Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Two-Factor Authentication: Quick Poll

From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 28 Feb 2012 09:34:36 -0500
We ran into this limitation in our evaluations too. RDP would honor the policy requiring 
2-factor but not SMB/RPC oriented sessions like remote scripting which is
what we were trying to protect to prevent automated and instant domain wide compromise 
from a worm or compromised administrator account.
So SSH/RDP interactive terminal sessions are protected but not utility sessions. 
I wonder if 2-factor is equally ineffective with linux services like NFS and
rsh (and do I dare compare those with SMB and remote scripting).





Joel Rosenblatt wrote:
The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password and they can access your server without every having to enter in the pin from the token
Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it didn't make any sense to force them to type in the pin when what we were really trying to stop was network breakins. 

They are effective for protecting Macs

Joel
--On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman <ingerman () vassar edu> wrote:
What about using a hardware token for windows servers? We use them for local admin access on our Widows and Mac computers. 

  --Bret

Sent from my iPad

On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:
We do, but only for Unix admins - it turns out that it is provides no extra security for Windows ... you can log into a windows system from the network without the second factor, so unless your worried about the bad guys coming onto campus and sitting in front of your servers to log in, you are using 
"Security Theater" to protect your windows systems.
It (second factor) is effective if you have another choke point (like a database login) that uses the second factor, and it is effective to prevent 
unauthorized logins to Unix/Linux systems.

My 2 cents,
Joel
--On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote: 


Hi All,

Quick Poll Please:
1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in 
remotely)?

2         Do you think you should?

Thanks!

[cid:image001.gif@01CCF527.C41F7F70]

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu<http://www.massachusetts.edu/>
Confidentiality Note: This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited. 





Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3






Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3



--
Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: