Stanford break in

[Chuck Vose <vosechu () roman-fleuve com>]

The break in at Stanford and other high level super-computing schools
prompted a question about NIS. 

When dealing with any kind of networked password database, such as NIS
or Active Directory, how does one ensure that accounts aren't stolen. It
seems like when an account is lost, it's lost on every single computer
on the network instead of just one machine. 

1. Are network synchronized passwords a bad idea, considering the
normally lax stance on security that many corporations have?

2. Aside from running Jack the Ripper regularly on the passwords and
ensuring that passwords are strong, what are some methods to ensure
physical and logical security of accounts (ie: yellow stickies are the
hidden treasure for a disgruntled employee). Any generalized concepts?

3. In an Active Directory domain, allowing access to all computers is
obviously a bad idea, but is this what the majority of admins do?
Authenticate with the server, but only allow access to one workstation.
I've never had to do this on a large scale, is it as time consuming as
it seems that it might be or are there tools that make this easier?

I know that this is 3 disparate topics, would list etiquette suggest
that I should make 3 topics?

Thank you,
Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards