Educause Security Discussion mailing list archives

Re: Two Factor Windows Shares


From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 25 Aug 2011 15:26:26 -0500

AD supports Token/client certificate based authentication.
However, once logged in, things like "pass the hash" still work.

OTP fobs for desktop login can be a good alternative to user-hostile password complexity rules, but they're not an 
additional network security layer. Depending on the threat/compliance goal, they could suffice. They (mostly) stop 
phishing and can be good answers to the "I'm going on vacation, here's my password" sort of problem.

Joe: Yeah, Samba clients and servers support wrapping the whole session in SSL, possibly with client certs. Windows 
clients, though, don't. I think Samba added this in the mid-90s just because they could.

