In-Depth
Biometric Security Products
Wouldn't it be nice if your computer just knew you! Security Advisor's Roberta Bragg evaluates several solutions.
- By Roberta Bragg
- 04/01/2002
In a recent movie, a terrorist cut off the finger of a federal agent
and used it to access restricted airport facilities. In another, a dead
bad gal's severed digit is used repeatedly to access restricted areas
of the evil empire's headquarters. When she returns to life and attempts
to enter an area where the system already thinks she's present, the alarm
is raised.
Good Hollywood stuff; but highly unlikely. Biometric scientists tell
me that once you take away the blood supply, within minutes the unique
whorls and dips of a fingerprint are no longer in any condition to function
as acceptable input for scanners. So put your fears away; securing your
network with biometrics won't give new meaning to the word "hackers."
There will be no chopping of fingers or hands; no poking out of eyeballs;
no surgical voice box implants. Instead, biometrics will challenge you
in other ways.
I'd like to introduce you to some examples of biometric products currently
on the market. I've installed, configured and briefly tested these toys
and found a surprise or two that makes me question the use of biometrics
on a Windows network. As they say in the salesroom: Your mileage may vary.
All Body Parts are Not Created Equal
Biometrics is based on the premise that many body parts are unique.
That is, no two of something exist in the world. While I don't think that
we have proven that beyond a reasonable doubt, I do find the use of biometrics
for authentication a compelling development. While I could not give you
broad coverage of every vendor (several hundred exist), nor even an introduction
to every biometric technique, I hope I can whet your interest and hope
that you will seek out these techniques.
There are several important items to consider when choosing which one
will become your champion. First, you must decide which type of biometric
is right for your situation. The Biometric Consortium, www.biometrics.org,
describes 10 classifications: face, fingerprint, hand and finger geometry,
handwriting, iris, multimodal (using more than one technique), retinal,
vein, voice/speech and various/others. Each must be judged on accuracy
(how likely are false positives? False negatives?), acceptance (many people
resist the use of retinal scanning, as the requirement for placing your
eye against a plastic cup is considered too intrusive and perhaps a health
risk), cost (less than $100 for some fingerprint scanners to thousands
of dollars for some access control systems), and intended use (network
or computer authentication? access control such as building entry?). In
addition, you must determine whether you want "verification," the ability
to find and compare the offered template with that of the named user,
or "identification," the finding of an unknown user by comparing the offered
template with an entire database. Finally, to make sure that spiffy biometric
gewgaw is not just another panacea you should allow adequate time to thoroughly
test it in your environment.
| Product
Information |
|
BioPassword 4.5 (4.6 is currently in beta)
$100 per seat for 50 seats Technology: Keystroke Dynamics
Net Nanny Software International, Inc.
Bellevue, Washington
(425) 688-3008 www.biopassword.com
VeriVoice Security Lock (SL) beta
VeriVoice, Inc.
Princeton, New Jersey
(609) 452-9220 www.verivoice.com
EyeD Hamster, $119 EyeD OptiMouse, $139
SecuGen
Milpitas, Calif.
(408) 942-3400 www.secugen.com
Panasonic Authenticam Camera, $199.99
Iridian PrivateID and SecureSuite software
Provided by
StrikeforceTechnologies
West Orange, New Jersey
(866) 787-4542 www.strikeforcetech.com
|
|
|
Magic Fingers at Work:
BioPassword 4.5
Mrs. Johnas, my ninth grade typing teacher, said she could always recognize
her students by looking at the paper they typed or listening to the sounds
they made while working. The strength of each finger produced a different
imprint on the page, and the tympanic rhythm that resulted from the combinations
of their keystrokes was as unique as the faces frowning over the errors
we made. One day we blindfolded her and switched desks, then asked her
to walk up and down and identify us. She got every one right.
Research now confirms what Mrs. Johnas knew all along—how we type
is unique. There's a pattern to the ways we strike the keys, the timing,
strength and force. BioPassword is a biometric product based on these
facts. BioPassword does not replace the simple user ID and password model.
Instead it adds a layer of protection. Once the product is installed,
each user must register by typing her Windows user ID and password a number
of times. This creates a template which can later be compared with one
made when she logs on. If there is a match between the sample made during
logon and the template on file, the user is logged onto the network. If
someone else tries to enter the same information, that template will be
different and a brief error message tells that person that access has
been denied. This means even a sophisticated password-cracking product
is useless. You may know my user ID and my password, but you'll never
type the same way that I do.
Installation, Setup and Testing
NetNanny, the producers of BioPassword, provided me with a 10-user
license, brief documentation and a warning to install the server before
the client. Loading the server software on a Windows 2000 domain controller
was quick and easy. Because there's no specialized hardware, there were
no drivers, cables or connection issues. Once installed, a small BioPassword
utility (see Figure 1) is the only visible part of the product. Here you
configure things such as how many times the ID and password must be typed
for registration, and also identify workstations and user accounts.
 |
| Figure 1. The set-up utility for BioPassword. |
Loading the client on Windows 2000 professional was also a snap. As I
logged on for the first time from the new client, I had to register by
typing in my user ID and password 15 times. This is the default and recommended
number. You can set the product to accept fewer repetitions, but this
may make the system less accurate. Later, when I changed my password,
the registration process was repeated.
I had hired two guys and a chain saw to clean up the ice storm that produced
wood piles in my yard, so I invited them in for cookies and to register
as users in my domain. Then we took turns trying to logon as each other.
It didn't work. That is, BioPassword, like Mrs. Johnas, could not be fooled.
The limb guys were soon bored and left to do "real" work.
So what happens if I cut off my finger?
Having often broken bones, sliced fingers and otherwise corrupted
potential logon keys, I wondered what would happen to a BioPassword protected
system then. Well, I'll go a long way to bring authenticity to these authentication
tests, but I draw the line at bodily damage. Instead, I twisted my hands
akimbo and for good measure typed using three fingers instead of ten.
Sure enough, like the BioPassword documentation warning says, I could
not get in. However, as the docs note, an administrator could remove my
account registration, thus allowing me to register again. My new typing
style would be recorded as the correct one, and allow me to continue working.
Best Practices, Problems and Things to Think about
Whenever considering any biometric or other change to your authentication
system, you need to keep in mind things beyond ease of use and user acceptance.
First, you need to develop a policy for how the product will be used.
Second, you need to assure yourself that the product's idea of security
and yours mesh. BioPassword can work to protect your network because even
in the case where a user ID and password are compromised, an intruder
still cannot gain entry. He can't reproduce your user's unique typing
style, and BioPassword has mechanisms in place they believe will repel
attempts to play back any recorded exchange between client and server.
But as the implementer of biometric products on your network, you have
a part in this process too. If you do not insist on every user in your
organization using the biometric, then you have left a hole that any attacker
can potentially find and use. If you do not audit and monitor logon activity,
you will never know if someone is attempting to break in, or perhaps has
found a way to compromise the product. No vendor can produce a product
that will never, over time, become the victim of a successful attack.
Caveat: If you do insist on 100-percent compliance with this biometric,
what happens when the administrator gets locked out, or leaves before
his replacement arrives? In most networks more than one administrator
exists, so the other one can allow the first to register again. In the
smaller network, with one administrator it is always advisable to assign
an "emergency" administrative level account to some other employee—not
for general use, but for just such an emergency. Make sure that employee
registers that account as well as a normal user account for BioPassword
authentication. NetNanny tells me that in the future, they may introduce
a challenge and response series of questions that can be used should an
administrator be locked out.
| Uses
of Biometrics |
|
Lest you think that biometrics is of no use in the
real world, here are some places that these technologies
are already being used:
Identification Facial recognition technology
is used in casinos to spot known troublemakers.
Physical access Voice services over the
telephone by Home Shopping Network and Charles Schwab
Hand geometry US Immigration and Naturalization
Service's Passenger Accelerated Service System to identify
and process pre-enrolled low risk frequent travelers
(citizen-verification) readers.
Fingerprint scanning DisneyWorld season
pass holders; Chicago airport employees
Iris scan EyeTicket, a test program at
Charlotte /Douglas International Airport in North Carolina
and a few others.
Facial recognition East London borough
of Newton's 200+ facial recognition surveillance cameras.
|
|
|
Biocontainment
Biocontainment is defined as the process of preventing the spread of disease.
In the NetNanny BioPassword world, it's seen as the process of making
sure that all systems must use the biometric processes, thus protecting
contamination from an "unprotected" system. In testing this product I
came across a couple of inconsistencies that I believed might cause some
problems. I discussed these with the BioPassword folks and received some
interesting replies.
