Educause Security Discussion mailing list archives
Re: Secure Password Distribution for Exchange Migration
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 8 Dec 2011 13:29:16 -0500
Hi,If you are running Kerberos, we have code that syncs our AD to our Kerberos system .. I'm checking to see if we can share this. We run Cyrus for about 80,000 users and Exchange for about 3,000
My suggestion would be to sync all of the passwords - that way you really don't have to do much of anything. My 2 cents Joel --On Thursday, December 08, 2011 9:27 AM -0600 David Treble <dtreble () CC UMANITOBA CA> wrote:
We are in the process of migrating 7500 staff accounts from Cyrus Mail to Exchange. There has been some debate on the migration team on how best to handle the password distribution. Issues creating some complexity to the problem (politics/staffing/budget are at play here): - we don't have a mature AD infrastructure in place (currently on Netware). AD accounts will be created and then mail enabled just prior to the migration. The full AD migration for desktop file/print is Phase 2. (probably should have been Phase 1) - the AD adapter for our Sunguard Identity Mgmt system which would allow self-service resets or password synch will not be ready until mid or late in the migration - aggressive timeline for migration 7500 accounts (3 months) potentially 100+ accounts per day - Help Desk cannot process 100+ password resets per day with current staffing (10 minute avg per call) Options 1. Seed AD account with random password, hand deliver sealed envelope by unit Computer Rep just prior or at the time of migration. 2. Seed AD account with known value (ie DOB 12Mar1965 or Emp# umE123456) 3. Trust Faculty/Unit Rep with list of passwords for users in their area. 4. Decrypt users Cyrus mail password and migrate that to AD/Exchange 5. Force all users to call Help Desk for password reset User would change password in OWA as part of the migration checklist. We would appreciate any feedback or suggestions for other options if you've gone through a similar migration. Regards, DT -- +++++++++++++++++++++++++++++++++++++++ David Treble IT Security Coordinator E3-640 EITC University of Manitoba dtreble () cc umanitoba ca -- 204.474.8340 Follow @uminfosec on Twitter Ask me about the Infosec Mailing List! http://blogs.cc.umanitoba.ca/ist-alerts/ +++++++++++++++++++++++++++++++++++++++
Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
Current thread:
- Secure Password Distribution for Exchange Migration David Treble (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Joel Rosenblatt (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Rich Graves (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Rob Whalen (Dec 09)
- Re: Secure Password Distribution for Exchange Migration David Treble (Dec 09)
- security. Bringing up SAS70 requirements once again. David Grisham (Dec 11)
- Re: security. Bringing up SAS70 requirements once again. Doug Markiewicz - EDUCAUSE (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. Soldi, Miguel (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. David Grisham (Dec 12)
- security. Bringing up SAS70 requirements once again. David Grisham (Dec 11)
- FW: [SECURITY] security. Bringing up SAS70 requirements once again. Sarazen, Daniel (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. David Clift (Dec 12)