Nuri IT Co., Ltd. (주식회사 누리아이티)

Specialist in fingerprint recognition cards and secondary authentication security software for information assets

BaroPAM solution installation guide for secondary authentication of access control to enhance the security of information assets (Windows)



2021. 2. 10.

1. Preparation before installing BaroPAM

 

To use BaroPAM, the Windows user account you log on with must have a password set; alternatively, the password can be removed temporarily and set again after BaroPAM has been installed.

 

Make sure that you know the correct Windows user account and password, and that the latest Windows updates are installed.

 

To install BaroPAM, you need to know the Windows version and the system type (32-bit or 64-bit). Open Explorer and right-click "This PC"; the following menu appears.

 

 

If you click "Properties" on the screen above, a screen that provides system information such as Windows version and system type appears.

 

 

Check the version and system type of Windows on the screen above, and download the BaroPAM installation module accordingly.

 

The BaroPAM installation module can be downloaded from the following URLs. Note that they are plain HTTP and no checksum is published here, so confirm with the vendor that what you received is the genuine package before running it.

 

http://nuriapp.com/download/baropam_setup_x32.zip ==> Windows 7, 8, 10, 32bit

http://nuriapp.com/download/baropam_setup_x64.zip ==> Windows 7, 8, 10, 64bit
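The checks of this section done from the command line, as an added example that is not part of the vendor's page or package. It requires Windows PowerShell 5.1 or later (Windows 7 ships an older version) and assumes the archive was saved under the user's Downloads folder with the file name from the list above; the hash it prints has to be confirmed with the vendor, since the page publishes none.

```powershell
# Added example (not part of the vendor page): find out which package this host
# needs and inspect the unpacked files before running the installer.
# Assumed: the archive is saved in the Downloads folder under the name listed above.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0} (build {1}), {2}' -f $os.Caption, $os.BuildNumber, $os.OSArchitecture

# Pick the package name that matches the system type shown by "Properties".
$package = if ($os.OSArchitecture -like '64*') { 'baropam_setup_x64.zip' } else { 'baropam_setup_x32.zip' }
"Package for this host: http://nuriapp.com/download/$package"

# The download URLs are plain HTTP, so the archive can be altered in transit and
# no checksum is published. Record the hash of what you received and confirm it
# with the vendor out of band before going further.
$zip = Join-Path $env:USERPROFILE "Downloads\$package"
if (-not (Test-Path $zip)) { throw "Download $package first; expected it at $zip" }
Get-FileHash -Path $zip -Algorithm SHA256 | Format-List Path, Hash

# Unpack next to the archive (-Force overwrites an earlier extraction).
$dir = Join-Path (Split-Path $zip) ([IO.Path]::GetFileNameWithoutExtension($package))
Expand-Archive -Path $zip -DestinationPath $dir -Force

# List every executable and DLL, including hidden ones (-Force), with its hash and
# Authenticode status. Whether the vendor signs its binaries is not stated on the
# page; an unsigned credential-provider DLL is something to raise with them.
Get-ChildItem -Path $dir -Force -Recurse -Include *.exe, *.dll | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File   = $_.Name
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Status = $sig.Status            # Valid / NotSigned / HashMismatch / UnknownError
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
} | Format-Table -AutoSize
```

Keep the printed hashes with your change record: the registry audit later in this guide compares the installed DLL against them.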

 

 

2. BaroPAM installation

 

Move to the directory where the BaroPAM installation module was downloaded and proceed with the installation of BaroPAM in the following order.

 

First, when the compressed BaroPAM installation file (baropam_setup_x64.zip) is uncompressed, the following "baropam_setup_x64" directory is created.

 

 

(If you select "Explorer -> View -> Hidden Items" in the administrator account, hidden files are displayed.)

 

- Installer: pam_baro_setup_x64.exe

- Configuration file: pam_baro_acl.ini, pam_baro_db.ini

- BaroPAM module: baropam_x64.dll

- Logo file: BaroPAM.bmp

- ntp client setting: ntpclient_setup.bat

- OpenSSL module: libssl-1_1-x64.dll, libcrypto-1_1-x64.dll (OpenSSL 1.1.x, a branch that has been out of support since September 2023; ask the vendor about a build on a supported branch)

- Registry file: register.reg, Unregister.reg

- VC Runtime module: vcruntime140.dll

 

Second, to run the BaroPAM installer, right-click the "baropam_setup_x64.exe" file; the following menu appears.

 

 

Third, the installer must run with administrator privileges. Click "Run as administrator" in the menu above; the following "User Account Control" prompt appears.

 

 

Fourth, since BaroPAM installation must be done with an administrator account, you need to click the "Yes" button after checking the contents of the "User Account Control" screen. Then, the "BaroPAM Intro" screen appears.

 

 

If the "BaroPAM Intro" screen does not appear, the Windows Defender SmartScreen screen "Windows protected your PC" may appear instead, as follows, because the installer is not recognized by SmartScreen.

 

 

Clicking the "Don't run" button cancels the installation of BaroPAM.

 

After reading the screen above, click "More info"; the following screen appears.

 

 

Clicking the "Run anyway" button brings up the "BaroPAM Intro" screen; clicking "Don't run" cancels the BaroPAM installation. Click "Run anyway" only if you have verified that the file is the package you obtained from the vendor.

 

Fifth, the "BaroPAM Intro" screen lasts for 3 seconds, and then the "BaroPAM Setup" screen that allows you to set up the BaroPAM environment for Windows appears as follows.

 

 

Limited number of times (1~10 times)

 

Set the limit number (1~10) of one-time authentication keys. If the limit number is not entered or is out of range, the following message appears on the screen.

 

 

Limited time (15~600 sec)

 

Set the time limit (15~600) of the one-time authentication key. If the time limit is not entered or is out of range, the following message appears on the screen.

 

 

The two settings work together: if logon attempts from a remote connection fail the limit number of times within the time limit, the logon screen of that remote session is forcibly closed.

 

Authentication Method

 

The one-time authentication key method is one of app1, app256, app384 or app512 when the BaroPAM smartphone app is the key generator, or one of card1, card256, card384 or card512 when the BaroCARD authentication card is used.

 

Correction time

 

When the authentication method is one of the BaroPAM app methods, enter "0"; when it is one of the BaroCARD methods, enter the correction time of the authentication card, the clock error it tolerates, in seconds (default: 900).

 

Secure key

 

The secure key assigned to each information asset is a mandatory field. Enter the key issued by the vendor on request.

 

If you enter an arbitrary value that the vendor did not issue, or the secure key configured on the information asset differs from the one in the one-time key generator, the generator produces keys the module does not accept and you will not be able to log on to Windows.

 

If you do not enter the secure key or are out of range, the following message appears on the screen.

 

 

Access control list type

 

Select whether the accounts listed in the ACL are to be "Allowed" into secondary authentication (additional authentication) at Windows logon or "Denied" it.

If "Deny" is selected, the user accounts listed in the ACL (pam_baro_acl.ini) are exempt from secondary authentication and every account not listed must pass it.

If "Allow" is selected, secondary authentication applies only to the user accounts listed in the ACL (pam_baro_acl.ini) and every account not listed is exempt. Check the list carefully in both modes: whichever mode you choose, a mistake in it means some accounts log on with the Windows password alone.

 

Prevent man-in-the-middle attacks?

If "Yes" is selected, once a one-time authentication key has been used to log on, no other logon is accepted until the authentication cycle of that key has elapsed, so a key captured in transit cannot be replayed within its validity window. If "No" is selected, logons are accepted at any time regardless of the authentication cycle.

 

Emergency scratch code

 

Up to 5 emergency scratch codes, each an 8-digit number, can be registered for use when the one-time key generator is unavailable or has been lost. A scratch code is deleted automatically once it has been used to log on to Windows, so each code works only once. Treat the codes like passwords: each one bypasses the second factor.

 

Enter the 8-digit emergency scratch code to be added.

Clicking the "Add" button moves the code from the input field into the list. To delete a code, double-click it in the list.

 

If you add more than 5 emergency scratching codes, the following message appears on the screen.
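Scratch codes typed by hand tend to be predictable. The following added example, which is not part of the vendor's page or product, draws the five 8-digit codes from the .NET cryptographic random number generator; paste its output into the "Emergency scratch code" field above and store a copy offline.

```powershell
# Added example (not part of the vendor page): generate emergency scratch codes
# with a CSPRNG. BaroPAM accepts up to 5 codes of exactly 8 digits.

function New-ScratchCode {
    param([int]$Count = 5)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $codes = @()
    # Largest multiple of 10^8 that fits in a UInt32 (42 * 10^8). Values at or
    # above it are rejected so that every 8-digit code is equally likely;
    # taking n % 10^8 directly would bias the low codes.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % 100000000)
    while ($codes.Count -lt $Count) {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
        if ($n -ge $limit) { continue }
        $code = '{0:D8}' -f ($n % 100000000)   # zero-padded to 8 digits
        if ($codes -notcontains $code) { $codes += $code }
    }
    $rng.Dispose()
    return $codes
}

New-ScratchCode
```

The rejection loop discards roughly 2% of draws, which is negligible; what it buys is a uniform distribution over all 100,000,000 possible codes.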

 

 

ACL Username

 

Register the user accounts to which the "Allow" or "Deny" ACL type above applies at Windows logon.

 

Enter the user account to be added.

Clicking the "Add" button moves the account from the input field into the list. To delete an account, double-click it in the list.

 

Working with database

 

To look up user information in a database at Windows logon, click "Working with database" at the bottom; the following screen for the database integration settings appears.

 

 

In the screen above, enter the database name (database name to be linked), user ID (account that can access the database), password (password for the account), and user information SQL statement.

 

SELECT <PHONE_NO> AS PHONE_NO, <CYCLE_TIME> AS CYCLE_TIME FROM <TB_USER_INFO> WHERE <USER_ID> = :USER_ID

 

<PHONE_NO> : Column name with phone number

<CYCLE_TIME> : Column name with one-time authentication key generation cycle

<TB_USER_INFO> : Table holding the user records

<USER_ID> : User-ID to search for user information, which must be the same as Windows Logon-ID.

 

Replace only the bracketed placeholders; the rest of the statement must not be modified. Use a dedicated database account that has read access to this table only, since its password is stored on the workstation with the BaroPAM configuration.

 

After entering the database information, click the "DB Test" button to check that the connection works and that a user record can be queried.

 

If the database integration is successful, a message containing the following user information (user-ID, phone number, creation cycle) appears.

 

 

If the database integration fails, the following message appears, check the database integration information, and then change the integration information.

 

 

Sixth, if you click the "Save" button to save the BaroPAM configuration information, the following message appears.

 

 

Selecting the "Yes" button saves the settings in the "BaroPAM Setup" screen, exits the "BaroPAM Setup" screen, and proceeds with the BaroPAM installation.

 

If you select the "No" button, the settings set in the "BaroPAM Setup" screen are not saved, the "BaroPAM Setup" screen is closed, and the BaroPAM installation work is terminated.

 

Seventh, if you select "Yes" on the screen above, the "Microsoft Visual C++ 2015-2019 Redistributable (x64)-…" setup screen appears as follows. The redistributable is required to run programs built with Microsoft Visual C++ on 32-bit and 64-bit Windows.

 

 

If it is already installed, the following "Microsoft Visual C++ 2015-2019 Redistributable (x64)-…" installation modification screen appears.

 

 

In this case, because it is already installed, click the "Close" button instead of clicking the "Repair or Uninstall" button.

 

Programs built with Visual Studio 2005 or later need the matching Redistributable installed. Without it, the following error appears at Windows logon and BaroPAM is not applied.

 

 

Eighth, check the "MICROSOFT software license terms" in the "Microsoft Visual C++ 2015-2019 Redistributable (x64)-…" installation screen, select "I agree to the license terms and conditions" and click the "Install" button. As shown, the "Setup Progress" screen appears.

 

 

Ninth, when the installation of "Microsoft Visual C++ 2015-2019 Redistributable (x64)-…" is completed normally, the following "Installation Complete" screen appears.

 

 

Tenth, if you click the "Close" button on the screen above, the following "Registry Editor" screen appears to register BaroPAM in the Windows registry.

 

 

Eleventh, if you click the "Yes" button to register the BaroPAM registry after checking the contents of the "Registry Editor" screen, the following "Registry Editor" screen appears.

 

 

If you click the "OK" button on the screen above, the registry registration of BaroPAM is completed.

 

Twelfth, the following message appears after copying the module to the BaroPAM installation directory.

 

 

If you click the "OK" button on the screen above, the installation work of BaroPAM is completed.

 

Note) After installing BaroPAM, do not reboot Windows; lock the session with "Windows+L" and test the new logon screen. Keep a way back into the machine, such as a second administrator session or the safe mode procedure described later in this guide, in case the test logon fails.

 

The details and format of the authentication log logged when logging on to Windows (pam_baro_auth.log) are as follows.

 

1) Logon success

 

Use emergency scratch code

2018.10.14 11:46:02-0537 : BAROPAM-PC : emergency scratch code : User baropam authentication success (local ip=1.234.83.169,remote ip=0.0.0.0)

 

Use one-time authentication key

2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : User baropam authentication success (local ip=1.234.83.169,remote ip=0.0.0.0)

 

 

2) Logon failure

 

Verification failure

2018.10.14 11:46:02-0537 : BAROPAM-PC : emergency scratch code : User baropam authentication failed (local ip = 1.234.83.169,remote ip=0.0.0.0)

2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : User baropam authentication failed (local ip = 1.234.83.169,remote ip=0.0.0.0)

 

No authentication cycle configured for the user

2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no cycle time for user baropam (local ip = 1.234.83.169,remote ip=0.0.0.0)

 

No verification code entered

2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no verification code for user baropam (local ip = 1.234.83.169,remote ip=0.0.0.0)

 

No secure key configured for the user

2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no secure key for user baropam (local ip = 1.234.83.169,remote ip=0.0.0.0)
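The "limit number within the limit time" rule from the setup screen can be applied to this log to find remote sources that are guessing keys. The script below is an added example, not part of the vendor's page or product; the log lines embedded in it are constructed for the example in the format shown above, and the log path and the two limits are assumptions to adjust for your host.

```powershell
# Added example (not part of the vendor page): parse pam_baro_auth.log and list
# the user / remote-IP pairs whose failures hit the configured limit.

$LogPath      = 'C:\baropam\pam_baro_auth.log'   # assumed location
$LimitCount   = 3                                 # "Limited number of times"
$LimitSeconds = 60                                # "Limited time"

# Constructed sample in the line format documented above (used if the log is absent).
$sample = @'
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : User baropam authentication success (local ip=1.234.83.169,remote ip=0.0.0.0)
2018.10.14 11:47:10-0102 : BAROPAM-PC : authentication key : User baropam authentication failed (local ip = 1.234.83.169,remote ip=203.0.113.7)
2018.10.14 11:47:25-0441 : BAROPAM-PC : authentication key : User baropam authentication failed (local ip = 1.234.83.169,remote ip=203.0.113.7)
2018.10.14 11:47:51-0090 : BAROPAM-PC : authentication key : There is no verification code for user baropam (local ip = 1.234.83.169,remote ip=203.0.113.7)
2018.10.14 11:55:00-0001 : BAROPAM-PC : emergency scratch code : User admin authentication success (local ip=1.234.83.169,remote ip=0.0.0.0)
'@

# One pattern covers every line shape shown on this page: success, failure and the
# "There is no ... for user X" diagnostics. Failure lines have spaces around
# "local ip =" and success lines do not, so \s* absorbs both. The four digits
# after the time are not documented here and are skipped.
$pattern = '^(?<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})-\d+ : (?<pc>\S+) : (?<method>[^:]+?) : (?<msg>.+?) \(local ip\s*=\s*(?<lip>[\d.]+),\s*remote ip\s*=\s*(?<rip>[\d.]+)\)$'

$lines  = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample -split "`r?`n" }
$events = foreach ($line in $lines) {
    if ($line -notmatch $pattern) { continue }
    $ts = $Matches.ts; $pc = $Matches.pc; $method = $Matches.method.Trim()
    $msg = $Matches.msg; $rip = $Matches.rip
    $user = if ($msg -match '[Uu]ser (\S+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time     = [datetime]::ParseExact($ts, 'yyyy.MM.dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        Computer = $pc
        Method   = $method
        User     = $user
        Success  = ($msg -like '*authentication success*')
        RemoteIP = $rip
        Message  = $msg
    }
}

# Sliding window per (user, remote IP): if $LimitCount failures fall inside
# $LimitSeconds, BaroPAM would have closed that remote logon screen.
$alerts = foreach ($g in ($events | Where-Object { -not $_.Success } | Group-Object User, RemoteIP)) {
    $fails = @($g.Group | Sort-Object Time)
    for ($i = 0; $i + $LimitCount - 1 -lt $fails.Count; $i++) {
        $span = ($fails[$i + $LimitCount - 1].Time - $fails[$i].Time).TotalSeconds
        if ($span -le $LimitSeconds) {
            [pscustomobject]@{
                User        = $fails[0].User
                RemoteIP    = $fails[0].RemoteIP
                Failures    = $fails.Count
                WindowStart = $fails[$i].Time
                SpanSeconds = $span
            }
            break
        }
    }
}

'{0} events parsed, {1} failures' -f @($events).Count, @($events | Where-Object { -not $_.Success }).Count
$alerts | Format-Table -AutoSize
```

On the constructed sample the three failures from 203.0.113.7 fall within 41 seconds, so that pair is reported; the successful logons are ignored. Scheduling this against the real log file, or forwarding the log to a SIEM with the same rule, turns the lockout setting into an alert rather than only a local reaction.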

 

If the Windows clock differs from the actual time, the one-time authentication key generated by the app or card does not match the one the BaroPAM module computes, and logon fails.

 

Synchronize the system clock with a time server over NTP (Network Time Protocol) from an administrator account, as is done for server and network equipment; on Windows this is handled by the Windows Time service (w32tm), and the package's ntpclient_setup.bat is provided for this setting. (Refer to "1.4 NTP (Network Time Protocol) Settings".)

 

If you can no longer log on to Windows, boot into safe mode as described below, go to the installation module directory, and run the "Unregister.reg" file to remove the BaroPAM entries from the Windows registry. The procedure relies on safe mode presenting the standard Windows logon rather than the BaroPAM one, so the account password alone is enough to get in.

 

1) For Windows 7

 

Safe mode is a mode for diagnosing the operating system, and has many functional limitations, such as using only a minimum of files and drivers for the system. However, thanks to this, it can rather help solve the problem.

 

First, click Start-Run or press "Windows Key+R" to launch the Run window.

 

 

Second, enter "msconfig" in the open field as follows and click the "OK" button.

 

 

Third, select the "Boot" tab and then select "Safe boot" from "Boot Options" as follows.

 

 

There is no need to change other options. Now restarting will boot into safe mode. However, you must deselect this option again after you are finished using it in safe mode.

 

2) For Windows 10

 

In Windows 10, pressing F8 during startup no longer enters safe mode by default, so use the following method instead.

First, open the "Start" menu, click Power, and click "Restart" while holding the Shift key, as follows.

 

 

Second, in the "Choose an option" screen, click the "Troubleshoot" menu as follows to display PC reset or advanced options.

 

 

Third, on the "Troubleshoot" screen, click the "Advanced options" menu as follows.

 

 

Fourth, in the "Advanced options" screen, click the "Startup Settings" menu to change Windows startup behavior as follows.

 

 

Fifth, reboot Windows by clicking the "Restart" button as follows to boot into safe mode in the "Startup Settings" screen.

 

 

Sixth, on the "Startup Settings" screen, press the number key 4 or the function key F4 ("Enable Safe Mode") to boot into safe mode.

 

 

Seventh, log on at the logon screen; the session starts in safe mode.
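The same recovery done from the command line, as an added example that is not part of the vendor's page or package. It is useful when a locked-out host is still reachable through an existing elevated session or a remote shell, and it assumes the package was unpacked to C:\baropam (the path used in register.reg) and that PowerShell runs as administrator.

```powershell
# Added example (not part of the vendor page): command-line equivalent of the
# msconfig / "Startup Settings" procedure above, in two stages separated by a reboot.

$Unregister = 'C:\baropam\Unregister.reg'   # assumed location of the vendor's file
$Clsid      = '{325D6690-E5AC-4570-B15A-19A622571036}'
$Auth       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$BaroPamKeys = @(
    "$Auth\Credential Providers\$Clsid",
    "$Auth\Credential Provider Filters\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
)

# Stage 1 (normal mode): make the next start a Safe Mode start. This writes the
# same BCD value that ticking "Safe boot" in msconfig writes. Not needed if you
# reach Safe Mode through Shift+Restart instead.
function Enable-SafeBoot {
    bcdedit /set '{current}' safeboot minimal | Out-Null
    shutdown.exe /r /t 0
}

# Stage 2 (from the Safe Mode desktop): remove the BaroPAM credential provider,
# verify the keys are gone, then clear the safe-boot flag so the next boot is
# normal. Leaving the flag set keeps the machine booting into Safe Mode.
function Remove-BaroPamLogon {
    reg.exe import $Unregister
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    $left = @($BaroPamKeys | Where-Object { Test-Path $_ })
    if ($left.Count -gt 0) { throw "Still registered: $($left -join '; ')" }
    bcdedit /deletevalue '{current}' safeboot 2>$null | Out-Null
    'BaroPAM unregistered; reboot to return to the standard logon screen.'
}

# Usage, one stage per boot:
#   Enable-SafeBoot        # reboots; log on in Safe Mode with the Windows password
#   Remove-BaroPamLogon    # then: shutdown.exe /r /t 0
```

The verification step matters: if the import silently failed, rebooting would bring the BaroPAM logon screen back and lock you out again. The braces in {current} are quoted because PowerShell would otherwise parse them as a script block.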

 

 

 

3. Windows Logon method

 

When you lock a logged-on Windows session with "Windows+L", or when Windows starts, the BaroPAM logon screen appears as follows; it asks for BaroPAM's one-time authentication key in addition to the Windows username and password.

 

1) Windows 7

 

 

2) Windows 10 (versions after Windows 7)

 

 

Enter the Windows user account (Username), generate a one-time authentication key on the smartphone, enter it in "Verification code" together with the Windows "Password", and click the "->" button or press "Enter". The BaroPAM module verifies the key; only if that verification succeeds does the normal logon policy of the Windows OS proceed.

 

If the BaroPAM verification module rejects the one-time authentication key entered, the following "Error" message appears on the BaroPAM logon screen.

 

 

 

4. Reset the BaroPAM environment

 

If you need to reset the environment after installing BaroPAM, proceed with the resetting of the BaroPAM environment in the following order.

 

First, in the BaroPAM installation module directory, run the following BaroPAM installation program "baropam_setup_x64.exe" file.

 

 

Second, if you run the "baropam_setup_x64.exe" file, the BaroPAM installation program, the "BaroPAM Intro" screen appears as follows.

 

 

Third, after the "BaroPAM Intro" screen lasts for 3 seconds, the "BaroPAM Certification" screen appears, which authenticates to change the environment settings of BaroPAM for Windows as follows.

 

 

Enter the one-time authentication key generated by the BaroPAM app in "Verification code:". If the key is incorrect, "Certification failed. Please re-enter your verification code." is displayed; generate a new key in the BaroPAM app and enter it.

 

 

Fourth, when authentication of the one-time authentication key is completed in the "BaroPAM Certification" screen, the "BaroPAM Setup" screen where you can change the environment settings of BaroPAM for Windows appears as follows.

 

 

The input fields of this "BaroPAM Setup" screen (Limited number of times, Limited time, Authentication Method, Correction time, Secure key, Access control list type, the man-in-the-middle option, Emergency scratch code, ACL Username and Working with database) are the same as those of the installation-time "BaroPAM Setup" screen described in the fifth step of section 2; see there for the meaning and valid range of each field and for the database integration settings. The only difference is that the database integration test button on this screen is labeled "Connection Test" rather than "DB Test".

The functions of the buttons at the bottom of the "BaroPAM Setup" screen are as follows.

 

1) "Save" button

 

When you click the "Save" button, first check the validity of the input items and then proceed to save them in the BaroPAM configuration files (pam_baro_auth.ini, pam_baro_acl.ini).

 

2) "Log View" button

 

Clicking the "Log View" button displays a copy of the authentication log logged when Windows is logged on in the "Windows Notepad" screen as follows.

 

 

Fifth, if you click the "Save" button to save the BaroPAM configuration information, the following message appears.

 

 

Clicking the "OK" button closes the "BaroPAM Setup" screen.

 

Note) After resetting the environment of BaroPAM, do not reboot Windows, but use "Windows+L" to test.

 

3) "Remove" button

 

Clicking the "Remove" button first removes BaroPAM's registry entries and then deletes the BaroPAM installation module, as follows.

 

First, a "User Account Control" prompt asks whether to allow Registry Editor to make changes to the device; click "Yes", and the following "Registry Editor" screen appears.

 

 

Second, after checking the contents of the "Registry Editor" screen, if you click the "Yes" button to remove the BaroPAM registry, the following "Registry Editor" screen appears.

 

 

If you click the "OK" button on the screen above, BaroPAM's registry removal is completed.

 

Third, the following message appears after deleting the module existing in the BaroPAM installation directory.

 

 

If you click the "OK" button on the screen above, the removal of BaroPAM is completed.

 

4) "Cancel" button

 

Clicking the "Cancel" button closes the "BaroPAM Setup" screen.

 

 

5. How to uninstall BaroPAM

 

If the BaroPAM module is no longer needed while BaroPAM is installed, remove it in one of the following ways.

 

1) How to delete the BaroPAM installation module

 

 

Clicking the "Remove" button at the bottom of the "BaroPAM Setup" screen first removes BaroPAM's registry entries and then deletes the BaroPAM installation module. The "User Account Control" and "Registry Editor" prompts and the completion messages are the same as those described for the "Remove" button in section 4; the "BaroPAM Setup" screen is reached by running baropam_setup_x64.exe and passing the "BaroPAM Certification" screen as described there.

 

2) How to remove only BaroPAM's registry files

 

First, execute the following BaroPAM removal registry file "Unregister.reg" in the BaroPAM installation module directory.

 

 

Unregister.reg file)

Windows Registry Editor Version 5.00

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{325D6690-E5AC-4570-B15A-19A622571036}]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{325D6690-E5AC-4570-B15A-19A622571036}]

 

[-HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}\InprocServer32]

 

[-HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}]

 

Second, if you run the "Unregister.reg" file, the BaroPAM removal registry file, the following "User Account Control" screen appears.

 

 

Third, a "User Account Control" prompt asks whether to allow Registry Editor to make changes to the device; click "Yes", and the following "Registry Editor" screen appears.

 

 

Fourth, after checking the contents of the "Registry Editor" screen, click the "Yes" button to remove the BaroPAM registry, and the following "Registry Editor" screen appears.

 

 

If you click the "OK" button on the screen above, BaroPAM's registry removal is completed.

 

Note) After removing BaroPAM, do not reboot Windows, but use "Windows+L" to test.

 

 

6. How to reuse BaroPAM

 

To put the BaroPAM module back into use while it is still installed (for example after only its registry entries were removed), proceed in the following order.

 

First, execute the following BaroPAM registry registration file "register.reg" in the BaroPAM installation module directory.

 

 

register.reg file)

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{325D6690-E5AC-4570-B15A-19A622571036}]

@="BaroPAMLogon"

 

[HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}]

@="BaroPAMLogon"

 

[HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}\InprocServer32]

@="C:\\baropam\\baropam_x64.dll"

"ThreadingModel"="Apartment"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{325D6690-E5AC-4570-B15A-19A622571036}]

@="BaroPAMLogon"

 

Second, if you run the "register.reg" file, the BaroPAM registry registration file, the following "User Account Control" screen appears.

 

 

Third, a "User Account Control" prompt asks whether to allow Registry Editor to make changes to the device; click "Yes", and the following "Registry Editor" screen appears.

 

 

Fourth, if you click the "Yes" button to register BaroPAM's registry after checking the contents of the "Registry Editor" screen, the following "Registry Editor" screen appears.

 

 

If you click the "OK" button on the screen above, the registry registration of BaroPAM is completed.

 

Note) After reusing BaroPAM, do not reboot Windows, but use "Windows+L" to test.
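The registration that register.reg creates deserves a check after installation and periodically afterwards: a credential provider DLL is loaded by LogonUI, which runs as SYSTEM, on every logon, so whoever can change the InprocServer32 path or overwrite the DLL controls the logon screen. The script below is an added example, not part of the vendor's page or package; the CLSID and the DLL path are the ones in register.reg, and the expected hash is a value you fill in from your own installation record.

```powershell
# Added example (not part of the vendor page): audit the BaroPAM credential
# provider registration and compare it with every other provider on the host.

$Clsid        = '{325D6690-E5AC-4570-B15A-19A622571036}'
$ExpectedDll  = 'C:\baropam\baropam_x64.dll'
$ExpectedHash = $null   # paste the SHA256 recorded at install time; $null only prints it
$Auth         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-CredentialProviderInfo {
    param([string]$Id)
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id\InprocServer32"
    $dll = $null
    if (Test-Path $inproc) {
        # The default value is the DLL path; built-in providers often use %SystemRoot%.
        $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $inproc).'(default)')
    }
    $present = [bool]($dll -and (Test-Path $dll))
    [pscustomobject]@{
        CLSID     = $Id
        Provider  = Test-Path "$Auth\Credential Providers\$Id"
        Filter    = Test-Path "$Auth\Credential Provider Filters\$Id"
        Dll       = $dll
        DllExists = $present
        Signature = if ($present) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { $null }
        SHA256    = if ($present) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash } else { $null }
    }
}

# 1. The BaroPAM entry: path, presence, signature status and hash.
$info = Get-CredentialProviderInfo -Id $Clsid
$info | Format-List
if ($info.Dll -ne $ExpectedDll) { Write-Warning "InprocServer32 points at '$($info.Dll)', expected '$ExpectedDll'" }
if ($ExpectedHash -and $info.SHA256 -ne $ExpectedHash) { Write-Warning 'DLL hash differs from the recorded install hash' }

# 2. Who can write to the DLL's directory? Any principal granted Write, Modify or
#    FullControl here can swap the DLL and run code as SYSTEM at the next logon;
#    only Administrators, SYSTEM and TrustedInstaller should appear.
$dir = Split-Path $ExpectedDll
if (Test-Path $dir) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}

# 3. Every other provider and filter on the box; an entry you do not recognise
#    deserves the same checks, since this registration path is a known way to
#    persist and to capture passwords at logon.
Get-ChildItem -Path "$Auth\Credential Providers", "$Auth\Credential Provider Filters" |
    ForEach-Object { Get-CredentialProviderInfo -Id $_.PSChildName } |
    Sort-Object CLSID -Unique |
    Format-Table CLSID, Provider, Filter, Dll, Signature -AutoSize
```

Run it once right after installation to record the baseline hash, and again after any "reuse" of register.reg: the registration file hard-codes C:\baropam\baropam_x64.dll, so a DLL replaced at that path would be loaded without any change to the registry.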

 