First, in the documentation I ran into a discussion of secondary logon
and a potential need to disable the RunAs service. Though it didn't come
out and say that using RunAs would cause a problem, this certainly raised
a red flag. Immediately I logged on as myself and attempted to run Notepad
using one of the "chain saw" accounts and the appropriate password through
the RunAs service. I was successful. Logging off, I tried to log on using
the same account, and could not. Logging on as myself I then used RunAs
to attempt multiple tasks as one or the other of my chain saw buddies.
It worked every time. Whoops. The NetNanny folks didn't shirk my inquiry.
They admitted that it was an issue they are working on but in the meantime
recommend that administrators disable the RunAs service.
Second, I have multiple client machines in my test network. Since I only
loaded the client on one of them, I wanted to see what would happen when
I attempted to logon from one of the other, non-BioPassword protected
systems. Since no client was installed, and therefore the workstation
wouldn't be able to produce a template for comparison with the stored
one, I expected a simple denial of access even when using a legitimate
account. This was not the case. Logging on from an unprotected client
allowed access with just a user ID and password. I could—once I knew
the password—log on to any account. No biocontainment here. NetNanny
was quick to agree, and note that biocontainment will be possible in the
next release (4.6).
Assessment
This is a great product for a network, if you can survive with
RunAs disabled. It'll be even better when NetNanny resolves this issue.
Biocontainment on the non-client workstation issue will resolve that loophole.
Until then, only strict adherence to a manually implemented policy that
demands client installation on all workstations in the domain will help
you sleep at night.
The availability of a Windows XP client and Windows .NET Server product
are forthcoming. I'm looking forward to using BioPassword to protect remote
assistance access. (I could use it now to protect terminal services access
to my network from anywhere I might be.)
A standalone product is due for release shortly and this should be a
boon for those who wish to provide better security to workgroup desktops,
traveling laptops, and user owned machines that are used for work at home.
It should also receive strong acceptance in this group, as there is no
additional hardware to understand, damage, maintain, misuse or abuse.
In short, be aware of the issues. They can be showstoppers if not managed,
but then, so can widespread access to your network made possible by easy
to determine passwords and no additional protection.
An Interesting Curiosity:
VeriVoice Saves Keystrokes but Doesn't Enhance Security
I work at lot at a keyboard and have the stiff neck, sore fingers
and painful joints to prove it. I'm hoping someday to be able to do most
of my work by just talking to my computer. The makers of voice recognition
biometric software, however, are not trying to improve my physical health.
Instead, they hope to improve the health of your network by preventing
unauthorized access. They do so by identifying your unique voice. Some
of these systems require elaborate training and expensive hardware. Others
can exist on common desktop systems. Instead of entering a user ID and
password via the keyboard, you speak a predetermined catchphrase, or repeat
randomly selected phrases. If it's really you (or at least if the software
can determine that it's you) then you're in. Otherwise you're not.
VeriVoice is one such product but it's not meant as a foolproof network
or computer access system. Instead, it protects your password-protected
screensaver. Sort of. As you know, many Windows screenssavers can be turned
into password protected system lockouts with the check of a box. Idle
systems start the screensavers and only the possessor of the currently
logged on user account password can banish the screen saver and access
the desktop. After VeriVoice is installed, an attempt to access the screensaver
protected system asks for authentication via repetition of a VeriVoice
generated number.
Installation, Configuration and Testing
You can install VeriVoice on any Windows 2000 system. You do not
have to be in a domain, nor is your usage domain-dependent or restricted.
Running the installation (make sure your microphone is working!) sets
up the system and provides you the opportunity to "register" your voice.
You do so by repeating numerical phrases that are spoken to you and repeated
in a dialog box (see Figure 2). I found myself repeating the rhythms of
the voice, instead of my own natural ones. This turns out to be not a
good idea. When VeriVoice is through with you, you're thanked for registering.
 |
| Figure 2. VeriVoice registers your voice by having
you repeat numeric phrases. |
Next, select a screensaver and check the Password required box. When
the screensaver is activated, the system is locked. When you attempt to
access the system, VeriVoice requires you to repeat several numerical
phrases. From these, VeriVoice creates a template and attempts to match
it with the one saved during registration. A match lets you back on the
system.
