Utilizing a YubiKey to pass a UAC
- January 20, 2024
- Posted by: admin
- Category: Blog
What is a YubiKey?
A YubiKey is a small physical device that provides an additional layer of security when logging in to various online accounts or systems. YubiKeys have many layers of security that can be leveraged to secure credentials such as, OTP, FIDO2, FIDO U2F, Cryptography, Biometrics, and Smart Card authentication. The device can connect via USB A and USB C allowing for a wide variety of options based on your needs. The reason that a YubiKey can pass a UAC prompt is because the YubiKey is essentially acting as a keyboard, not a clipboard.
What is a UAC?
UAC(User Account Control) is a windows security tool that requires apps and/or tasks to be run as an elevated account (administrator). This process usually requires a user with an elevated account to enter their credentials to allow the task to run or application to be installed. The Windows Secure Desktop feature will not allow you to utilize the paste clipboard function when trying to paste a stored credential in a UAC prompt.
What’s the issue?
Service Desk employees will be elevating endpoints very often and encounter UAC prompts on a regular basis. Service Desk admin privileged accounts should always be complex and rotating daily! A PAM tool should be implemented to enforce strict password requirements and daily password rotation of all privileged accounts. The pushback begins when a Service Desk employee has their work efficiency crippled due to typing a very long and complex password for each user they assist. The Service Desk employee will have to type their password into a UAC prompt because of the default windows security configurations. The daily password rotation and password complexity prevents the Service Desk employee from memorizing their password. If our Service Desk employee cannot use the paste clipboard function, they will have to spend 1-2 minutes typing a complex password and that’s assuming they don’t mistype the password. The YubiKey is one of many solutions to remediate the Service Desk employee’s frustration and help maintain optimal work efficiency along with keeping privileged accounts secure.
YubiKey Prerequisites:
The specific use case we will cover will require a few prerequisites for the concept to work properly. We should already have a PAM tool configured with very specific security settings being enforced on the secret. I will be using Delinea Secret Server as our PAM tool and will lay out the required configuration of the Secret Policy and Secret Template. We will also be using the YubiKey Personalization Tool to configure the password on the YubiKey.
Secret Policy – The Secret Policy must be enforcing Check Out, Rotate password on Check-in, Heartbeat, and Auto RPC. There are many other security options you can enforce on the secret, but the ones I stated above are absolutely required for this concept to be secure. You are required to set the Checkout period to 8 hours maximum. Shorter Checkout times are preferred.
Secret Template – The Secret Template is where we can configure our Password Requirements, Character Sets, and Template Expiration. I like to set the secret to expire on template expiration with the secret’s password rotating on template expiration. Since we have the password changing on CheckIn, template expiration is up to you, but I recommend thirty days or less. Make sure you configure the password requirements to be as complex as possible requiring uppercase, lowercase, numbers, symbols and special characters requiring a minimum of 2 each. Keep in mind the YubiKey password character limit is 38 characters.
YubiKey Personalization Tool – This is a free application that can be downloaded from the Yubico website. The YubiKey PT tool offers many security options, but the option we will be configuring today is the Static Password. Keep in mind, this option should only be used if you have a PAM tool configured and very strict security settings being enforced on the secret. Static passwords are not an exception, but if you configure the Secret Policy and Secret Template as I described earlier, you are good to proceed! Of course, you must have a YubiKey on hand!
This tool works on all Yubico devices except the FIDO U2F Security Key, the Security Key by Yubico, and the Security Key NFC by Yubico.
Link to YubiKey Personalization Tool:
https://www.yubico.com/support/download/yubikey-personalization-tools/
How to configure a YubiKey with a Secret:
If all prerequisites have been confirmed, you are ready to copy your password from Secret Server and paste the secrets password to the YubiKey. Open the YubiKey Personalization Tool app and click on the Static Password tab. You must select a Keyboard layout to be able to access the password field. Once you have entered a password in the password field, click Write Configuration.
If you have configured slot 1 in the YubiKey PT tool, then you can press your YubiKey and the password will be typed by the YubiKey. Configuration 2 is the same concept, only you hold for 2 seconds to paste configuration 2. You are now ready to paste your password into a UAC prompt utilizing a YubiKey.
In conclusion, we have discussed what a YubiKey is, what a UAC is, reviewed a use case, and how it can be applied today in conjunction with your PAM solution. As cybersecurity professionals, I believe one of the most important aspects of our skill set is to secure privileged accounts while maintaining optimal work efficiency for the end users. Implementing PAM changes is never a smooth process and having solutions to make the change easier will help everyone in the business! I hope this solution helps you with current or future projects!
Have question or comment? Feel free to post below or send to info@cybersolve.com.
Leave a Reply
Contact us at the Consulting WP office nearest to you or submit a business inquiry online.
Todd is a recognized IAM and Cloud industry expert who brings over 20 years of experience in managing, advising, architecting, and deploying IGA, Authentication and Authorization, and Cloud solutions and services across IDaaS, SaaS, IaaS, and PaaS. Todd is a frequent speaker on effective risk and security practices at leading industry events. He is responsible for the oversight of CyberSolve’s business segments and for the development of strategic plans to sustain the company’s rapid growth while providing trusted advice to clients across the security and risk spectrum.
Atul has over 20 years of experience in managing, designing and implementing Customer Relationship Management (CRM) and Salesforce integrations. He has acted as a cloud-focused solutions expert in both domestic and international markets. Prior to founding CyberSolve, Atul was a Technical Consulting Director at Salesforce where he demonstrated his strong experience architecting financial services industry solutions. Atul holds a Bachelor of Engineering from Madan Mohan Malaviya University of Technology.
Shub possesses over 15 years of experience in the Identity and Access Management (IAM) industry in pre-Sales and technology architecture roles. Shubham has held various positions with SailPoint, RSA, Saviynt, and Okta. He has extensive Identity and Access Management industry technology and sales experience in both domestic and international markets as well strong knowledge of how Identity and Access Management satisfies Audit and IT compliance issues. Shub holds a 
Rajesh has served Multi-National Corporations and large organizations as a full time Vice President of Finance, Chief Financial Officer and in equivalent roles. In order to fulfill his duties as a CFO he is a Chartered Accountant, holds a Diploma in Information System Audit (DISA certified by the Institute of Chartered Accountants of India), is a Certified SAP Consultant, Certified QuickBooks Professional Advisor, and Zoho Partner with 30+ years of experience in managing Finance, Accounting and ERP Systems for Medium to Large organizations in diverse sectors.
John is an experienced IT executive with extensive business leadership, operations management, project management, technology delivery and consulting skills who spent over two decades with General Electric where he was responsible for all aspects of their Global PIM program, he was also a key member of the security assurance team for the organizations Capital business. John leads the delivery of client services across the business landscape, to include Privileged Access Management, Managed Services, Identity Governance & Administration, Cybersecurity and Cloud Services.
Luis has been facilitating IAM programs for 20+ years. He was the CRO at Clear Skye, which builds identity governance capabilities on the ServiceNow Platform. His prior experience with services companies that deliver real world identity solutions has made him a trusted resource for information security executives that he has the privilege of advising. Luis assists in the management of our global sales organization, driving revenue growth via direct sales, ensuring our customers have the best plan and solution to ensure their IAM investment achieves the lowest TCO while providing the highest ROI.
Amit brings over 15 years of Identity and Access Management (IAM) experience to the organization. He has a proven track record in providing customers with the best of breed Identity and Access Management solutions. He ensures success within all engagements by staying integrated with the customer throughout the engagement whether it is a program, project or managed services and support. Amit acts as a customer champion at all times to ensure the right solution and resources are in place to achieve the right requirements.
James leads the delivery of client services across the Identity, Access, and Authorization landscape. He has delivered projects across a wide range of products including Okta, Ping, ForgeRock, Oracle, Microsoft, Citrix, Imprivata, Radiant Logic, Axiomatics and many others. With the advent of modern cloud services, James has served as the internal cloud architect and administrator for almost 10 years and uses that experience to help users make the best use of it.
As a veteran of the Identity Governance and Administration (IGA) landscape, Tony’s career has spanned from being a hands-on Architect\Engineer on numerous industry-leading IGA solutions to building and managing industry-leading Professional Services delivery teams. Tony brings that vast knowledge to CyberSolve and the teams under his management. In recent years Tony has been instrumental in the migration away from the legacy on-prem Identity Governance & Administration solutions to modern cost-effective cloud products.
Clark is a Channels, Sales and Marketing executive with 40+ years of experience as a direct seller, Executive and Founder. His experience includes services, software and hardware sales to Commercial, Federal, and State/Local/Education entities across US Domestic and International markets. Within the IAM spectrum, Clark spent over 5 years as SailPoint’s Channel Manager, Federal & Healthcare markets. He has developed and managed Partner relationships and strategies globally, and is known for significantly growing the revenue of his partners by building trusted, profitable relationships and business strategies.