Protecting communications before a Windows logon
Published on 13/2/2023
Author: Arnaud Dufournet, Chief Marketing Officer
Do you know about the GINA Mode?
Almost half of UK companies, two in five French firms, and a third of German businesses see cybersecurity as their main challenge as regards staff working from home (Okta Hybrid Work 2023). CISOs fear not only the lack of control over computer equipment once it leaves the company’s premises, but also that users might develop some high-risk habits. They are right to be worried. Half of all internet users admit they have used personal computer equipment for work-related purposes, according to a 2022 survey [in French only] on IT threats and security practices conducted by the French data security association, Clusif. This figure is up from their previous survey. A worldwide Gartner survey from 2021 reported a similar proportion. The other side of the coin, i.e. personal use of IT equipment provided for work purposes, is also a fact of life.
In a guide published in October 2022 covering cybersecurity for SMBs in 13 questions [in French only], the French National Cybersecurity Agency (ANSSI) once again pointed out that mitigating the digital risks of a remote workforce requires the installation of “remote connection software, such as an encrypted VPN, to protect communications.” But companies also need to instill the right habits in their employees.
Users are therefore asked to open a VPN tunnel whenever they log on to Windows and start to work, i.e. start accessing web applications or documents stored on the corporate network. ANSSI strongly recommends full-tunneling mode as the VPN configuration of choice, such that all data traffic is routed through an IPsec tunnel ensuring it is fully protected. However, users do need to enable the VPN when they log on to Windows, and not only when they want to access a particular document stored on the corporate LAN.
CISOs simply cannot stand behind each user making sure they use their VPN client properly. Not every person working from home is aware that their communications and data interchanges are only protected and kept confidential when they remember to switch on their VPN.
Which is why we at TheGreenBow believe that it should be as straightforward as possible to implement such protection. This was the starting point from which we developed a feature called “GINA mode” available in the Windows Enterprise VPN Client.
What is GINA mode?
Let us immediately dispel any notions flitting through the minds of film buffs: GINA is not a reference to the famous Italian actress who passed away a few days ago. Its true meaning is altogether less glamorous, being merely the acronym for “Graphical Identification and Authentication.” First appearing with Windows 2000, it is a Windows user interface module that provides user identification and authentication functions when a session is opened. From Windows Vista and Windows Server 2008 onwards it was replaced by the Microsoft Credential Providers API.
The Windows Enterprise VPN Client’s GINA mode is based on this API, and it serves to open an IPsec tunnel even before a user logs on to Windows.
What are the benefits of GINA mode?
Opening a tunnel just before logging on to Windows offers two major advantages that enhance endpoint security. The first is authentication. When connecting to an access rights management server (such as Active Directory) within the organization’s network, a user will have to authenticate. Note that GINA mode also works with other authentication systems supported by the Windows VPN Client, such as smart cards.
Secondly, the domain controller will then update the security profiles of the workstation and the applications, in particular the firewall. This step is very important to ensure the workstation’s compliance.
Moreover, if the organization is following the ANSSI recommendation and has deployed an “All through the tunnel” configuration for its VPN clients, this will ensure that all incoming and outgoing data traffic to and from the workstation passes through the gateway and the scrutiny of the firewall. Consequently, even before the Windows session has opened, the workstation is in a secure “bubble,” without the user being aware of it. Users can then access documents on the network or online services, with the added benefit of having all their communications encrypted.
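The “All through the tunnel” configuration only delivers the protection described above if the workstation’s default route really does point into the tunnel. The following PowerShell check is an added example written for this article; it is not TheGreenBow code and does not use the VPN client’s own API. It reads the routing table and reports, for IPv4 and IPv6 separately, whether the lowest-metric default route belongs to the VPN adapter and whether any other adapter holds a default route with an equal metric that traffic could fall back on. The adapter alias (`TheGreenBow VPN`) is an assumption and must be adjusted to the deployment.

```powershell
# Added example: verify that "all through the tunnel" is actually in force on a
# Windows workstation by inspecting the effective default routes.
# Assumption: the VPN virtual adapter is called 'TheGreenBow VPN' in this deployment.
param(
    [string]$VpnAdapterAlias = 'TheGreenBow VPN'
)

function Get-EffectiveDefaultRoutes {
    # Windows selects among default routes by RouteMetric + the interface's InterfaceMetric.
    param(
        [ValidateSet('IPv4', 'IPv6')] [string]$AddressFamily
    )
    $prefix = if ($AddressFamily -eq 'IPv4') { '0.0.0.0/0' } else { '::/0' }

    Get-NetRoute -DestinationPrefix $prefix -AddressFamily $AddressFamily -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ifMetric = (Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex `
                                            -AddressFamily $AddressFamily).InterfaceMetric
            [pscustomobject]@{
                AddressFamily   = $AddressFamily
                InterfaceAlias  = $_.InterfaceAlias
                NextHop         = $_.NextHop
                EffectiveMetric = $_.RouteMetric + $ifMetric
            }
        } | Sort-Object EffectiveMetric
}

function Test-FullTunnel {
    # Returns one verdict object per address family.
    param([string]$Alias)

    foreach ($family in 'IPv4', 'IPv6') {
        $routes = @(Get-EffectiveDefaultRoutes -AddressFamily $family)

        if ($routes.Count -eq 0) {
            # No default route at all: nothing can leave the host over this family.
            [pscustomobject]@{ AddressFamily = $family; FullTunnel = $true
                               Reason = 'no default route (family unreachable)' }
            continue
        }

        $best = $routes[0]
        # Another adapter with the same effective metric is a leak path: Windows may
        # load-balance or fail over to it without the user noticing.
        $ties = @($routes | Where-Object {
            $_.EffectiveMetric -eq $best.EffectiveMetric -and $_.InterfaceAlias -ne $Alias })

        if ($best.InterfaceAlias -ne $Alias) {
            [pscustomobject]@{ AddressFamily = $family; FullTunnel = $false
                               Reason = "default route via '$($best.InterfaceAlias)' (metric $($best.EffectiveMetric))" }
        }
        elseif ($ties.Count -gt 0) {
            [pscustomobject]@{ AddressFamily = $family; FullTunnel = $false
                               Reason = "equal-metric default route on '$($ties[0].InterfaceAlias)'" }
        }
        else {
            [pscustomobject]@{ AddressFamily = $family; FullTunnel = $true
                               Reason = "default route via '$Alias' next hop $($best.NextHop)" }
        }
    }
}

Test-FullTunnel -Alias $VpnAdapterAlias | Format-Table -AutoSize
```

Run it from an elevated or standard PowerShell session while the tunnel is up; both rows should read `FullTunnel: True`. A `False` on the IPv6 row with the IPv4 row `True` is the classic split the VPN profile did not cover, and is worth checking explicitly because most gateway firewall policy is written with the IPv4 tunnel in mind.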
GINA mode, combined with other features such as automatic Trusted Network Detection (TND) and Always-on mode, can meet security demands while requiring zero user effort, as the tunnel is set up automatically—though only when required.
One last advantage offered by GINA is that if a user’s computer is stolen, in principle the thief does not know the login credentials required to log on to Windows. The tunnel giving access to the corporate LAN will therefore never be set up, and the thief will have no access to any data stored on the network. The company, meanwhile, can delete the session, preventing any possibility of accessing the LAN over the VPN.