try to properly center his fingers every time, he slides a finger across a glass screen and the Touchstone unit captures the image when it is properly centered. It takes about a dozen practice runs to get the slide technique down pat.

Day-to-day use of Touchstone is easy. To log on to your workstation, enter your username and press Enter. You are then prompted to slide your finger across the Touchstone reader. The Mytec GINA loads your BioScrypt into the Touchstone. All the comparison work is done in the processor of the Touchstone unit in about half a second, making for a superfast logon process.

From a security standpoint, Touchstone is tight. You can configure the GINA to only allow biometric logons if you are protecting a certain workstation. You also can configure the GINA to require biometric logons for enrolled users and allow password logons for unenrolled users.
The product writes to the standard NT security logs, so if you've already set up an audit process nothing has to change. Installation couldn't be easier; it takes only three diskettes. At the PDC we selected the BioScrypt server option, which creates a shared directory for BioScrypts. By default, the BioScrypts share is set to be world-readable and world-writable. To tighten security, we recommend you give write access to domain administrators only. You need to leave it world-readable so the Biometric Logon client can access the shared directory before the user is logged on.

Oddly, Mytec currently does not recommend installing the Biometric Logon for NT on your PDC because the Mytec GINA has trouble with multiple domains. Mytec expects to have this problem fixed in the next release of the Biometric Logon for Windows NT software.

The workstation install was as easy as it was on the server side. The installation procedure installs a service that communicates with the Touchstone device and the Mytec GINA. The only real drawback with Touchstone is the high price. At $750 per workstation, the expense of this high-quality biometric product may prove prohibitive.
Miros TrueFace: Observe caution

If capturing fingerprints seems a little too much like law enforcement, you can also look authentication in the face. Face recognition products use a digital camera to validate the user in front of the screen. However, the face recognition product we tested, TrueFace Network 2.0 from Miros, Inc., could be a hassle to deploy in a large corporate environment. TrueFace has a kludgy user interface and requires a lot of administrative effort to maintain.

Security-wise, our main objection to TrueFace is its use of thresholds in the recognition process. For each user you can set a threshold ranging from zero to 10 to specify how close a match you want the product's neural network face recognition engine to make. You also set a default threshold for all new users. With the added administrative process of adding images to the database to compensate for different lighting conditions and false negatives, we can easily imagine administrators tweaking the threshold downward over time to compensate for the extra work.

User enrollment is simple, though it must be performed at a workstation logged on as a domain administrator or the enrollment application shuts down access to the video capture device. The application captures at least a couple of pictures of users by having them center their faces in the capture window and click in the image window. Miros recommends keeping about a dozen images of each user on the server, each with different lighting. The more images available to the neural network engine that performs the face recognition, the less chance it will toss out false negatives, which means it failed to recognize an authorized user.

From an end-user perspective, TrueFace is reasonably easy to use, but not very intuitive. To log on to a workstation, users need to enter their user names and domain passwords, then press Enter. A video capture window pops up, first in the top left corner of the screen and then in the top right corner.
There's no "OK" or "Capture Image" button on the window as you might expect; users must figure out that they need to click in the capture window to tell the application to take their pictures. Also, there are buttons on the window to adjust the color settings, but they seem to work only sporadically. If a user fails to authenticate on the first try, a message box pops up to tell the user he has three more attempts. If the user fails all attempts, his account is locked out until unlocked by an administrator.

Authentication time can be an issue if you don't have a really beefy server on the back end. All the image processing and comparison happens at the TrueFace server. Miros recommends a 200-MHz Pentium Pro with 96M bytes of memory as a minimum. With the recommended server configuration you should see authentication time between 5 and 15 seconds - not bad, but not as fast as Mytec's Biometric Logon for Windows NT. On our underpowered 133-MHz Pentium, TrueFace authentication took as long as 60 seconds.

The TrueFace Server Administrator program requires that you authenticate your own face to get into the package. (Don't worry, there's a default administrative user you can use for initial setup.) Once authenticated you can add, delete and edit user records, examine the authentication logs including the images captured, and add images to a user's profile. Fortunately, in Version 2.0 TrueFace can pull user data out of the NT Security Accounts Manager, saving you from having to re-enter data you already entered when you added users to the NT domain. You'll still be adding a lot of images to user profiles while you deploy the product. Until you get the right mix of images for the neural net, you'll probably have many false negatives to deal with, and many frustrated users. The biggest factor contributing to false negatives from TrueFace is lighting. It's best to have a few images from each possible lighting condition.
For an office under constant artificial lighting, this shouldn't be a problem. But for an office with a window, this takes some work to get the range of images just right. We had the opportunity to test the effect a change in hair color has on TrueFace. One of our testers lightened his hair from medium brown to light blond during the testing and TrueFace handled it just fine, showing that the product does focus solely on the facial features.

TrueFace's server installation went fairly smoothly. It requires that Microsoft SQL Server 6.5 be installed somewhere on your network (not necessarily on the PDC). While the initial server software install was fairly uneventful, we stumbled over the SQL Server Open Database Connectivity driver; it was unable to change the default database. However, Miros has clearly noted the workaround in the installation instructions. After you get the TrueFace server installed, you have to run a couple of SQL queries to set up its database in SQL Server.
ACE/Server with SecurID: An ACE in the hole

SecurID by Security Dynamics Technologies is a token-based authentication product; its server-side software component is ACE/Server. In order to log on to a system protected by SecurID, you must enter a passcode from a credit card-size token in place of a normal password. The token has an LCD display that displays a new passcode every 60 seconds, whether or not the user needs it. SecurID was originally designed to provide two-factor authentication for remote network access. Security Dynamics has since expanded the SecurID product line to provide two-factor authentication on Windows NT, Novell NetWare, Netscape server products, Microsoft Internet Information Server and all major Unix platforms.

We like SecurID for a large multiplatform environment, especially considering that it supports Remote Authentication Dial-In User Service for authenticating dial-up users. Security Dynamics provides a facility for importing user data, so if you can export it out of your NT domain you can save yourself the extra work. If you can't, you'll end up entering user data twice.

The ACE/Agent client is easy to use. If users are members of a group that requires authentication, they are prompted to enter SecurID passcodes when logging on to domain workstations. Security Dynamics has done a decent job of porting their traditionally Unix-based ACE/Server to Windows NT, but the administration graphical user interface (GUI) contains a lot of fields that are inappropriate in a purely Windows shop. There is a field for a default shell, for example, which makes sense in a Unix environment, but is meaningless to Windows. However, if you are managing a multiplatform environment, keeping all the information in a single server database could save you some hassle and secure all your computing and network resources. The server database runs on a Progress Software RDBMS32 run-time engine, and the administration GUI is a Progress 4GL application.
You definitely want to read the manual carefully before you start installing the product, including the booklet-size deployment guide. Two things to note: You need to install the server software onto an NT File System partition, and you should sync your server's clock to a Stratum 1 or 2 time server before installation. Stratum 1 time servers get their times directly from atomic clocks; Stratum 2 time servers get their time from Stratum 1 time servers. SecurID cards and their ACE/Servers must be time synced so their tokens agree.

The server installation process creates four NT groups specifically for SecurID, two for remote logon (via Microsoft's Remote Access) and two for console logon. If you assign a user to one of these groups, the ACE/Agent will prompt for a passcode during logon. Unfortunately, you cannot designate existing groups that must be authenticated instead of one of the four SecurID groups.

Client installation is simple. You install the client and copy a configuration file from your ACE/Server to the workstation.
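As an added illustration (not code from the article or from Security Dynamics) of why the ACE/Server and its tokens must agree on the time, here is a generic time-stepped one-time-passcode verifier in Python. It derives codes with HMAC-SHA1 in the style of RFC 6238 rather than SecurID's proprietary algorithm, uses the 60-second step the article describes, tolerates one step of clock skew on either side, and refuses any step at or before the last one accepted so a passcode seen once cannot be replayed. The seed, token serial and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60    # the tokens described above show a new passcode every 60 seconds
DIGITS = 6   # constructed passcode length for this example
DRIFT = 1    # how many 60-second steps of clock skew the server tolerates


def passcode(seed: bytes, t: int) -> str:
    """Passcode a token holding `seed` displays at Unix time t.

    Constructed stand-in in the style of RFC 6238 (HMAC-SHA1 over the time
    step, dynamically truncated); it is NOT the proprietary SecurID
    algorithm, but it shares the property that matters here: the code is a
    function of the shared seed and the current 60-second step only.
    """
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: per-token seeds plus the last time step each token used."""
    def __init__(self, seeds):
        self.seeds = dict(seeds)   # token serial -> shared secret seed
        self.last_step = {}        # token serial -> last accepted time step

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        step_now = now // STEP
        for delta in range(-DRIFT, DRIFT + 1):
            step = step_now + delta
            # One-time use: a step at or before the last accepted one is
            # dead, so a sniffed or shoulder-surfed passcode cannot be replayed.
            if step <= self.last_step.get(serial, -1):
                continue
            if hmac.compare_digest(passcode(seed, step * STEP), code):
                self.last_step[serial] = step
                return True
        # Either the code is wrong or the token's clock has drifted further
        # than DRIFT steps from the server's: the situation time sync prevents.
        return False


if __name__ == "__main__":
    seed = b"constructed seed, not a real token secret"
    server = Verifier({"000123": seed})
    print(server.verify("000123", passcode(seed, 1_000_000), 1_000_000))  # True
    print(server.verify("000123", passcode(seed, 1_000_000), 1_000_010))  # False: replay
    print(server.verify("000123", passcode(seed, 999_820), 1_000_120))    # False: 5 min drift
```

Raising DRIFT widens the window a stolen-but-unused code stays valid, which is why keeping both clocks on a Stratum 1 or 2 source beats loosening the verifier.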
Conclusions

Each product has its strengths and weaknesses, but for overall integration with Windows NT, NRI's SAF/nt wins hands down. NRI has done an excellent job of bringing strong authentication directly into the standard NT domain utilities. SAF/nt also has the advantage of being able to provide multiple types of biometric logon, something none of the other products provides.
Duksta is a systems engineer at GTE Internetworking in Waltham, Mass. He can be reached at firstname.lastname@example.org.
Copyright, 1995-2001 Network World, Inc. All rights reserved.