Educause Security Discussion mailing list archives
Live@edu tenants: Better Security Reporting from MS
From: Martin Manjak <mmanjak () ALBANY EDU>
Date: Fri, 30 Sep 2011 10:18:41 -0400
This is a query to those of you who have migrated all, or a portion, of your email service to the MS Live@edu cloud service, and a request for your comments to judge whether this issue should be elevated to the level of a concern on the part of the .edu community with MS.

Case Study

If you have made the move, or are preparing to make the move, you will know that provisioning AD accounts for your user population greatly facilitates the account provisioning and management process for the migration to Live.

Here's the concern I have: Our faculty, staff, and students will continue to be subject to phishing attacks. MS employs a series of email thresholds that are used to throttle accounts. It performs no diagnostics and makes no distinction between abusive/ignorant account holders and compromised accounts used to send spam.

In the past, in our environment, the damage an attacker could perpetrate with compromised credentials was for the most part limited to our Unix cluster. (That's where our students had their accounts/email service.) And we had good visibility into these incidents.

Now however, a compromised Live password means a compromised AD account. AD is used to manage access to a wide range of resources on our campus (shares, calendars, VPN access, etc.). MS does not send any kind of notice to the tenant institution when it suspends a Live account for exceeding its mail limits, so we have no visibility into these incidents.

So here's the hypothetical: A staff member has their account compromised. MS suspends the ability to send mail from their Live account for 24 hours. No notification of this is sent to the tenant. The account owner won't know if they don't log in. The employee goes home for the weekend. The AD account is still active within the domain.

Now there is a set of compromised AD credentials in the possession of an unauthorized individual or group, and neither the institution nor the owner is aware of this, and may not become aware of it for a few days under certain circumstances (e.g., the owner doesn't try to send messages during the 24-hour suspension period, so nothing appears to be wrong from their perspective).

I'm hoping that MS will reconsider its lack of reporting of account suspensions to tenant colleges and universities, but that depends to a great extent on how much of a concern this is to its other .edu tenants.

So does this bother you as much as it bothers me?

Marty

--
Martin Manjak CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209
518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.
Current thread:
- Live@edu tenants: Better Security Reporting from MS Martin Manjak (Sep 30)