Educause Security Discussion mailing list archives
Re: Two-Factor Authentication: Quick Poll
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 28 Feb 2012 09:34:36 -0500
We ran into this limitation in our evaluations too. RDP would honor the policy requiring 2-factor but not SMB/RPC oriented sessions like remote scripting which is what we were trying to protect to prevent automated and instant domain wide compromise from a worm or compromised administrator account.

So SSH/RDP interactive terminal sessions are protected but not utility sessions.

I wonder if 2-factor is equally ineffective with linux services like NFS and rsh (and do I dare compare those with SMB and remote scripting).

Joel Rosenblatt wrote:
The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password and they can access your server without ever having to enter in the pin from the token.

Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it didn't make any sense to force them to type in the pin when what we were really trying to stop was network breakins.

They are effective for protecting Macs

Joel

--On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman <ingerman () vassar edu> wrote:

What about using a hardware token for windows servers? We use them for local admin access on our Windows and Mac computers.

--Bret

Sent from my iPad

On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:

We do, but only for Unix admins - it turns out that it provides no extra security for Windows ... you can log into a windows system from the network without the second factor, so unless you're worried about the bad guys coming onto campus and sitting in front of your servers to log in, you are using "Security Theater" to protect your windows systems.

It (second factor) is effective if you have another choke point (like a database login) that uses the second factor, and it is effective to prevent unauthorized logins to Unix/Linux systems.

My 2 cents,

Joel

--On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote:

Hi All,

Quick Poll Please:

1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?
2 Do you think you should?

Thanks!

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

Confidentiality Note: This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.

Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

--
Gary Flynn
Security Engineer
James Madison University
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
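
Added example, not part of the original posts: one way to measure the gap described in this thread is to list privileged-account logons that arrived over a path the token policy did not cover. It assumes logon records exported from Windows Security event 4624 into a CSV with hypothetical column names, a hypothetical admin account list, and constructed sample rows.

```python
import csv
import io
from collections import defaultdict

# Logon type values recorded in Windows Security event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Assumption taken from the thread: the second factor was honored on console
# and RDP logons, but not on network (SMB/RPC) logons.
SECOND_FACTOR_ENFORCED = {2, 10}

# Hypothetical privileged accounts to audit.
ADMINS = {"adm-alice", "adm-bob"}

# Constructed sample export: time, account, logon type, source address.
SAMPLE = """\
time,account,logon_type,source
2012-02-28T09:01:10,adm-alice,10,192.0.2.15
2012-02-28T09:03:42,adm-alice,3,192.0.2.15
2012-02-28T09:04:05,jsmith,3,192.0.2.77
2012-02-28T09:07:19,ADM-BOB,3,198.51.100.23
2012-02-28T09:09:55,adm-bob,2,-
"""


def ungated_admin_logons(csv_text, admins):
    """Return {account: [(time, logon type name, source), ...]} for logons by
    privileged accounts that used a path with no second-factor check."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"].strip().lower()  # account names are case-insensitive
        logon_type = int(row["logon_type"])
        if account in admins and logon_type not in SECOND_FACTOR_ENFORCED:
            name = LOGON_TYPES.get(logon_type, f"type {logon_type}")
            findings[account].append((row["time"], name, row["source"]))
    return dict(findings)


if __name__ == "__main__":
    for account, hits in sorted(ungated_admin_logons(SAMPLE, ADMINS).items()):
        for when, kind, source in hits:
            print(f"{account}: {kind} logon from {source} at {when} (password only)")
```
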