
CyberSolve

Utilizing a YubiKey to pass a UAC

What is a YubiKey?

A YubiKey is a small hardware authenticator that adds a second factor when logging in to online accounts or systems. Depending on the model, a YubiKey supports several credential types that can be used to protect logins: Yubico OTP, FIDO2/WebAuthn, FIDO U2F, OpenPGP and PIV smart card authentication (key-based cryptography performed on the device), and, on the YubiKey Bio series, fingerprint biometrics. Keys ship in USB-A and USB-C form factors (some models add NFC or Lightning), so there is an option for most hardware. The reason a YubiKey can get a password into a UAC prompt is that it presents itself to Windows as a USB HID keyboard: when you touch it, it sends keystrokes, not clipboard contents.


What is a UAC?

UAC (User Account Control) is a Windows security feature that requires elevation before an app or task can run with administrator rights. For a standard user this means a credential prompt: an account with administrative rights has to enter its username and password before the task runs or the application installs (an administrator who is already logged on gets a consent prompt instead). By default the prompt is displayed on the Secure Desktop, an isolated desktop that is cut off from the interactive session, including its clipboard, so Ctrl+V does not paste a stored credential into a UAC prompt. This behaviour is controlled by the policy "User Account Control: Switch to the secure desktop when prompting for elevation" (the PromptOnSecureDesktop value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). Turning it off would bring pasting back, but the Secure Desktop exists precisely so that other processes in the user's session cannot read, spoof or drive the prompt, so disabling it is the wrong fix.


What’s the issue?

Service Desk employees elevate endpoints constantly and hit UAC prompts many times a day. The passwords of Service Desk privileged (admin) accounts should always be complex and rotated daily, and a PAM tool should be in place to enforce both the complexity requirements and the daily rotation for every privileged account. The pushback begins when that policy cripples a Service Desk employee's efficiency: because of the default Windows security configuration, they have to type their password into a UAC prompt for each user they assist, and daily rotation combined with complexity means they cannot memorise it. Without the clipboard, every prompt costs 1 to 2 minutes of typing a long, complex password, and that is assuming it is not mistyped. The YubiKey is one of several ways to remove that friction, keep the Service Desk working at full speed, and still keep the privileged accounts secure.


YubiKey Prerequisites:

The use case covered here needs a few prerequisites for the concept to work properly and, more importantly, safely. A PAM tool must already be in place with specific security settings enforced on the secret. I use Delinea Secret Server as the PAM tool below and lay out the required configuration of the Secret Policy and the Secret Template. The YubiKey Personalization Tool is then used to write the password onto the YubiKey.

Secret Policy

The Secret Policy must enforce Check Out, Change Password on Check In (rotate on check-in), Heartbeat, and Auto RPC (remote password changing). There are many other security options you can enforce on the secret, but these four are absolutely required for this concept to be secure: they guarantee that the key only ever holds a password that is valid for a single checkout window, and that Secret Server rotates it as soon as the secret is checked back in, so a lost or borrowed key does not carry a lasting credential. You are required to set the Checkout period to 8 hours at most; shorter checkout times are preferred.

Secret Template

The Secret Template is where we configure the Password Requirements, Character Sets, and Template Expiration. I like to set the secret to expire on template expiration, with the password rotating when it expires. Since the password already changes on check-in, the template expiration is up to you, but I recommend thirty days or less. Configure the password requirements to be as complex as possible: uppercase, lowercase, numbers and symbols, with a minimum of 2 of each. Keep in mind that the YubiKey static password is limited to 38 characters, so cap the maximum length in the password requirement at 38 or less; a longer generated password will simply be cut off on the key. Also keep the character set to characters that the keyboard layout you will select in the Personalization Tool can type (plain US-ASCII letters, digits and punctuation); the key emits keyboard scan codes, so a character outside the layout cannot be typed correctly.

YubiKey Personalization Tool

This is a free application that can be downloaded from the Yubico website. The YubiKey PT tool offers many security options, but the one we configure today is the Static Password. Keep in mind that this option should only be used when you have a PAM tool configured and very strict security settings enforced on the secret. A static password on the key is no exception to that rule, but if you configure the Secret Policy and Secret Template as described above, you are good to proceed. Of course, you must have a YubiKey on hand! Note that Yubico now points users to YubiKey Manager (ykman) rather than the Personalization Tool; ykman writes the same static-password slot with `ykman otp static`, so the steps below apply to either tool.

This tool works on all Yubico devices except the FIDO U2F Security Key, the Security Key by Yubico, and the Security Key NFC by Yubico.

Link to YubiKey Personalization Tool:
https://www.yubico.com/support/download/yubikey-personalization-tools/


How to configure a YubiKey with a Secret:

Once all prerequisites have been confirmed, check out the secret, copy its password from Secret Server, and paste it into the YubiKey. Open the YubiKey Personalization Tool, click the Static Password tab and choose the configuration slot you want to write. You must select a keyboard layout before the password field becomes available; pick the layout that matches the Windows keyboard layout of the machines the key will be used on, otherwise the key will type different characters than you expect. Paste the password into the password field and click Write Configuration.

If you wrote configuration slot 1, a short touch of the YubiKey types the password. Configuration slot 2 works the same way, except that you hold the touch for about 2.5 seconds (a long touch). Click into the password field of the UAC prompt, enter the account name if it is not already filled in, and touch the key: the YubiKey types the password as keystrokes and the Secure Desktop accepts it like any other keyboard input. If the tool's Settings tab is configured to append Enter to the output, the prompt is submitted the moment the key finishes typing, so disable that if you want to check the field first. Remember that the key is now a bearer credential for the rest of the checkout window: keep it on your person, and after the secret is checked in (or the checkout expires) Secret Server rotates the password, so the key has to be rewritten at the next checkout.
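The script below is an added example written for this article; it is not CyberSolve's, Delinea's or Yubico's code. It turns the Secret Policy and Secret Template requirements from the prerequisites section into pre-flight checks on a checked-out password (the policy key names are this example's own, not Secret Server's setting names), then builds the YubiKey Manager command that programs the static-password slot as the ykman alternative to the Personalization Tool. Assumptions beyond the article: the set of characters a US layout can type, a 20-character minimum length, the constructed sample policies and password, and the ykman flags, which are those of yubikey-manager 5.x (confirm with `ykman otp static --help`). The ykman call is a dry run unless `execute=True` is passed.

```python
"""Pre-flight checks for the YubiKey static-password workflow (added example,
not CyberSolve's, Delinea's or Yubico's code). Policy/template key names are this
script's own; ykman flags are yubikey-manager 5.x (see `ykman otp static --help`)."""
import string
import subprocess
from typing import Dict, List, Sequence

YUBIKEY_STATIC_MAX_LEN = 38   # static-password limit stated in the article
MAX_CHECKOUT_HOURS = 8        # Secret Policy ceiling the article requires

# Assumption: with the US layout the key can emit every printable ASCII character
# except space. Check ykman's scan-code table before trusting this for other layouts.
US_TYPEABLE = set(string.ascii_letters + string.digits + string.punctuation)

# Secret Policy settings that must be on (names are this example's, not Secret Server's).
REQUIRED_POLICY_FLAGS = ("checkout_enabled", "change_password_on_checkin",
                         "heartbeat_enabled", "auto_rpc_enabled")

# Constructed sample policies: the first is what the article forbids, the second what it requires.
WEAK_POLICY = {
    "checkout_enabled": True,
    "checkout_interval_hours": 24,        # longer than 8 h: the key stays valid all day
    "change_password_on_checkin": False,  # password survives check-in, so a lost key stays live
    "heartbeat_enabled": True,
    "auto_rpc_enabled": True,
}
HARDENED_POLICY = {**WEAK_POLICY, "checkout_interval_hours": 4, "change_password_on_checkin": True}

# Constructed sample password: 22 characters, at least 2 of each class, all US-typeable.
GOOD_PASSWORD = "Kq7#vT9$mR2!pL4&wZ8@xC"


def policy_violations(policy: Dict[str, object]) -> List[str]:
    """Ways a Secret Policy falls short of the article's requirements; empty if it is fine."""
    problems = [f"{flag} must be True" for flag in REQUIRED_POLICY_FLAGS
                if policy.get(flag) is not True]
    hours = policy.get("checkout_interval_hours")
    if not isinstance(hours, (int, float)) or not 0 < hours <= MAX_CHECKOUT_HOURS:
        problems.append(f"checkout_interval_hours must be > 0 and <= {MAX_CHECKOUT_HOURS}")
    return problems


def password_violations(password: str, min_length: int = 20, typeable=US_TYPEABLE) -> List[str]:
    """Check a checked-out password against the template rules (>= 2 of each class) and the
    YubiKey constraints (38 chars max, only characters the layout can type).
    min_length=20 is this example's assumption; the article only says 'as complex as possible'."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > YUBIKEY_STATIC_MAX_LEN:
        problems.append(f"longer than the {YUBIKEY_STATIC_MAX_LEN}-character YubiKey limit")
    untypeable = sorted({c for c in password if c not in typeable})
    if untypeable:
        problems.append("layout cannot type: " + "".join(untypeable))
    counts = {
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "digit": sum(c in string.digits for c in password),
        "symbol": sum(c in string.punctuation for c in password),
    }
    problems += [f"needs at least 2 {name} characters, has {n}" for name, n in counts.items() if n < 2]
    return problems


def build_ykman_argv(password: str, slot: int = 1, layout: str = "US",
                     append_enter: bool = False) -> List[str]:
    """ykman command writing a static password to an OTP slot (1 = short touch, 2 = long touch).
    --no-enter stops the key from submitting the UAC prompt before the operator checks the field."""
    if slot not in (1, 2):
        raise ValueError("YubiKey OTP slots are 1 (short touch) and 2 (long touch)")
    argv = ["ykman", "otp", "static", "--keyboard-layout", layout, "--force"]
    if not append_enter:
        argv.append("--no-enter")
    return argv + [str(slot), password]


def redact(argv: Sequence[str], password: str) -> List[str]:
    """Copy of argv that is safe to log: the password is replaced by a placeholder."""
    return ["<password>" if arg == password else arg for arg in argv]


def program_slot(password: str, slot: int = 1, layout: str = "US", execute: bool = False) -> List[str]:
    """Validate, then optionally program the key. Returns the redacted command that was/would be run."""
    problems = password_violations(password)
    if problems:
        raise ValueError("refusing to program the key: " + "; ".join(problems))
    argv = build_ykman_argv(password, slot, layout)
    if execute:  # needs ykman on PATH and a YubiKey plugged in
        subprocess.run(argv, check=True)
    return redact(argv, password)


if __name__ == "__main__":
    print("weak policy:", policy_violations(WEAK_POLICY))
    print("hardened policy:", policy_violations(HARDENED_POLICY))
    print("dry run:", " ".join(program_slot(GOOD_PASSWORD)))
```

Two design points. The password is passed to ykman as an argument, which makes it briefly visible in the process list on the workstation; that is tolerable here only because the value is a short-lived checkout password, and `redact` exists so that the password never reaches a log. The checks refuse characters the layout cannot type rather than silently writing them, because a key that types a subtly different password is the most confusing failure mode in this workflow.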


In conclusion, we have covered what a YubiKey is, what UAC is, reviewed a Service Desk use case, and shown how the two can be combined today with your PAM solution. As cybersecurity professionals, I believe one of the most important parts of our skill set is securing privileged accounts while keeping end users working at full efficiency. Implementing PAM changes is never a smooth process, and having solutions that make the change easier helps everyone in the business. I hope this solution helps you with current or future projects!

Have a question or comment? Feel free to post below or send it to info@cybersolve.com.
