Re: Two-Factor Authentication: Quick Poll

[Bret Ingerman <ingerman () VASSAR EDU>]

Actually, I meant a token that needs to be in the USB port.  We use something called SecureID which is a hardware town 
that must be in the USB port in order to log in as admin.  Of course this means that admins must be a the machine...so 
it may not be worth the trade off.

  --Bret

Sent from my iPad

On Feb 27, 2012, at 7:50 PM, Joel Rosenblatt <joel () columbia edu> wrote:

> The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password 
> and they can access your server without every having to enter in the pin from the token
>
> Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it didn't 
> make any sense to force them to type in the pin when what we were really trying to stop was network breakins.
>
> They are effective for protecting Macs
>
> Joel
>
> --On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman <ingerman () vassar edu> wrote:
>
> > What about using a hardware token for windows servers?  We use them for local admin access on our Widows and Mac 
> > computers.
> >
> >  --Bret
> >
> > Sent from my iPad
> >
> > On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:
> >
> > > We do, but only for Unix admins - it turns out that it is provides no extra security for Windows ... you can log 
> > > into a windows system from the network
> > > without the second factor, so unless your worried about the bad guys coming onto campus and sitting in front of 
> > > your servers to log in, you are using
> > > "Security Theater" to protect your windows systems.
> > >
> > > It (second factor) is effective if you have another choke point (like a database login) that uses the second 
> > > factor, and it is effective to prevent
> > > unauthorized logins to Unix/Linux systems.
> > >
> > > My 2 cents,
> > > Joel
> > >
> > > --On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote:
> > >
> > > > Hi All,
> > > >
> > > > Quick Poll Please:
> > > >
> > > >
> > > > 1         Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users 
> > > > (e.g., system administrators logging in
> > > > remotely)?
> > > >
> > > > 2         Do you think you should?
> > > >
> > > > Thanks!
> > > >
> > > > [cid:image001.gif@01CCF527.C41F7F70]
> > > >
> > > > :: Daniel Sarazen, CISSP, CISA
> > > > :: Senior Information Technology Auditor
> > > > :: University Internal Audit
> > > > :: University of Massachusetts President's Office
> > > >
> > > > :: 774-455-7558
> > > > :: 781-724-3377 Cell
> > > > :: 774-455-7550 Fax
> > > > :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>
> > > >
> > > > University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : 
> > > > www.massachusetts.edu<http://www.massachusetts.edu/>
> > > >
> > > >
> > > > Confidentiality Note:  This email is intended for the exclusive use of the addressee(s) and may contain 
> > > > proprietary, confidential or privileged information.
> > > > If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.
> > >
> > >
> > >
> > > Joel Rosenblatt, Director, Network & Computer Security
> > > Columbia Information Security Office (CISO)
> > > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > > http://www.columbia.edu/~joel
> > > Public PGP key
> > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
>
> Joel Rosenblatt, Director, Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3