Re: Two-Factor Authentication: Quick Poll

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Take a look at GULP

<http://www.educause.edu/Resources/GULPDoYouKnowWhoYourUsersAreRe/203113>

We use it where it works (su command prompts for RSA token pin) and don't use it where it doesn't work

Joel

--On Tuesday, February 28, 2012 9:37 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote:

> Thanks for the feedback. If you don't use two-factor, what do you do?
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
> Flynn
> Sent: Tuesday, February 28, 2012 9:35 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Two-Factor Authentication: Quick Poll
>
> We ran into this limitation in our evaluations too. RDP would honor the
> policy requiring
> 2-factor but not SMB/RPC oriented sessions like remote scripting which is
> what we were trying to protect to prevent automated and instant domain
> wide compromise
> from a worm or compromised administrator account.
>
> So SSH/RDP interactive terminal sessions are protected but not utility
> sessions.
> I wonder if 2-factor is equally ineffective with linux services like NFS and
> rsh (and do I dare compare those with SMB and remote scripting).
>
>
>
>
>
> Joel Rosenblatt wrote:
> > The problem is that if the bad guys can get network access to your
> > server, all they need is a valid ID and Password and they can access
> > your server without every having to enter in the pin from the token
> >
> > Once we verified that this was the case, we stopped using our RSA
> > tokens for the windows administrators ... it didn't make any sense to
> > force them to type in the pin when what we were really trying to stop
> > was network breakins.
> >
> > They are effective for protecting Macs
> >
> > Joel
> >
> > --On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman
> > <ingerman () vassar edu> wrote:
> >
> > > What about using a hardware token for windows servers?  We use them
> > > for local admin access on our Widows and Mac computers.
> > >
> > >   --Bret
> > >
> > > Sent from my iPad
> > >
> > > On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:
> > >
> > > > We do, but only for Unix admins - it turns out that it is provides
> > > > no extra security for Windows ... you can log into a windows system
> > > > from the network
> > > > without the second factor, so unless your worried about the bad guys
> > > > coming onto campus and sitting in front of your servers to log in,
> > > > you are using
> > > > "Security Theater" to protect your windows systems.
> > > >
> > > > It (second factor) is effective if you have another choke point
> > > > (like a database login) that uses the second factor, and it is
> > > > effective to prevent
> > > > unauthorized logins to Unix/Linux systems.
> > > >
> > > > My 2 cents,
> > > > Joel
> > > >
> > > > --On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel"
> > > > <dsarazen () UMASSP EDU> wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > Quick Poll Please:
> > > > >
> > > > >
> > > > > 1         Is your campus using, or does it plan to use, Two-Factor
> > > > > authentication for its most privileged users (e.g., system
> > > > > administrators logging in
> > > > > remotely)?
> > > > >
> > > > > 2         Do you think you should?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > [cid:image001.gif@01CCF527.C41F7F70]
> > > > >
> > > > > :: Daniel Sarazen, CISSP, CISA
> > > > > :: Senior Information Technology Auditor
> > > > > :: University Internal Audit
> > > > > :: University of Massachusetts President's Office
> > > > >
> > > > > :: 774-455-7558
> > > > > :: 781-724-3377 Cell
> > > > > :: 774-455-7550 Fax
> > > > > :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>
> > > > >
> > > > > University of Massachusetts : 333 South St. : Suite 450 :
> > > > > Shrewsbury, MA 01545 :
> > > > > www.massachusetts.edu<http://www.massachusetts.edu/>
> > > > >
> > > > >
> > > > > Confidentiality Note:  This email is intended for the exclusive use
> > > > > of the addressee(s) and may contain proprietary, confidential or
> > > > > privileged information.
> > > > > If you are not the intended recipient(s), any dissemination, use,
> > > > > distribution or copying is strictly prohibited.
> > > >
> > > >
> > > >
> > > > Joel Rosenblatt, Director, Network & Computer Security
> > > > Columbia Information Security Office (CISO)
> > > > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > > > http://www.columbia.edu/~joel
> > > > Public PGP key
> > > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> >
> >
> >
> > Joel Rosenblatt, Director, Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> > Public PGP key
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> --
> Gary Flynn
> Security Engineer
> James Madison University



Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3