Firewall Wizards mailing list archives

Re: Stanford break in


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Apr 2004 07:58:55 -0400 (EDT)

On Wed, 21 Apr 2004, Chuck Vose wrote:

> The break-in at Stanford and other high-level super-computing schools
> prompted a question about NIS.

IMO, NIS should have been drug out and shot years ago...


> When dealing with any kind of networked password database, such as NIS
> or Active Directory, how does one ensure that accounts aren't stolen? It
> seems like when an account is lost, it's lost on every single computer
> on the network instead of just one machine.

This is the risk of single sign-on.  You have to balance that against the
administrative costs of individual accounts, most of which have the same
password.

Now, with single accounts, many systems will not have all accounts- but
setting up a single sign-on environment where that's true is generally
"harder" than just letting all accounts in.

> 1. Are network synchronized passwords a bad idea, considering the
> normally lax stance on security that many corporations have?

It really depends- overall cost-wise, single sign-on saves huge money in
support and work- and for most companies, the attacker pool is relatively
small- it's unfortunate that educational institutions still allow global
access to a large set of their systems *and* those systems use reusable
passwords.

> 2. Aside from running Jack the Ripper regularly on the passwords and
> ensuring that passwords are strong, what are some methods to ensure
> physical and logical security of accounts (i.e. yellow stickies are the
> hidden treasure for a disgruntled employee)? Any generalized concepts?

That doesn't help.  A strong password can be compromised, and is generally
written down- making compromise easy.  "Strong" passwords are not the
answer.

> 3. In an Active Directory domain, allowing access to all computers is
> obviously a bad idea, but is this what the majority of admins do?

Yes, and Yes.

> Authenticate with the server, but only allow access to one workstation.
> I've never had to do this on a large scale, is it as time consuming as
> it seems that it might be or are there tools that make this easier?

I'm not sure about the degree of administrative difficulty, hopefully
someone with Windows admin experience can answer that.

> I know that this is 3 disparate topics, would list etiquette suggest
> that I should make 3 topics?

Nah, the moderator would have bounced it if he'd thought it wasn't ok ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
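The per-workstation restriction asked about in point 3 can be expressed in Active Directory through the account's LogonWorkstations attribute. The following is an added example, not code from this thread or from either poster; it assumes the ActiveDirectory PowerShell module (RSAT), rights to modify user objects, and hypothetical account and computer names.

```powershell
# Added example (not from the thread): limit a domain account to named
# workstations and audit which enabled accounts still have no restriction.
# Assumes the ActiveDirectory module (RSAT) and permission to edit users.
Import-Module ActiveDirectory

function Set-UserWorkstationRestriction {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstations   # NetBIOS names only
    )
    # LogonWorkstations is the userWorkstations attribute: a comma-separated
    # list of computer names the account may log on to interactively.
    # Caveat: it governs interactive logon on domain-joined hosts, not
    # network logons (file shares, etc.), and the attribute is limited to
    # roughly 1024 characters, so long lists need group policy instead.
    Set-ADUser -Identity $SamAccountName `
               -LogonWorkstations ($Workstations -join ',')
}

function Get-UnrestrictedUsers {
    # Enabled accounts with no workstation list: a stolen password for
    # any of these opens every domain-joined machine, which is exactly
    # the single sign-on exposure the thread is discussing.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

# Usage with hypothetical names (account 'jdoe', workstation 'WS-JDOE01'):
Set-UserWorkstationRestriction -SamAccountName 'jdoe' -Workstations @('WS-JDOE01')
Get-UnrestrictedUsers | Format-Table -AutoSize
```

Running the audit function periodically shows how far an environment has drifted back toward "all accounts on all machines".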