We're using Avecto Defendpoint Response Code Generator to generate 'one time-use only' response codes. The response code generator has been made available in Citrix clients and on management servers for IT employees needing the right to generate response codes. However, there's the possibility that the tool is copied and the shared key is handed over to others. Also, when the key is regularly changed, it's easy to spread the new key again within the company and to simply use it again when you've got the tool copied once.
We've come up with the following two proposals to avoid this:
- The best way I could imagine would be specifying an Active Directory security group listing the users who are allowed to use the 'Avecto Defendpoint Response Code Generator'. The tool should first check whether the user is part of a defined AD group and hence is permitted to generate response codes.
The second idea, which would also avoid spreading the shared key, would be
- to predefine the shared key within the tool "Avecto Defendpoint Response Code Generator" without the need to put in the shared key manually. As soon as the key is changed, the 'Avecto Defendpoint Response Code Generator' would also have to be recompiled with the new predefined key, and the tool can be replaced at the communicated locations (like the Citrix environment and management servers). To also avoid copying of the tool, there should also be a way to define the client names where the tool can be run. To also enable use on Citrix, there would be a need to define wildcards for client names.
Both options have the goal of avoiding the spread of the ability to generate response codes within the company.
Thanks guys for looking into that.