Re: Stanford break in

[Carric Dooley <carric () com2usa com>]

Here's my take..

On Wed, 21 Apr 2004, Chuck Vose wrote:

> The break in at Stanford and other high level super-computing schools
> prompted a question about NIS. 
>
> When dealing with any kind of networked password database, such as NIS
> or Active Directory, how does one ensure that accounts aren't stolen. It
> seems like when an account is lost, it's lost on every single computer
> on the network instead of just one machine. 
>
> 1. Are network synchronized passwords a bad idea, considering the
> normally lax stance on security that many corporations have?

Network synced passwords are the only way to manage a large number of 
users. If you have 10 workstations and 1 server, it might be fine to have 
no network directory, but with 300,000 users, I would say it's impossible. 
I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. (notice the 
conspicuous absence of NIS, and I wanted to leave out AD, but it seems to 
be unavoidable these days.

> 2. Aside from running Jack the Ripper regularly on the passwords and
> ensuring that passwords are strong, what are some methods to ensure
> physical and logical security of accounts (ie: yellow stickies are the
> hidden treasure for a disgruntled employee). Any generalized concepts?

JOHN the Ripper, Rainbow Crack or L0phtcrack could be PART of the process,
but it would make more sense to enforce strong passwords when the user
sets them. Decide on password guidelines like alpha-numeric, mixed case,
and one special character, and leave it to a dll like passfilt.dll or
something similar. Yellow stickies just comes down to end-user education,
and a good password policy. If the requirements are: "14 random
alpha-numeric chars, with 5 special chars and mixed case.. OH, and change
it weekly" you will most likely have a sticky note problem.. if it's: "7
chars, alpha-numeric, one special char and mixed case changing every 42
days, and HERE are 6 examples of good passwords", you could make some 
progress... it really comes down to a good security program that includes 
the security organization, and a well-crafted, enforced security policy.

> 3. In an Active Directory domain, allowing access to all computers is
> obviously a bad idea, but is this what the majority of admins do?
> Authenticate with the server, but only allow access to one workstation.
> I've never had to do this on a large scale, is it as time consuming as
> it seems that it might be or are there tools that make this easier?
AD, LDAP, NDS all give you the ability to control access through context. 
In other words, if the tree is well designed, a user cannot access all 
servers on the network. Access to "a workstation" would be somewhat 
useless in a client server network... users need to be able to get to 
servers, but only those required to do their jobs, which is pretty much 
the underlying principal to data confidentiality in the CIA 
(confidentiality, integrity, availability) data security model. This again 
goes back to whether or not an enforced policy allows network 
administrators to create a flat tree... you COULD even do it if all you 
have is something like domains using resource domains, with multiple 
masters, and creating infinite one-way trust relationships, but the level 
of pain that would entail would discourage most sane people.


> I know that this is 3 disparate topics, would list etiquette suggest
> that I should make 3 topics?
>
> Thank you,
> Chuck
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards