2ndAuth - Authentication for Shared Accounts
For PCI DSS compliance, as well as other policies and regulations, systems are often required to uniquely identify the individuals accessing the system. This is usually read as requiring individual accounts, and an absence of shared accounts.
For service accounts, though, this is not always feasible - services will often need to be administered and configured by a person logged on to the service account, and then the service will run unaided in the background. For each service, there are normally several administrators and operators who may interact with, and configure, that service.
So we came up with the idea of 2ndAuth - a second authentication step to be applied to shared accounts. That way, you can keep records of who is actually using those shared accounts and when.
Simple in its operation, this program waits for logons whose name matches your chosen criteria (begins with "shared", or contains "svc", for example), and in between the logon and starting up the shell, inserts its own dialog, asking for authentication from a non-shared account. This second authentication is logged in the Windows Event Log, so that an audit will disclose who was logged on for access to the shared account. Also logged are attempts to log on to the shared account where the second authentication was not performed.
We also catch attempts to log on to an existing session, through unlocking the workstation, or through Terminal Server / Remote Desktop.
Newly supported platforms: Windows 7 and Windows Server 2008 R2.
Supported platforms: Windows XP, Windows 2000, Windows Server 2003.