Thursday, October 3, 2013

Defending once authenticated: Time outs

After users are authenticated, what measures can be employed in order to maintain security when users are away from their computers?

Although it clashes with the desired convenience, or “user friendliness”, of the system and common and reliable security measure is to limited the authenticated session duration through a time out. Time outs assist in maintaining security because they cause authentication artifacts to stop assisting intruders in the event of a compromise. The replay attack on Kerberos discussed in our module demonstrates the value of a time out, because the “Kerberos authenticators include time stamps so that authenticators are valid only for a short period of time.” Attempting to resend an authenticator after that time window has expired will fail to provide the excepted authenticated action. (UMUC, 2011)

The time out protection philosophy is regularly seen in the protection of the authenticated user on desktop operating systems. This the protection being implemented when the a password protected screen saver or other lock-out style screen locks are used. Groves writes that “In the event that you are dragged away from your machine having the screen saver activate after a set period of time will help to prevent unauthorized access to the console.” (2003, pp. 11) Once configured, this protection assures that the authenticated user does not have to actively protect their session, merely not interacting with the computer for the duration of the time out will lock it down. They do have to re-authenticate afterwards, but an attacker who has accessed the system will be unable to act as them.

Groves, Z. (2003). A Best Practices Guide To Secure a Windows XP Professional Installation. SANS Penetration Testing Retrieved from:

UMUC. (2011) Authentication , CSEC-630 – Module 4. Retrieved from:

No comments:

Post a Comment