Best Practices, Thoughts
Unfortunately, after three attempts at duplicating your voice print,
instead of denying access, VeriVoice gives you the opportunity to key
in your password and return to your desktop. In my mind, this invalidates
the reason for using VeriVoice in the first place and turns what could
be a valuable use of biometrics into little more than a curiosity. Remember,
I said that was my opinion. VeriVoice states that this is the way their
customers want the service to act. No one wants to potentially lose data
by having to reboot to regain access to a system. Besides, allowing only
the user back into a "locked" system goes against the normal
administrative access policy—if the Windows Lock Computer facility
is used instead of a password-protected screensaver, an administrator
can unlock the system. If VeriVoice denied this access, they would not
be supporting the Windows model.
Assessment
I'd say VeriVoice is useful for the end user who is forced to use
a locking screensaver, but annoyed at having to type in a password when
they return from lunch. It did make interesting conversation as my idle
system kept starting the screensaver while I spoke on the phone. Soon,
I found myself explaining to the caller that I was alone—even though
some woman and I were speaking in code. It may just be me, but I'd soon
be annoyed by the computer voice asking me to repeat the phrases and soon
be mumbling something, anything, three times so finally I could type in
my password and get on with it.
My Hamster Doesn't Have a Creaky Wheel:
Secugen EyeD Hamster and EyeD OptiMouse
My hamster doesn't have a creaky wheel to run on. Instead, he uses
optical components to scan my proffered finger and provide input to prove
my identity to server-side software. Fingerprint scanning for authentication
provides little comparison with the fingerprint matching done to identify
criminals. Instead of performing visual comparisons of the unique topography
of your digital extremities, the scanner maps a large number of data points
at distinctive markings and the distances between them. This information
is compared to previously stored sets recorded in the Active Directory
during your registration.
Unlike keystroke analysis or voice recognition, fingerprint-scanning
biometrics depends on hardware to collect the data. An assortment of mice,
keyboards, and other things you placed your fingers on or in are available.
SecuGen provided me with two: an optical mouse with a scanning window
where most thumbs are placed during mouse control, and a "hamster," a
black device roughly the size of two Zippo lighter that fit comfortably
in the palm of my hand. You can change your grip to place any of your
logon pods (otherwise known as fingertips) over the hamster's scanning
window. Once authenticated, you return it to your desktop until it's needed
again. Protocom SecureLogin V2 Windows 2000 domain authentication software
accompanied the mouse.
Installations, Configuration and Registration
Installation can be a little more difficult here. It's made more
so by the existence of a single executable on the installation CD-ROM
and a requirement for manual modification of the Active Directory Schema.
Much against my better judgment, but with no other choice, I started installation
before reading any documentation. Happily, I was then given the choice
to just install documentation. Documentation is copious, but a shortened
list of steps provided a simpler road path through it.
Step one requires modification of the AD schema. While the instructions
were excellent, this approach leaves much room for user error. A misstep
here could leave one with hours of troubleshooting only to find that the
new user attribute was incorrectly entered or never added to the user
object. I know I'm whining here; real nerds insist on doing their own
schema changes, shun Group and Local policies in favor of scripting their
own registry modifications and never ever use a GUI when a command prompt
will do. Still, I can't be the only one who feels I've paid these kind
of dues in the past. Just let the install program do something I can easily
mess up, ok?
Next, the instructions include modifications at the BIOS level to support
parallel port usage by earlier devices. Since my new little buddies had
USB connectors at the other ends of their tails, I skipped this part.
Instead, I installed the software. Like most biometrics, you can't use
them until users register, and you can't register until you install the
hardware. SecuGen avoids the possible nightmare (install the hardware
and you may find yourself unable to logon because you haven't registered)
by allowing unregistered users to continue using their normal login procedures.
Hardware installation merely requires connecting the creature to the
system. Windows 2000 notices the hardware change and loads the driver.
Finally, I was ready to register my fingers. SecureLogin provides a registration
utility. To run it you must be a member of the SecureLogin Adminstrators
group, a group created when the product is installed. Select a user account,
click the radio button corresponding to the digit to be registered, have
the user place that finger on the device, and click the register button.
