Re: stopping students sharing their login credentials

["Rappaport,Jason" <jbr32 () DREXEL EDU>]

Ray -  in some of our labs we had an issue with students from other
colleges using our labs that forced us to limit access to our MAC labs.
We ended up implementing a custom script that not only would allow
authorized students to log onto the computers, but also limited them to
one logon per machine program; e.g. only one logon per the five Graphic
Design labs.  If anyone is interested in this script I would be willing
to share it with them; send me a private message.  

Thanks, Jay


__________________________________
Jay Rappaport
jasonrap () drexel edu  
215.895.1680 office
215.895.6447 fax
Systems Administrator
Microsoft Certified Professional
Six Sigma Green Belt Certified
Antoinette Westphal College of Media Arts and Design - Design & Imaging
Studios
Drexel University
http://drexel.edu/westphal

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ray Strubinger
Sent: Friday, January 23, 2009 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] stopping students sharing their login
credentials

Depending on your environment, there may be a technical control to
compliment your educational efforts.

If there's no legitimate reason to be logged in to more than one system
simultaneously, see if your authentication system can limit the number
of simultaneous logins.  If your authentication system doesn't
specifically allow you to prevent simultaneous access, then one solution
I've seen is to have a script watch for login events from multiple
locations for the same user.  The script alerted a human who then cut
access.

-Ray

Russell Fulton wrote:
> Background:
>
> Earlier this week we had an incident where the building security 
> officer noticed a group of unfamiliar people using machines in one of
our labs.
> She asked them for their ID cards and none could (would?) produce one.

> On questioning they said they were students from a neighbouring 
> institution and that they were using "borrowed" credential.
>
> We have cctv footage and swipe card logs from the door (which may show

> they tail gated someone in).   We are now tracking down which machines

> were being used so we can disable the accounts.
>
> To the point.
>
> We (the security techies) have been asked what measures we can deploy 
> to prevent this sort of thing happening in future.
>
> We already do lots of education, posters, page on the back of the 
> student handbook. Students have no excuse for not knowing that they 
> should not share passwords.
>
> On the social/education side we could make an example of anyone we 
> finger for this (assuming we can make charges stick) in the hope that 
> this will persuade other students not to share their passwords.
>
> Technical solutions seem to revolve around some form of two factor 
> authentication.  I.e. something the student has but which they will be

> reluctant to part with for any length of time.  Like their ID card.
>
> Our ID cards have bar codes and classic mag stripe.   Some labs (like 
> this one) also have proximity card locks.  Generally only post grad 
> students or students in special coursed (like medicine) have proximity

> cards.
>
> Anyway I would very much like to know what other are doing in this
space.
> Cheers, Russell


--
Ray Strubinger
Information Security Program Manager

Georgia Institute of Technology
OIT Information Security
258 Fourth St, Rich 222
Atlanta, Georgia 30332-0700
Phone:404-385-0334/Fax:404-385-2331