SSO - Please tell me what is wrong with this idea

A quick question about Single Sign On with McAfee Endpoint Encryption.

When using SSO, the user is prompted for the password at the usual Safeboot logon screen. When the logon here is accepted, it will proceed to logon to Windows automatically.

Since we would now be gaining full access to the system with a single logon and password, I have been asked what the difference is between this and using an $Autoboot$ account to bypass the SB logon and simply using the Windows logon as the single point of sign on?

Presumably, the hard drive would still be encrypted, stopping an intruder using a boot CD to grab data from the drive or use the usual Windows password reset tools.

The only thing I can think of is that an intruder could load the machine to the Windows screen, plug in a network connection, and then attempt to exploit Windows vulnerabilities that wouldn't be available using SB as the SSO logon prompt.

I realise this is a bad idea, but I am after some more information on why this is the case so I can explain it to management.

Please can someone advise or point me to what McAfee say about this?

Thanks!

Accepted Solutions

Re: SSO - Please tell me what is wrong with this idea

This thread probably covers it the best.

https://community.mcafee.com/message/108773#108773

5 Replies

Re: SSO - Please tell me what is wrong with this idea

Please research older threads on this forum. This issue has been discussed thoroughly.

Re: SSO - Please tell me what is wrong with this idea

Thanks, I did searches under "SSO" and "Autoboot" but couldn't see anything that looks related from the titles (didn't check inside every thread though). It's difficult to know what terms to search for.

Anyway, I heard back from McAfee on this, in case anyone else is wondering the same thing. They mentioned the option to use other types of tokens as a benefit of using the SB prompt, which sounds like a bit of a cop-out to me as you can use two-factor authentication (etc, etc) with the Windows logon.

Re: SSO - Please tell me what is wrong with this idea

Autoboot tends to work better (more consistently) with the default password. So there's a way to mount the drive and authenticate with the autoboot in place, unless you do it carefully.

Re: SSO - Please tell me what is wrong with this idea

Thanks again, guys - That is really helpful!

I'm going to go with the compliance comments in that earlier thread to justify to management rather than trying to explain the more technical aspects to them.
