Scorpion Software Corporate Weblog
August 26, 2008
Update available for the Windows Logon Agent
Today we are re-releasing the v1.6 Windows Logon Agent update. It would be easy for us to simply update the file and be done with it, but I think it is only fair that we explain WHY we are re-releasing it.
At Scorpion Software we work hard to streamline the efficiencies when it comes to our development and test processes. Recently we introduced a new automated build and testing process that fully tests a suite of conditions we look for on a regular basis for our upcoming releases. In the midst of these changes, we introduced a problem in how our source control system functions and ended up merging an old unfixed source file into our release code. The result was that the fixes in our March 3rd release were lost in the latest v1.6 build. The code itself wasn't actually lost and was properly secured in our source control vault; we simply had to remove the stale file and reapply the fix with the good file.
In discussion with some of my peers at other software companies serving the SMB space, most of them said I should simply release the fix quietly and move on. I don't think that is fair to our clients. I think you should know when we make a mistake like this. And more importantly, I think you should know what we have done about it. Here is a list of the outcomes from this experience:
- We have updated our stable build system to ensure it can no longer check out code except for its particular branch. Each major release will now include a complete file structure backup to match this to ensure we do not "break" old code.
- All critical bugs reported in the Defect Tracking System now must be accompanied with an automated functional test script. It is the responsibility of Customer Service to ensure that QA knows of the defect and that QA builds the appropriate test(s) for the developers before they are assigned the bug. If a test cannot be provided, a detailed manual test document must be included.
- No developer is allowed to check in code until it passes the automated test(s).
- Once the developer has checked in the code to fix a defect, the automated test will be merged into the automated test system that runs all daily tests, to ensure we do not reintroduce a bug. This in itself would have alerted us to our recent mistake, and prevented us from releasing it.
- Once a critical bug is fixed, it will be reviewed at the next team meeting to see if the class of bug may impact other parts of code. If so, the mandate at the company is to reduce those defects by following the above process over and over again until all code coverage is met.
I'd like to thank our clients who have been patient with us as we investigated what happened here. The fix was actually done last week, but we have not released the fix until today so we could have time to completely understand how it occurred, and ensure we properly addressed it.
You can download the latest version of the agent from our Upgrade and Update Center or through our Zero Media Install website.
Posted by Dana Epp at 08:30 AM
July 31, 2008
Major update of the AuthAnvil Windows Logon Agent released
For those customers who are deploying strong authentication with AuthAnvil to their Windows XP workstations and Windows Server 2003 servers, today we have released a new version of the AuthAnvil Windows Logon Agent which adds the following new features:
- Provides for the ability to provide your own brand on the logon dialog for our AuthAnvil Certified Partners
- Allows for silent mode install for batch/remote installation
- Allows for Active Directory Software Deployment policies of the agent (via MSI) for our AuthAnvil Certified Partners
- Allows for configuration to require a password to uninstall the agent
- No longer requires the AuthAnvil DCOM Bridge!!
The last item is the big one for us. The elimination of the AuthAnvil DCOM Bridge will prevent the most common support case we get at Scorpion Software, which is people inadvertently installing the agent BEFORE installing the DCOM Bridge, even though the documentation is very clear on the proper order of things. By no longer needing the DCOM Bridge, we can also now more easily deploy the agent in an automated way for those clients who wish to do so.
You can download the latest version of the agent from our Upgrade and Update Center or through our Zero Media Install website.
You can get the latest version of the AuthAnvil Windows Logon Agent Implementation Guide (which has a new Appendix describing the silent mode options now supported) here.
Posted by Dana Epp at 10:08 AM
July 21, 2008
On-Demand Authentication for the SMB
Last week Vlad Mazek, CEO of Own Web Now, announced that they were now offering on-demand two-factor authentication services using our AuthAnvil platform as the base.
This is an exciting opportunity for the SMB, as you can now get a resilient two-factor authentication solution pre-installed and running in a dedicated data farm anywhere in the world, for less than $20/month per user. No signup fees. No need to pay for tokens in advance. No need to setup and configure a server to run our software. It just "works", out of the box. From one user to thousands, you can now get the on-demand authentication you deserve.
With Own Web Now having multiple data centers in the US, and two new ones in London UK and Sydney Australia, you can expect to get the intercontinental redundancy you would expect from such a service. From the experts who know how to build such powerful cloud infrastructure. Using software built by the experts in strong authentication for small business.
And the greatest thing is, this new two-factor authentication system is being built in to all their services. So now you can have the option to get two-factor authentication in Outlook Web Access 2007 for Exchange, in Sharepoint 2007 and in their CRM and service management platforms. And there are new services we are currently building with them that we expect to release later this year that will extend that even further in the cloud.
Vlad invited me on his company's podcast where we discuss this new opportunity for the SMB. As Vlad pointed out on the company blog:
We are extremely excited to offer this solution at just $20/user/month because it breaks the pricing barrier that kept this type of an offering from becoming mainstream in SMB. With more mobility, more cloud services, more people involved in IT systems management, two factor authentication is something to discuss with your prospects, clients, staff and bosses. Tune in and listen to us address many security pain points and how we believe this announcement solves them.
Click here to download the podcast, runtime 50 minutes.
Posted by Dana Epp at 10:00 AM
June 23, 2008
AuthAnvil RADIUS Server gains Active Directory Awareness
For those customers who are deploying strong authentication with AuthAnvil using RADIUS, today we are excited to release a new version of the AuthAnvil RADIUS Server (v1.5.6.4) which adds a lot more functionality and increases the effective use of our product.
With this release, the AuthAnvil RADIUS Server (AARS) now includes Active Directory integration that allows you to:
- Limit RADIUS access to a specific Active Directory Security Group.
- Fail over to a Windows authentication if the user is not a member of the RADIUS group.
- Respect a disabled Windows account. If the account is disabled, the user is not allowed to log on. In this way, even if an administrator forgets to disable the user's token in AuthAnvil, but does delete or disable his account in AD... the user won't get in.
- Check the "Remote Access Permission" dial-in privilege and respect it if it's set in the user's account.
By making this addition, it is now possible to scale the deployment of AuthAnvil in RADIUS environments and focus on subsets of users who may be at higher risk when remotely connecting to the office, and who should require two-factor authentication. We have also added the ability to support RADIUS Proxy-State, which means you can further control this in conjunction with other RADIUS servers such as Microsoft's IAS server to provide realm or domain level proxying to the AARS.
This new engineering change also delivers an added benefit. For many entry level firewalls that support RADIUS but not LDAP, it is now possible to provide Active Directory awareness to the device through AARS. This makes it much more cost effective to add the AD awareness without having to reinvest in new network hardware.
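The four AD-awareness rules above compose into one authorization decision per RADIUS Access-Request. The following is an added example written for this post, not Scorpion Software's code: the directory, the passcodes, the group name and the order in which the checks are applied are constructed assumptions, and the token validation is replaced by a lookup so it runs offline.

```python
"""Authorization flow modelled on the four AD-awareness rules listed above.

Added example, not Scorpion Software's code: the directory, the token
passcodes and the group name are constructed stand-ins, and the order of
the checks is an assumption about how such rules compose.
"""
import hmac
from dataclasses import dataclass, field
from typing import Tuple

RADIUS_GROUP = "RADIUS-2FA-Users"  # assumed name of the AD security group


@dataclass
class ADUser:
    name: str
    password: str                     # stand-in for the Windows credential check
    groups: set = field(default_factory=set)
    disabled: bool = False            # AD "account is disabled" flag
    dialin_allowed: bool = True       # AD "Remote Access Permission" (dial-in)


# Constructed directory; none of these are real accounts.
DIRECTORY = {
    "alice": ADUser("alice", "Pa55w0rd!", {RADIUS_GROUP}),
    "bob":   ADUser("bob",   "Hunter2!",  {RADIUS_GROUP}, disabled=True),
    "carol": ADUser("carol", "Corr3ct!",  set()),
    "dave":  ADUser("dave",  "D4ve!!!!",  {RADIUS_GROUP}, dialin_allowed=False),
}

# Constructed one-time passcodes standing in for the token validation call.
VALID_PASSCODES = {"alice": "482913", "bob": "117720", "dave": "903341"}


def passcode_ok(username: str, passcode: str) -> bool:
    expected = VALID_PASSCODES.get(username, "")
    return bool(expected) and hmac.compare_digest(expected, passcode)


def radius_authorize(username: str, credential: str, *,
                     fail_over_to_windows: bool = False,
                     honor_dialin_permission: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one Access-Request."""
    user = DIRECTORY.get(username)
    if user is None:
        return False, "unknown user"
    # A disabled AD account never gets in, even if its token is still live.
    if user.disabled:
        return False, "account disabled in AD"
    # Honour the dial-in ("Remote Access Permission") setting when asked to.
    if honor_dialin_permission and not user.dialin_allowed:
        return False, "remote access permission denied"
    # Members of the RADIUS group must present a two-factor passcode.
    if RADIUS_GROUP in user.groups:
        if passcode_ok(username, credential):
            return True, "two-factor passcode accepted"
        return False, "invalid passcode"
    # Optional fail-over to plain Windows authentication for non-members.
    if fail_over_to_windows:
        if hmac.compare_digest(user.password, credential):
            return True, "windows password accepted (not in RADIUS group)"
        return False, "invalid windows password"
    return False, "not a member of the RADIUS group"


if __name__ == "__main__":
    for name, cred in [("alice", "482913"), ("bob", "117720"),
                       ("carol", "Corr3ct!"), ("dave", "903341")]:
        print(name, radius_authorize(name, cred, fail_over_to_windows=True))
```

The disabled-account check sits ahead of the token check on purpose: that ordering is what makes the "administrator forgot to disable the token" case above fail closed.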
Many thanks to Derek Kuhr from Heartland Technology Solutions for the investment of his time to listen to our design decisions and give us feedback on the architectural changes. His input was vital in helping us to determine the most effective way to provide AD integration and support common Sonicwall and Cisco VPN concentrators and firewalls that are used in the SMB market.
You can download the latest version of the agent from our Upgrade and Update Center or through our Zero Media Install website.
Posted by Dana Epp at 03:05 PM
May 29, 2008
Update to the AuthAnvil RADIUS Server released
For those customers who are deploying strong authentication with AuthAnvil using RADIUS, today we have released a new version of the AuthAnvil RADIUS Server (v1.5.4.1) which fixes a couple of bugs and resolves a few known issues, including:
- You no longer have to remove the domain name in Connection Manager when connecting to SBS servers.
- You no longer receive an async UDP socket error if you send multiple login requests at the same time from the same IP.
- You can now use periods, underscores and underlines in the username.
- The aaradiustest tool exception handling has been refactored to handle more general usage.
- There have been performance improvements in the initial handshaking.
You can download the latest version of the agent from our Upgrade and Update Center or through our Zero Media Install website.
Posted by Dana Epp at 01:53 PM
May 27, 2008
Preventing administrator access to RWW with AuthAnvil RWWProtect
For those people that didn't tune into the radio broadcast last week, Scorpion Software released a FREE tool to the community called "AuthAnvil RWWProtect" that allows better control of administrative logon behaviour for Small Business Server's Remote Web Workplace (RWW). Included in this is easier to understand logging for RWW, and the ability to also add two-factor authentication (2FA) to RWW for administrators if you wish to.
My favorite quote from the community comes from Kerry Brown, who after hearing about RWWProtect sent an email to me that simply said:
Thank you Dana! I have a couple of servers that are being hammered on RWW very early every morning for a couple of hours. Every morning I have to figure out where it's coming from and block the IP. Now I don't have to wade through firewall logs to find the IP and I can block admin access. Thank you, thank you.
So if you want to prevent administrators from logging into your network via RWW, then feel free to download your own copy today. It is absolutely free. Of course, if you also want to add 2FA, you might want to check out our AuthAnvil product at www.authanvil.com. (In case you aren't a customer already :-) )
You can check out AuthAnvil RWWProtect here.
Posted by Dana Epp at 05:25 PM
May 20, 2008
Announcing the AuthAnvil Virtual Lab
When it comes to two-factor authentication (2FA), it is sometimes difficult to evaluate the varying solutions that exist out there. Having to buy NFR product from every vendor isn't always the best way to handle it, and can get rather expensive fast. Some vendors have battled this by sending out a single token on request, leaving you to try to fend for yourself. You wait weeks for the delivery, only to find it doesn't actually include all the software and agents that you will need or be using.
In the SMB space, that sort of patience doesn't exist. You won't wait, and you definitely won't spend the money on NFR product. So at Scorpion Software, we decided to take a different approach. The old days of archaic snail mail demo tokens are gone!
Introducing the AuthAnvil Virtual Lab.
Ever wanted to try out AuthAnvil, but weren't sure how it would work? Ever wanted to do something weird with AuthAnvil, but didn't want to screw up your production environment? Really want to see how easy it is to install? No problem.
Quickly evaluate and test Scorpion Software's newest products through a series of guided, hands-on labs you can complete in 60 minutes or less. You can schedule time in the AuthAnvil Virtual Lab at your convenience, for free.
Leveraging virtualization technology, the AuthAnvil Virtual Lab team will continue to produce various public and private LAB sessions that you can book. Partners will enjoy the ability to use private labs showcasing new technology, and even challenge your technical skills on purposely "broken" environments you can practice on. ISVs working with us to provide an "AuthAnvil Protected Solution" can book time to integrate their product with ours, and can even join us by offering their own demo product to include in the LAB. Imagine being able to test critical LOB applications right on the LAB machine!
And don't worry if you break it. Every hour the system wipes the disks and preps an entirely new set of virtual machines for the next set of users.
Right now we have two LABs for you to try. The first is a clean Windows Server 2003 environment which you can use to try installing AuthAnvil yourself. The second is a completely preinstalled environment, allowing you to see AuthAnvil in action on your own time. Try out the AuthAnvil Manager, Windows Logon Agent, Web Logon Agent and RADIUS server all without even having to install it.
Have suggestions or ideas for new LABs? Let us know. We are dedicating time to make sure you have the environments you need to properly evaluate, test and deploy AuthAnvil, as well as provide an interesting way to educate your staff on how to configure and use our products.
Want to give it a try? Visit the AuthAnvil Virtual Lab today.
Posted by Dana Epp at 11:38 AM
May 15, 2008
Protecting Kaseya with AuthAnvil? Please read this!
To all our customers that are using AuthAnvil to provide strong authentication and identity assurance to the Kaseya IT automation system, you will want to upgrade your Web Logon Agent to v1.5.3.7 from the Upgrade Center. Let me tell you why.
In our original agent, we trapped logon requests directly in stream, allowing for authentication to AuthAnvil in the same process space of Kaseya. This worked fine to handle Kaseya's internal methods for communicating with itself along with the whitelisting functionality that exists. It broke Kaseya reporting and alerting in an ugly way when we changed the architecture to authenticate AuthAnvil on a different web site with our last release.
It appears Kaseya's system is not capable of handling HTTP 302 redirect requests, and prevents the ability to redirect to an authentication service and back directly. You will see instead (if you log in as a master administrator) a dialog box pop up stating that due to a misconfiguration it cannot communicate with localhost.
If you have the AuthAnvil Web Logon Agent installed and run through Kaseya's diagnostic steps as defined in their KB280006 article, their curltest diagnostic tool will show it can indeed communicate with the server, and that it sees the 302 request. It simply doesn't honour it.
We have reached out to Kaseya to work with their development team to see if they can start honouring the HTTP standard in this regard, but we realize you guys need a solution sooner than that. As such, we have created a special "fix" that will enable our clients who use Kaseya to properly secure their portal.
There is a new registry switch called "AllowLocalHost" which will whitelist 127.0.0.1 without the need for a redirect, effectively enabling Kaseya to communicate with itself while still allowing for AuthAnvil strong authentication protection. This will bypass the need for a tamper resistant session cookie, and will allow Kaseya to properly allow the requests in.
The downside to this approach is that if you use this switch, you cannot enforce strong authentication on the IIS server itself if a user goes to https://localhost to access Kaseya. So plan your protection scope carefully. If you wish to enforce strong authentication for particular admins, do not give them log in rights to the IIS web server itself.
During review of this fix and analysis of the possible attack vectors opened by providing it, we are confident this method balances the usability needs for Kaseya with the security requirements of AuthAnvil. We have NOT made this switch available in the general UI, making you complete the change manually. You can read more on how to do this in the AuthAnvil Web Logon Agent Implementation Guide.
Many thanks to the various Kaseya customers who allowed us to roll out this fix for testing in the last week. We appreciate your trust and patience with us. You know who you are ;-)
Posted by Dana Epp at 11:46 AM
May 06, 2008
Major update to the AuthAnvil Web Logon Agent released
For those customers who are deploying strong authentication with AuthAnvil to their IIS web servers, today we have released a new version of the AuthAnvil Web Logon Agent which significantly changes the behaviour of the authentication process to make it much cleaner and faster.
By moving the AuthAnvil Web Logon Agent into its own website within IIS, AuthAnvil can now:
- Protect dedicated web applications that have restrictive Web.Config files that will not permit AuthAnvil to function properly
- Enforce the requirement of SSL communications for all authentication requests.
- Ensure AuthAnvil gets the proper Application Pool that it requires, reducing configuration problems.
- Significantly speed up authentication processing.
- Protect Sharepoint and more specifically Small Business Server's companyweb.
- Allow for a larger number of whitelisted IPs. You can now have more than a single subnet.
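The list above and the AllowLocalHost switch from the Kaseya post describe the same request-gating decision from two angles: SSL is required for authentication, whitelisted sources (now more than one subnet) are let straight through, everyone else needs a valid session or gets a 302 to the authentication site, and AllowLocalHost adds a bypass for 127.0.0.1 that needs neither. The following is an added example, not the AuthAnvil Web Logon Agent's code; the subnets, cookie format, signing key and redirect URL are constructed assumptions.

```python
"""Request gating for a web logon agent, combining the feature list above
(SSL enforced for authentication, whitelist of more than one subnet, 302
redirect to a separate authentication site) with the AllowLocalHost switch
described for Kaseya.

Added example, not the AuthAnvil agent's code: the subnets, cookie format,
signing key and redirect URL are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

AUTH_SITE = "https://auth.example.test/logon"             # assumed redirect target
COOKIE_KEY = b"constructed-demo-key-not-for-production"    # stand-in for the agent's secret
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.5.0/24")]  # two subnets
LOCALHOST = ipaddress.ip_address("127.0.0.1")


def issue_session_cookie(username: str) -> str:
    """Tamper-resistant cookie: the value plus an HMAC over it."""
    tag = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def session_cookie_valid(cookie: Optional[str]) -> bool:
    if not cookie or "." not in cookie:
        return False
    username, tag = cookie.rsplit(".", 1)
    expected = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def gate_request(remote_addr: str, scheme: str = "https",
                 cookie: Optional[str] = None, *,
                 allow_localhost: bool = False) -> Dict[str, object]:
    """Decide what the agent does with one request to a protected site."""
    if scheme != "https":
        return {"status": 403, "reason": "authentication requires SSL"}
    addr = ipaddress.ip_address(remote_addr)
    # AllowLocalHost: 127.0.0.1 is let in with no redirect and no session
    # cookie, which is exactly why local logons on the IIS host bypass 2FA.
    if allow_localhost and addr == LOCALHOST:
        return {"status": 200, "reason": "AllowLocalHost bypass"}
    if any(addr in net for net in WHITELIST):
        return {"status": 200, "reason": f"whitelisted source {addr}"}
    if session_cookie_valid(cookie):
        return {"status": 200, "reason": "valid session cookie"}
    return {"status": 302, "location": AUTH_SITE,
            "reason": "no session; redirect to authentication site"}


if __name__ == "__main__":
    print(gate_request("127.0.0.1"))                          # 302 without the switch
    print(gate_request("127.0.0.1", allow_localhost=True))    # 200, no cookie needed
    print(gate_request("203.0.113.9", cookie=issue_session_cookie("alice")))
```

Note that the loopback bypass is evaluated before the cookie check, so a request from the IIS host itself is never asked for a session at all; that is the scope caveat the Kaseya post asks you to plan for.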
You can download the latest version of the agent from our Upgrade and Update Center.
We have also updated the Web Logon Agent Implementation Guide. You can download it from our Content Library.
Many thanks to EON Consulting, Xact Data Discovery and Bulletproof Networks for working with us as we ironed out the various issues with the beta of this release.
Posted by Dana Epp at 02:09 PM
March 12, 2008
Deprecation of Firewall Dashboard
For those of our customers that use Firewall Dashboard (FWDB) for their firewall analytics, we would like to announce that we will be deprecating the product. As of March 30th 2008, you will no longer be able to download FWDB or purchase it from our online store. Existing customers will be able to continue to get full support for the length of their subscription. Customers with unused subscriptions will still be able to activate them within the next twelve months.
Why are we doing this? It is our belief that FWDB has been a great product for providing analytics for external firewall access for common firewalls in the SMB space. It can generate graphical reporting on the activities of the external interface of the firewall in the matter of minutes, allowing for human heuristics to focus in on significant events; in many cases it filters down hundreds of thousands of events into isolated incidents of interest. And we have seen many of our customers find network problems, scripted attacks and even a few targeted attacks that were identified... and resolved.
With that said, we have found that the product is aging. The next version of SBS will not include ISA 2004 built in, and we currently do not have support for ISA 2006. Sonicwall has updated their logging format which has caused some difficulties in parsing logs, and many of the firewall vendors that used to support WELF have now either abandoned it or changed their logging significantly. This means we had to either apply developer resources to the product to make it more current, or consider alternatives.
When we consider the number of downloads we continue to receive, we notice that a lot of customers are downloading the product and using it in a trial or expired mode. In other words, the watermarking is not a large enough deterrent to have many customers purchase or renew their subscription. When we consider that in conjunction for the awesome work we are doing on our other products, we have decided that our paying customers would be best served if we focused our business and development resources on AuthAnvil.
We thank all customers that have been so supportive as we made this decision. Many of you have already been contacted by someone in the company about this. We will continue to support the product until all activated subscriptions have fully expired, at which time it will be retired from our systems.
So where do you turn? What will you be able to use after your subscription expires? There are a few vendors out there that are now supporting both external and internal reporting. Of course, these are considerably more expensive than FWDB and may or may not be as easy to use. If you are a vendor of such a product for the SMB space, please let us know. We would be happy to introduce our community of FWDB users to your product if it can meet their needs.
Posted by Dana Epp at 12:18 PM
March 11, 2008
New version of the AuthAnvil Web Logon Agent released
For those customers who are deploying strong authentication with AuthAnvil to their IIS 6 web servers, today we have released a new version of the AuthAnvil Web Logon Agent which adds new functionality to allow you to protect complete Web Sites, and not just Virtual Directories. We have also made it possible to edit the logon page to allow you to add your own corporate brand, graphics and content if you wish.
This new architecture is a prelude to our upcoming integrated Sharepoint support. You can download the latest version of the agent from our Upgrade and Update Center.
Posted by Dana Epp at 09:30 AM
March 03, 2008
New version of the AuthAnvil Windows Logon Agent released
For those customers who are deploying strong authentication with AuthAnvil to their Windows XP workstations and Windows Server 2003 servers, today we have released a new version of the AuthAnvil Windows Logon Agent which addresses the following issues:
- Case 432: The agent now honours the group policy setting to "Not show last logged on user"
- Case 622: The agent has been fixed to allow "locked" workstations where the user is part of the override group to actually log in without their passcode.
- Case 633: The agent honours debugging and diagnostics flags, removing the unnecessary warnings in the eventlog every 2 minutes on some machines
You can download the latest version of the agent from our Upgrade and Update Center.
Posted by Dana Epp at 10:25 AM
February 11, 2008
AuthAnvil v1.5 Released
The day has finally arrived! Thank you for your patience.
Scorpion Software is pleased to announce that AuthAnvil v1.5 is now available for download. All current customers should visit the AuthAnvil Upgrade Center for download and upgrade instructions. You will find more information in an email delivered to you earlier today.
So what's new?
For starters, there are plenty of fixes and updates to the core system. There are over 50 usability bugs that have been fixed, ranging from faster communication in the AuthAnvil DCOM Bridge to support for periods in AuthAnvil usernames.
We also include a few new things:
- The new AuthAnvil Web Logon Agent. You can now add strong authentication to web applications using Virtual Directories in IIS6. Look for an update that will also protect complete websites like Sharepoint in the first half of this year.
- The new AuthAnvil RADIUS Server. Microsoft's Internet Authentication Server is toast... as is our IAS extension. With all the problems IAS posed for our premium customers who wished to use it along with Microsoft's ISA server, we have found a better solution which also allows us to now support full MSCHAPv2 VPN.
- More documentation. You asked for it. So it's now on the ISO.
If you have any technical questions or concerns, please visit us at http://www.authanvil.com/gethelp.html.
We wish you a great day!
Sincerely,
Dana Epp
Scorpion Software Corp.
P.S. Be patient with the download speed. As you can imagine, the server is getting hammered right now :-)
Posted by Dana Epp at 05:54 PM
January 19, 2008
How have we made the VPN experience in AuthAnvil better?
There has been some scuttlebutt in the community about a few significant architectural changes in AuthAnvil v1.5. I thought it would be appropriate to talk about them ahead of the release to get you prepared for the upgrade.
The good news is that the changes have been welcomed, at least around here and with our partners who have had a chance to see it. We have made some significant strides to address some real problems exposed by our product in Microsoft's Internet Authentication Service (IAS), and its interaction with Microsoft Small Business Server 2003.
Since the original design of AuthAnvil, we always wanted to work within the Microsoft family of products. We felt it made more sense to leverage Microsoft's RADIUS implementation in IAS rather than write our own. It would save time in both development and testing, and would offer unparalleled implementation opportunities into the existing Microsoft infrastructure.
In v1, our solution was to take advantage of Microsoft's public API to extend their IAS product with a 3rd party extension to add strong authentication support. And it worked quite well. We have a number of customers leveraging RADIUS to provide AuthAnvil two-factor authentication for firewalls, VPN concentrators and even logon support for systems supporting PAM, including Linux and OSX workstations and servers. The problem was that this decision alienated our SBS 2003 Premium customers that are running Microsoft's Internet Security and Acceleration Server (ISA). Microsoft has a known, but undocumented, design flaw in which systems cannot have both ISA and IAS on the same server if you wish to provide 3rd party extensions and still offer VPN support. This meant that none of our SBS customers with ISA could use AuthAnvil without turning off VPN. Not a very practical solution. And Microsoft made it quite clear that they have no intentions of fixing the problem.
What was worse was that within Routing and Remote Access Server (RRAS) Microsoft decided to make design decisions that allowed for the RFC standard Password Authentication Protocol (PAP) to be used for authentication, but did NOT offer the ability to encrypt the actual payload for the VPN client. This meant that you could not use AuthAnvil with Microsoft's Connection Manager or PPTP client without exposing the data to undue risk. This simply wasn't acceptable to us, and we decided we better add support for Microsoft's Challenge Handshake Authentication Protocol (MSCHAP), which addresses this.
After analysis and research we decided MSCHAP simply would not do. Famed cryptanalyst Bruce Schneier has provided a well written and detailed paper on the fragility and weakness of PPTP due to MSCHAP from a protocol perspective. Agreeing with his conclusions, we decided to instead move to Microsoft's more recent work in MSCHAPv2, which overcomes these flaws and adds mutual authentication at the same time. This decision works rather well, as all recent Microsoft operating systems support MSCHAPv2; in Windows Vista MSCHAPv1 is not even supported.
We had originally added MSCHAPv2 support to our IAS extension in hopes to extend our existing product with the new payload encryption support. It was this decision that actually delayed AuthAnvil v1.5 from its original release date. We spent over three months working with Microsoft on various problems and difficulties that we found in this approach. It required an overhaul of the IAS extension, the DCOM Bridge, and AuthAnvil SAS that simply would not work well together. Last month we finally got the intercommunications all working correctly together and we thought we were close to release.
And then it went to testing.
We quickly found another major problem. When IAS is installed on a domain-joined system, it simply will not honour the mutual authentication hash we would provide as part of the strong authentication validation. It seems that the authenticator is built based on the user's domain password, and not able to be overridden by 3rd party extensions as expected. After intense discussion with Microsoft engineers over a period of some time it was found there may be a way to solve this, but that it would take some serious effort by both of our companies.
At that point it had been four months since we started tackling this problem. We were constantly coming across issues with the IAS API and were inadequately equipped in scope and ability to work around things. We had limited some of our client base, and quite frankly were constantly in a waiting mode working with Microsoft on solutions to problems we simply could not control. To top it off, if you have ever worked with IAS policy management, you know that it's extremely ugly when it comes to 3rd party extensions. You actually have to configure it in a way that ALLOWS packets through and HOPE that the extension handles it. If you get more than one extension installed, it is actually possible to expose IAS as an attack vector. We actually saw that on one client's network; a conflicting extension breached the security that AuthAnvil was providing. And this is not something we take lightly here.
If you know me at all, you know I thrive on complex challenges. They provide an opportunity to let us get out of our comfort zone and truly test our abilities and learn from our failures as we explore different solutions to overcome them. This was no exception. My team was constantly challenged with inadequacies in how IAS worked, and it was apparent we were relying too heavily on Microsoft to help us solve it. So I decided that we should take a different approach.
We threw out the IAS extension. That's right. IAS is gone. The very fact you can configure IAS in an insecure state and allow it to become an attack vector was unacceptable to me. As was the fact we could not rely on IAS to honour our RADIUS packet modifications to offer mutual authentication support. And eliminating the need for IAS immediately allowed us to have our clients with ISA back.
The result is the AuthAnvil Radius Server. It is a Windows service written purely in managed code, providing both PAP and MSCHAPv2 support and complete web service support to our AuthAnvil SAS. It natively installs and works on Windows Server 2003, Small Business Server 2003 and Windows Server 2008 and supports both 32bit and 64bit CPUs. It has an amazingly simple configuration wizard making it difficult to misconfigure, and impractical to break. Its support for MSCHAPv2 allows it to 'just work' with Microsoft's Connection Manager and offers strong authentication to any system supporting RFC compliant RADIUS clients. We have architected it to use 128bit RC4 encryption for the session keys, providing the highest level of encryption support available in standard PPTP clients. And it provides full mutual authentication between both the client and the server during its session.
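The two properties the post keeps returning to, that the password itself never crosses the wire and that the client checks a server-side authenticator before trusting the server, are easiest to see as a full exchange with both sides' messages. The following is an added example, not Scorpion Software's code and not MSCHAPv2 itself: RFC 2759 builds its responses from an MD4 password hash and DES, which the Python standard library does not provide, so this model keeps the MSCHAPv2 message flow (server challenge, peer challenge plus response, authenticator response) but swaps in HMAC-SHA256 for the primitives. Users, passwords and the domain-separation labels are constructed. The last class models the failure described above for IAS on a domain-joined host: a server whose authenticator is derived from a credential the client does not share is rejected by the client even though it accepted the logon.

```python
"""Mutual challenge-response exchange illustrating what MSCHAPv2 adds over
PAP: the password never crosses the wire, and the client verifies a server
authenticator response before trusting the server.

Added example, not Scorpion Software's code and not MSCHAPv2 itself: the
real protocol (RFC 2759) uses an MD4 password hash and DES-based responses;
this model keeps the message flow but uses HMAC-SHA256 so it runs on the
standard library. Users, passwords and labels are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def derive_verifier(password: str) -> bytes:
    """Stand-in for the stored password hash (the NT hash in MSCHAPv2)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def peer_response(verifier: bytes, auth_chal: bytes, peer_chal: bytes, user: str) -> bytes:
    """Client proof: keyed by the password hash, binds both challenges and the username."""
    msg = b"peer|" + auth_chal + peer_chal + user.encode("utf-8")
    return hmac.new(verifier, msg, hashlib.sha256).digest()


def server_authenticator(verifier: bytes, response: bytes, peer_chal: bytes, auth_chal: bytes) -> bytes:
    """Server proof returned in Success: only a party holding the hash can build it."""
    msg = b"server|" + response + peer_chal + auth_chal
    return hmac.new(verifier, msg, hashlib.sha256).digest()


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.verifier = derive_verifier(password)   # password is hashed, never sent

    def respond(self, auth_chal: bytes) -> Tuple[bytes, bytes]:
        self.auth_chal = auth_chal
        self.peer_chal = os.urandom(16)
        self.response = peer_response(self.verifier, auth_chal, self.peer_chal, self.user)
        return self.peer_chal, self.response

    def verify_server(self, authenticator: Optional[bytes]) -> bool:
        """Mutual part: reject Success unless the server proved it holds the hash."""
        if authenticator is None:
            return False
        expected = server_authenticator(self.verifier, self.response, self.peer_chal, self.auth_chal)
        return hmac.compare_digest(expected, authenticator)


class Server:
    def __init__(self, verifiers: Dict[str, bytes]):
        self.verifiers = verifiers

    def challenge(self) -> bytes:
        self.auth_chal = os.urandom(16)
        return self.auth_chal

    def check(self, user: str, peer_chal: bytes, response: bytes) -> Optional[bytes]:
        """Return the authenticator response on success, None on failure."""
        verifier = self.verifiers.get(user)
        if verifier is None:
            return None
        expected = peer_response(verifier, self.auth_chal, peer_chal, user)
        if not hmac.compare_digest(expected, response):
            return None
        return server_authenticator(verifier, response, peer_chal, self.auth_chal)


class MismatchedServer(Server):
    """Models the IAS problem above: accepts the logon but builds its
    authenticator from a credential the client does not share."""
    def check(self, user: str, peer_chal: bytes, response: bytes) -> Optional[bytes]:
        other = derive_verifier("constructed-unrelated-secret")
        return server_authenticator(other, response, peer_chal, self.auth_chal)


def run_exchange(client: Client, server: Server) -> Tuple[bool, bool]:
    """Returns (server accepted client, client trusts server)."""
    auth_chal = server.challenge()
    peer_chal, response = client.respond(auth_chal)
    authenticator = server.check(client.user, peer_chal, response)
    return authenticator is not None, client.verify_server(authenticator)


if __name__ == "__main__":
    store = {"alice": derive_verifier("correct horse battery")}
    print(run_exchange(Client("alice", "correct horse battery"), Server(store)))   # (True, True)
    print(run_exchange(Client("alice", "wrong"), Server(store)))                   # (False, False)
    print(run_exchange(Client("alice", "correct horse battery"), MismatchedServer(store)))  # (True, False)
```

The session-key side of the design (the 128-bit RC4 keys the post mentions for PPTP) is not modelled here; in the real protocol those keys are derived from the same password hash and response, which is why a server that cannot reproduce the authenticator cannot produce matching keys either.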
We are very excited about this solution. It completely bypasses any reliance on Microsoft to fix their IAS server and allows us to focus on delivering strong authentication solutions to all of our customers. It has been a long few months, and we thank everyone for their positive support as we conquered these challenges. We hope you will enjoy the new update!
Posted by Dana Epp at 06:15 PM
December 11, 2007
AuthAnvil Multi-Site Administration Configuration Guide now available!
For those customers who are wanting to use AuthAnvil to provide strong authentication for multi-site administration, today we have released the first draft of the AuthAnvil Multi-Site Administration Configuration Guide.
It provides detailed instructions on how to configure AuthAnvil across multiple client sites, and authenticate back to your main office AuthAnvil SAS. It even includes instructions on where to configure grouped users and proxied delegation across networks.
You can download this document directly from the AuthAnvil Content Library here.
If you have any comments or feedback on this draft, please feel free to email Amber Walsh at amber@scorpionsoft.com. We appreciate any and all feedback on this working document.
Posted by Dana Epp at 03:37 PM
December 07, 2007
When is AuthAnvil v1.5 going to be released?
Recently we have been getting a bunch of emails from customers wondering when the much anticipated v1.5 will be out. We had stated that it was to come out at the end of November, and that date has slipped a bit.
I could sit and give you excuses, but the honest truth is that we have been overwhelmed. New dev and tech staff, combined with a few forward-looking security-related design changes, have had us reset the RC release testing three times. The good news is that the release is much more mature than expected, in that many of our v2 architecture changes are now included, which makes the next major release much closer than you think.
So when will it be available? When it's ready. Nice quick answer, but not very descriptive. The real answer is that once we can ensure the deployment of the new agents in no way impedes the existing deployments, we will be prepared to put it in the Customer Upgrade Center. I would like to say "any day now", but that will just get me in trouble.
This is a typical software vendor struggle. We need to make sure it installs and functions as best as we can for all our customers across many platforms, which is no easy task. Joel Spolsky of 'Joel on Software' fame has an excellent article on the type of issues faced when building commercial software in this way. It's a great read, and worth the time investment. Might be a good thing to do while waiting for the ISO to get to the Upgrade Center. :-)
Posted by Dana Epp at 05:43 PM
November 16, 2007
AuthAnvil Windows Logon Agent Implementation Guide now available!
For those customers who are deploying strong authentication with AuthAnvil to their Windows XP workstations and Windows Server 2003 servers, today we have released the first draft of the AuthAnvil Windows Logon Agent Implementation Guide.
It provides detailed instructions on how to install, configure and uninstall the agent in a Windows desktop or server environment. It even includes instructions on how to manage the Active Directory Security Groups and AuthAnvil Override passwords in those scenarios where certain users may not require an authentication token.
You can download this document directly from the AuthAnvil Content Library here.
If you have any comments or feedback on this draft, please feel free to email Amber Walsh at amber@scorpionsoft.com. We appreciate any and all feedback on this working document.
Posted by Dana Epp at 05:38 PM
September 10, 2007
AuthAnvil + RWW-Guard special expiring at the end of the week!
Last week one of our customers contacted me to let me know how pleased they were that AuthAnvil and RWW-Guard have already paid for themselves. Using AuthAnvil and RWW-Guard together, they were able to detect and prevent remote access by an ex-employee trying to log on to their network.
We had another customer who was able to, for the first time, assure the identity of a remote IT consultant who was logging in to update a server. I was pleased to hear that they now require the consultant to use their token when they log in.
Now is a good time to purchase RWW-Guard and AuthAnvil together to get the same protection and identity assurance levels. On September 15th, 2007, the RWW-Guard special in our AuthAnvil Online Store will end. Take advantage of the $100 price before then and save $150 off of the introductory price when purchasing RWW-Guard with your AuthAnvil order.

Posted by Dana Epp at 12:16 PM
August 15, 2007
AuthAnvil Community Release Party
I always love hanging out with people in the SBS community. I think it's time for a party!
For those that don't know, the annual SMB Nation conference is coming up at the end of next month at Microsoft. I do hope you will be attending. If you are, PLEASE consider this a personal invitation to come by and see me. I have actually arranged with SMB Nation to get one of the presentation rooms on the morning of September 30th (the second day) to hold an "AuthAnvil Community Release Party", and I would love to have you there. Please feel free to spread the word and encourage others to drop by with you.
So what's going to happen that early in the morning anyway? Who knows. The time will be spent thanking the SBS community for your support and feedback during the development and deployment of AuthAnvil. We will do some demoing of how it works for those who don't already know... and we will have a good time in an open floor discussion about strong two-factor authentication. And of course there will be prizes, gifts and gags. I might even be able to persuade Karl Palachuk to tell some of his (in)famous jokes. (Prepare yourself by checking out his blog at http://www.rfsblog.com/blog/) Of course, I will also be doing an official "Microsoft Security MVP" talk on mitigating business risk in a remotely accessible world later in the morning in a different room. Come join me there too.
It should be a lot of fun. I do hope you will come join me!
Posted by Dana Epp at 12:12 PM
August 03, 2007
AuthAnvil v1.2 now shipping!
A few months ago all customers of AuthAnvil were alerted that the new v1.2 was delayed, and that, when released, it would require a major upgrade. This isn't something we take lightly; a major architectural change that affects the security and safety of the system was completed and needed thorough testing.
That testing is now done, and we have guidance on the process of upgrading for all our customers. All customers will have already received an email with this information on how to visit our Upgrade Center.
So, for those that are curious, what changed... and why?
In the original design of AuthAnvil we securely stored user PINs as a one-way hash. This prevented even administrators of the system from knowing user PINs, as they were not recoverable. This worked well and met all our requirements during threat modeling. The problem was that when we looked to add MSCHAPv2 support for VPN, we couldn't. Microsoft's implementation requires that we build a one-way hash based on the PIN, OTP and other computer-related information. Not knowing the PIN simply meant we couldn't do it... which wasn't acceptable and prevented us from adding this support. So to address this, we were forced to change the design of AuthAnvil to support column-level encryption within SQL 2005 and store the PIN using AES encryption. This safely secures the PIN in AuthAnvil, but allows the system to recover the PIN when needed to generate an MSCHAPv2 hash.
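To make the trade-off concrete, here is an added illustration (not AuthAnvil's code) of why a one-way PIN hash is enough for PAP but not for MS-CHAPv2: MS-CHAPv2 (RFC 2759) verifies the client's NT-Response using MD4(UTF-16LE(password)), and with PIN+OTP as the password the OTP changes every logon, so the server needs the PIN itself at authentication time. The PBKDF2 record stands in for the original hashed column, a plain dict stands in for the AES-encrypted SQL column, and the user names and PINs are constructed sample values.

```python
# Added illustration, not AuthAnvil's own code. The PBKDF2 one-way hash stands in for
# the original hashed PIN column; the dict stands in for the AES-encrypted SQL column.
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL builds frequently disable md4 in hashlib."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + (8 * len(data)).to_bytes(8, "little")
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: message words in order
            a, d, c, b = d, c, b, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, d, c, b = d, c, b, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))


# Original design: the PIN is kept only as a salted one-way hash. PAP delivers the
# PIN+OTP passcode in the clear, so the server can split off the PIN and verify it.
def store_pin_hashed(pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)}


def verify_pap(record: dict, pin: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], 100_000)
    return hmac.compare_digest(cand, record["hash"])


# v1.2 design: the PIN is recoverable by the server (the post's AES column-level
# encryption; simulated by a dict so the example runs without a database or crypto lib).
_PIN_COLUMN = {}


def store_pin_recoverable(user: str, pin: str) -> None:
    _PIN_COLUMN[user] = pin  # real system: AES ciphertext in the SQL 2005 column


def mschapv2_nt_hash(user: str, otp: str) -> bytes:
    """NtPasswordHash = MD4(UTF-16LE(PIN+OTP)); the OTP changes each logon, so this
    cannot be precomputed from a one-way PIN hash, only from the recovered PIN."""
    pin = _PIN_COLUMN[user]  # the decrypt step in the real design
    return md4((pin + otp).encode("utf-16-le"))
```

The hashed record can answer a PAP check but can never yield the MD4 value MS-CHAPv2 needs, which is exactly the constraint that forced the v1.2 storage change.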
So how does this affect our customers? Well, all AuthAnvil systems will LOSE the original user PIN hashes on upgrade. We have no choice in this... we have no way to recover the original PINs... as per design. To address the administrative concerns on managing new PINs for users, we have added a new web app to allow users to change their own PIN. This will automatically be installed during upgrade.
We do appreciate your patience while we re-architected this change. This is NOT a normal process we go through, and the delays we had in this release are not typical. Thanks for understanding as we made sure we did this right.
So what now? Well... feel free to upgrade your systems to AuthAnvil v1.2. In the next month or so we will be releasing an update to the "AuthAnvil IAS RADIUS Agent" which will include the final bits for the MSCHAPv2 support. The good news is that your deployment of AuthAnvil v1.2 already has the backend support... so there will be no major changes needed there. Just the agent will need to be reinstalled.
If you have any questions or concerns, please feel free to contact us. If you have any difficulties during the upgrade, please open a new support case at the Online Customer Service and Support Center and we will make sure we get you through a successful upgrade.
Posted by Dana Epp at 11:41 AM
May 21, 2007
Delay in the release of AuthAnvil v1.2
Hey guys,
I just wanted to reach out and let everyone know that this week's release of AuthAnvil v1.2 has been pushed back. Our expected new release date is a couple of weeks off.
We recently found a problem with our interaction with RRAS and IAS (RADIUS) which we have to fix before the next release. This fix forced us to modify how we securely store user PINs in our database, and will now require a major update for all our customers in the field. We need to resend the ISO to testing with the new fix, and will need to create a new upgrade path for all existing AuthAnvil clients who want to use MSCHAPv2 in their VPN tunnels.
Thank you for your patience as we send AuthAnvil back for another round of testing. I will send another update out when we are ready to ship the new ISO!
Posted by Dana Epp at 10:27 AM
February 12, 2007
RWW-Guard v1.1 released!
Version 1.1 is now available for download.
This is an exciting release, as it now has native support for AuthAnvil! Why is this important? SBSers have no need to install RADIUS support to get this working with their AuthAnvil installations on SBS 2003!
We have also added a few more goodies. When using AuthAnvil as the strong authentication system, you can force the Administrator (aka the 500 account) to authenticate against a DIFFERENT AuthAnvil server. This way, businesses that are managing multiple SBS boxes in the field can manage all of the administrative logons from a central IT server. If a tech leaves, you can simply revoke his token, which drops his access from ALL remote RWW logons at the same time! Meanwhile, the local business users are still managed and authenticated by their own AuthAnvil server, helping to prevent a single point of failure for all your SBS networks if your office is down.
And last, but definitely not least... we have given you the ability to determine if you wish to allow alternate account "Impersonation". Until this release, it was possible for someone to use their username and token to authenticate to someone else's account, which was by design. However, if you don't like this, you can now disable Impersonation support in the RWW-Guard Manager and FORCE the Active Directory username and strong authentication username to be the same thing.
If you haven't had a chance, check it out. Along with AuthAnvil we now have a complete strong authentication solution for SBS that is second to none!
Posted by Dana Epp at 01:14 PM
January 01, 2007
New update for Firewall Dashboard available!
A new update is available for Firewall Dashboard. This update includes:
- Fixed the 'expiry' issue with the console application
- Added the ability to filter by time by right-clicking the time column in the Firewall Events view
- Added the ability to filter FOR or IGNORE by Source IP by right-clicking the Src IP column in the Firewall Events view
- Various small bug fixes
The filtering is getting very powerful. We are seeing the ability to review a graphical threat assessment in a daily email and then filter hundreds of thousands of events down to a handful with just a few clicks. Try it and see for yourself!
Just download the zip, and copy over your old fw-board.dll. This will typically be located in %PROGRAMFILES%\Scorpion Software\Firewall Dashboard.
Posted by Dana Epp at 12:54 PM
Happy New Year! Did your FWDB expire too?
If you are a Firewall Dashboard customer you may have noticed that this morning your Firewall Dashboard console says that your product has expired. What a nice New Year's gift!
Apologies for that. It appears that a time-out sentry put in during the beta was set to end on January 1st, 2007. We will need to update that so that you can continue to use the product. There should be an update zip in the download area of our website in the next few hours to address this. You will not have to activate the product or do anything special in the database. You will just need to overwrite a few DLLs.
Have a happy and prosperous new year!
Posted by Dana Epp at 11:40 AM
October 30, 2006
No BONES about it, the RWW-Guard special is almost up.
No BONES about it! The RWW-Guard special is almost up. Act now!
At the stroke of midnight tomorrow night, the RWW-Guard admin pack special will end. Take advantage of the $100/unit price (when buying the 10 unit subscription admin pack) before then and save 50% off of the introductory price.
Not yet convinced that now is the time to buy? Maybe this will help. Past the admin pack special that expires tomorrow night, the introductory pricing will end November 15th. At that time the current pricing will expire and RWW-Guard will be sold at the MSRP of $250. That means if you buy now you will SAVE over $150 off of a single license! You know how much candy that can buy your children? Oh wait... forget that... we probably don't want them on a sugar high.
All silliness aside. We do hope you will take advantage of this offer and use the promo code of "rwwadmin" at our Online Company Store and save.
And we hope you will have a safe Halloween.
Posted by Dana Epp at 12:05 PM
October 16, 2006
Trick AND Treat for your SBS boxes
Trick AND Treat for your SBS boxes.
Hey... Halloween is quickly approaching. Chances are, you may think you are too old to "trick or treat". Then again, we are all kids at heart. Who says you shouldn't be allowed to get the tricks AND the treats???
- Trick: Did you know you can use RWW-Guard to limit administrative access to remote SBS servers, in an effort to better protect your clients from unauthorized access? You can even limit the impact of employees who may leave your company and know your clients' admin passwords by simply revoking their authentication token from your central strong authentication system (SAS). They won't be able to log on to RWW, even if they DO know the password, without having a valid token! If you administer a lot of SBS servers, you can quickly see how beneficial this could be to your business.
- Treat: Until the stroke of midnight on Halloween you can use the promo code of "rwwadmin" at our Online Company Store and receive 50% off of the introductory pricing when you buy more than 10 individual licenses of RWW-Guard. Buy Now.
Have a safe Halloween!
Posted by Dana Epp at 01:18 PM