Educause Security Discussion mailing list archives

Re: Secure Password Distribution for Exchange Migration


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 8 Dec 2011 13:29:16 -0500

Hi,

If you are running Kerberos, we have code that syncs our AD to our Kerberos system. I'm checking to see if we can share this. We run Cyrus for about 80,000 users and Exchange for about 3,000.

My suggestion would be to sync all of the passwords - that way you really don't have to do much of anything.

My 2 cents

Joel

--On Thursday, December 08, 2011 9:27 AM -0600 David Treble <dtreble () CC UMANITOBA CA> wrote:

We are in the process of migrating 7500 staff accounts from Cyrus Mail
to Exchange.  There has been some debate on the migration team on how
best to handle the password distribution.

Issues creating some complexity to the problem (politics/staffing/budget
are at play here):

- we don't have a mature AD infrastructure in place (currently on
Netware).  AD accounts will be created and then mail enabled just prior
to the migration.  The full AD migration for desktop file/print is Phase
2. (probably should have been Phase 1)

- the AD adapter for our SunGard Identity Mgmt system which would allow
self-service resets or password synch will not be ready until mid or
late in the migration

- aggressive timeline for migrating 7500 accounts (3 months), potentially
100+ accounts per day

- Help Desk cannot process 100+ password resets per day with current
staffing (10 minute avg per call)

Options

1. Seed AD account with random password, hand deliver sealed envelope by
unit Computer Rep just prior or at the time of migration.

2. Seed AD account with known value (i.e. DOB 12Mar1965 or Emp# umE123456)

3. Trust Faculty/Unit Rep with list of passwords for users in their area.

4. Decrypt users' Cyrus mail password and migrate that to AD/Exchange

5. Force all users to call Help Desk for password reset

User would change password in OWA as part of the migration checklist.

We would appreciate any feedback or suggestions for other options if
you've gone through a similar migration.

Regards,
DT


--
+++++++++++++++++++++++++++++++++++++++
David Treble    IT Security Coordinator
E3-640 EITC     University of Manitoba
dtreble () cc umanitoba ca -- 204.474.8340

     Follow @uminfosec on Twitter
Ask me about the Infosec Mailing List!
http://blogs.cc.umanitoba.ca/ist-alerts/
+++++++++++++++++++++++++++++++++++++++




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

