Educause Security Discussion mailing list archives

Re: Secure Password Distribution for Exchange Migration


From: Rob Whalen <rwhalen () STMARYS-CA EDU>
Date: Fri, 9 Dec 2011 09:53:02 -0800

David,
We have used IDMmanager from Novell to sync our LDAP, eDirectory, and AD. My
understanding is the AD channel sync pretty much works out of the box,
unless you need special rules for changing attributes. If you would like to
chat, email me: rwhalen () stmarys-ca edu
Rob Whalen, Network Analyst
Saint Mary's College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Treble
Sent: Thursday, December 08, 2011 7:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure Password Distribution for Exchange Migration

We are in the process of migrating 7500 staff accounts from Cyrus Mail to
Exchange.  There has been some debate on the migration team on how best to
handle the password distribution.

Issues creating some complexity to the problem (politics/staffing/budget are
at play here):

- we don't have a mature AD infrastructure in place (currently on Netware).
AD accounts will be created and then mail enabled just prior to the
migration.  The full AD migration for desktop file/print is Phase 2.
(probably should have been Phase 1)

- the AD adapter for our SunGard Identity Mgmt system which would allow
self-service resets or password synch will not be ready until mid or late in
the migration

- aggressive timeline for migration of 7500 accounts (3 months), potentially
100+ accounts per day

- Help Desk cannot process 100+ password resets per day with current
staffing (10 minute avg per call)

Options

1. Seed AD account with random password, hand deliver sealed envelope by
unit Computer Rep just prior or at the time of migration.

2. Seed AD account with known value (i.e. DOB 12Mar1965 or Emp# umE123456)

3. Trust Faculty/Unit Rep with list of passwords for users in their area.

4. Decrypt users' Cyrus mail password and migrate that to AD/Exchange

5. Force all users to call Help Desk for password reset

User would change password in OWA as part of the migration checklist.

We would appreciate any feedback or suggestions for other options if you've
gone through a similar migration.

Regards,
DT


-- 
+++++++++++++++++++++++++++++++++++++++
David Treble    IT Security Coordinator
E3-640 EITC     University of Manitoba
dtreble () cc umanitoba ca -- 204.474.8340

     Follow @uminfosec on Twitter
Ask me about the Infosec Mailing List!
http://blogs.cc.umanitoba.ca/ist-alerts/
+++++++++++++++++++++++++++++++++++++++