An image of the finger print appears on the screen (see Figure 3). If
the image is acceptable, you're allowed to continue registering other
fingers. Incidentally, SecuGen advises you to have users register several
fingers. There's no guarantee that a finger roughened by gardening or
other physical work on the weekend will be a useful authentication tool
come Monday morning.
 |
| Figure 3. Feeding fingerprints to SecureLogin.
(Click image to view larger version.) |
Once registered, the user can use any registered finger to start the
authentication process, if it's acceptable, the first time authentication
also requires password entry. You can remove the password requirement.
Mouse or Hamster?
Unlike keystroke analysis, fingerprint scanning biometrics allows
you to choose the auxiliary device to use for entry. The EyeD Optimouse
looks almost exactly like any other mouse you may have. However, along
the left side of its ergonomic blue and white body is a window into its
soul, er, a plastic window on which to place a registered finger. It's
conveniently placed right where your thumb normally rests. Obviously,
if you have to use another finger, it's a little more awkward. Well, a
lot more awkward but can be done. Remember, this is only necessary for
authentication—you don't need to be able to continually point, click,
and present usable body parts at the same time. Incidentally, this thumb
position placement is perfectly aligned to solve one of the issues common
to most readers; when a fingerprint scanner is first used, it's difficult
to get the finger lined up to get a good print.
The EyeD Hamster sits upright on your desktop. Its slanted top provides
the plastic window. However, after some awkward but successful uses of
it in this position, I found it much easier to use when it I cradled the
device in the palm of my hand. Smokers from pre-BIC lighter times can
empathize here: I discovered this convenience when I realized I was absentmindedly
playing with the hamster as if it was a worry stone, or favorite lighter.
Once I noticed that it only took a few minutes to find comfortable, natural
ways to make the window accessible to any digit. I think it may just become
my favorite, biometrics and soul soothing in one small package—who
would have figured?
Issues
My SecuGen contact made sure he was available to answer any questions
and actually provided an answer to a question I hadn't asked yet. (Are
these guys psychic or what?) The big selling point of biometrics is that
it can replace or strengthen the typical user ID and password combination
by insisting on an authentication process which requires the presentation
of some biological evidence—perhaps a fingerprint, voice, retina
or iris scan, or keystroke pattern. Any implementation of biometrics therefore,
can have a fatal weakness. If a user can somehow go around the biometric
and use only my user ID and password, then adding the biometric layer
is useless. Can a user, for example, logon from a client machine that
does not have the software loaded and forego biometric authentication?
Can she use biometrics to logon to one account, but then use RunAs to
logon to another, sans biometrics? Before I had a chance to test it, SecuGen
provided the answer: Yes, well maybe, and here's what to do.
In normal operation, a workstation that does not have the client software
loaded will not allow a user to enter their normal user ID and password.
In normal operation, an authenticated user can use RunAs to run applications
as another user without the need for biometric authentication. That is,
if the user knows a valid account name and password, he can use that information
and the RunAs service to run applications. He will not be required to
present any biometric information (fingerprints) and there is no way to
force this to be required.
However, a simple adjustment can be made to close this hole and require
biometric authentication in order to successfully logon. A simple registry
key modification allows the product to change the user password to a unique
value each time the user logs on. This means that no registered user can
ever again logon using a password, because they don't know what the password
is. They cannot move to a workstation which does not have the client loaded.
While nothing prevents anyone from using the RunAs service, they will
be unsuccessful for the same reason: They do not know the password. While
a password-cracking program could potentially be used to obtain the password
offline, if the user is a frequent user of the system, the cracked password
is most likely useless as it has already changed
Remember, however, that there is nothing that will automatically require
all users to be registered. An unregistered user can still use a password.
Some of you may consider this a boon, as there are processes that require
the use of a password, so some administrative accounts may need to remain
unregistered. Others may see this as where all biometric products break
down—the biocontainment/ user registration issue. Indeed, if any account
is not registered, and I know that password, I can use it to logon.
The Eyes Have It:
Affordable iris scanning from Panasonic and Iridian
Most biometrics surveys agree: Iris scanning is the most accurate
biometric process. The iris, of course, is the colored circle around the
dark pupil of your eye. Each eye has a unique set of irises. To use iris
scanning a specialized camera is required. In the past that meant iris
scanning was too expensive for most networks and was, it was thought,
more suited to access control than for authentication on the network.
Like most other devices, iris-scanning cameras are no longer just for
high security situations. Still, the cost is twice that of other biometric
devices. A good iris-scanning camera costs about $300, while fingerprint
scanning devices are available for less than $100.
