Firewall Wizards mailing list archives
Re: Stanford break in
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Apr 2004 07:58:55 -0400 (EDT)
On Wed, 21 Apr 2004, Chuck Vose wrote:

> The break in at Stanford and other high level super-computing schools prompted a question about NIS.

IMO, NIS should have been drug out and shot years ago...

> When dealing with any kind of networked password database, such as NIS or Active Directory, how does one ensure that accounts aren't stolen? It seems like when an account is lost, it's lost on every single computer on the network instead of just one machine.

This is the risk of single-signon. You have to balance that against the administrative costs of individual accounts, most of which have the same password. Now, with single accounts, many systems will not have all accounts- but setting up a single signon environment where that's true is generally "harder" than just letting all accounts in.

> 1. Are network synchronized passwords a bad idea, considering the normally lax stance on security that many corporations have?

It really depends- overall cost-wise, single signon saves huge money in support and work- and for most companies, the attacker pool is relatively small- it's unfortunate that educational institutions still allow global access to a large set of their systems *and* those systems use reusable passwords.

> 2. Aside from running Jack the Ripper regularly on the passwords and ensuring that passwords are strong, what are some methods to ensure physical and logical security of accounts (i.e.: yellow stickies are the hidden treasure for a disgruntled employee)? Any generalized concepts?

That doesn't help. A strong password can be compromised, and is generally written down- making compromise easy. "Strong" passwords are not the answer.

> 3. In an Active Directory domain, allowing access to all computers is obviously a bad idea, but is this what the majority of admins do?

Yes, and Yes.

> Authenticate with the server, but only allow access to one workstation. I've never had to do this on a large scale; is it as time consuming as it seems that it might be, or are there tools that make this easier?

I'm not sure about the degree of administrative difficulty, hopefully someone with Windows admin experience can answer that.

> I know that this is 3 disparate topics, would list etiquette suggest that I should make 3 topics?

Nah, the moderator would have bounced it if he'd thought it wasn't ok ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
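The open question in the thread is how to let an account authenticate to the domain but log on only at named workstations. Active Directory carries that restriction in the user's LogonWorkstations attribute (the "Log On To" setting in the user properties dialog); the script below applies it in bulk from a constructed CSV and then lists enabled accounts that still have no restriction. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module, rights to modify the listed users, and a placeholder CSV path.

```powershell
# Added example (not from the thread): restrict AD accounts to named workstations
# via the LogonWorkstations attribute, then audit accounts left unrestricted.
# Assumes the ActiveDirectory module and permission to modify the target users.
# Constructed input CSV (path below is a placeholder), columns: SamAccountName,Workstations
#   jdoe,WS-JDOE
#   asmith,"WS-ASMITH,WS-LAB01"
Import-Module ActiveDirectory

function Set-WorkstationRestriction {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstations   # NetBIOS computer names, no domain suffix
    )
    # The attribute is stored as one comma-separated string of computer names.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($Workstations -join ',')
}

function Get-UnrestrictedEnabledUsers {
    # Enabled accounts with an empty LogonWorkstations value can log on at any
    # domain-joined machine, which is exactly the exposure the thread is about.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

# Apply the per-user restrictions from the CSV.
Import-Csv -Path 'C:\path\to\workstation-map.csv' | ForEach-Object {
    $names = $_.Workstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    Set-WorkstationRestriction -SamAccountName $_.SamAccountName -Workstations $names
}

# Report what is still unrestricted so it can be reviewed.
Get-UnrestrictedEnabledUsers | Format-Table -AutoSize
```

Service and administrative accounts that legitimately need broad logon rights will show up in the audit; keep that list deliberately short and reviewed rather than silently empty.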