StrikeforceTechnologies Inc., www.strikeforcetech.com,
a Panasonic iris scanning camera dealer and integrator provided the camera
and software for this review. The camera is small (about the size of a
pack of cigarettes) and comes with its own stand. Setting the camera on
top of the monitor and tilting it helps to line it up with your eyes and
obtain the best capture.
Installation and Registration
Unlike some of the other products tested, this one comes with a
small insert that provides all of the information necessary to get up
and running. I was reminded of the instructions I got with my two-line,
fancy-smantz answering machine/telephone combo last week. (Funny, the
iris-scanning camera works, and the phone doesn't, but that may say more
about which technology I have more interest in.) It is however, extraordinarily
easy to lock yourself out of your computer if you're not the kind to follow
instructions. If you install all the software before the camera, the game
is over.
The proper process requires that you install the camera between the installation
of the two software products. So first I loaded the Private ID software.
This controls the camera. After I rebooted and plugged in the camera,
I tested its functioning using the provided utilities. This is not a bad
idea; because installing the authentication control software (SecureSuite)
on a system with a malfunctioning camera would be another way to lock
yourself out. To test system operation, you run a utility that tests the
video functions, illumination system, alignment, and that can perform
an iris capture. You can also use these utilities for user practice.
Next, during the install of the SecureSuite software (this configures
authentication) I was prompted to create a user account to administer
the suite. Interestingly I could not pick the built-in Administrator account,
nor could I later make that account a SecureSuite administrator. What's
more, after product installation I couldn't use the built-in administrator
account to login. Fortunately the new account identified as the SecureSuite
administrator was given membership in the local Administrators group.
After logging on as the SecureSuite Administrator, I opened the SecureSuite
user manager. This utility allowed me to add Windows 2000 users and select
an authentication method for them. In my case, only password and iris
were available. If I had also installed a smart card reader, that would
also have been a choice. Each choice must be configured. Password entry
is, well, password entry—you type it and then type it again for confirmation.
A wizard is provided to help the recording of iris information. It turns
on the camera and waits for the user to line up his eye with the lens.
Once this is accomplished, a small orange circle of light just inside
the lens turns green and a sound like a camera click can be heard. The
user does not need to touch the camera. Four good shots are needed in
order to create a template (see Figure 4). Once both methods are complete
you can either require password and iris scanning, one or the other, or
insist on a single method. When only iris scanning is used, the user password
is changed every time the user authenticates. Knowing a password will
not allow access to the system.
 |
| Figure 4. Capturing iris scans to authenticate
a user. (Click image to view larger version.) |
My enrollment process was, I understand, typical for a new user. At first
I had trouble lining up my eye with the camera—it won't snap the
picture until you're properly aligned. Next, I managed to get four shots,
but SecureSuite thought they were a little bit borderline and wouldn't
record them. Finally, I managed to obtain a good set. After logging off,
I used the three finger salute and was given the SecureSuite logon window.
Again, it took some false steps to manage logon as well. A short practice
time made my attempts more polished and more successful.
| Additional
Information |
| www.biometrics.org—Information
as well as multiple links to research, government requirements,
standards progress, vendors and general information.
http://www.computer.org/itpro/homepage/Jan_Feb/security3.htm—IEEE
Computer Society, "A Practical Guide to Biometric
Security Technology" includes a useful comparison
of biometrics product types over ease of use, error
incidence, accuracy, cost, user acceptance, required
security level and long term stability.
http://www.cesg.gov.uk/technology/biometrics/media/Biometrics
%20Advice.pdf—"Advice on the Selection
of Biometric Products"
http://www.sciam.com/1999/1299issue/1299techbus5.html—"Seen
Before—To guard against terrorism the Pentagon
looks to image recognition technology," an interesting
article on the use of biometrics for covert activity.
http://www.biometricgroup.com/—Site
of International Biometric Group, a consulting and integration
firm with much practical information and reports.
|
|
|
Best Practices and Issues
This product moves iris-scanning into a viable product for many businesses.
However, to enforce policy, and provide better security for the network,
you should either remove the use of a password or ensure that users must
use both iris scanning and a password to access any station. In the former
case you'll lose the use of RunAs, in the later you may find more problems
with user acceptance.