Educause Security Discussion mailing list archives
Re: Two-Factor Authentication: Quick Poll
From: Ahsan Mir <asmir () DONS USFCA EDU>
Date: Thu, 1 Mar 2012 00:41:24 -0800
I usually do not comment since I do not work for an EDU anymore. However I been involved in a number of 2FA initiatives and might be able to provide some information which might be useful. Passwords are pretty much useless, with most users edu users browsing the web as atleast local admin, it is just a matter of time that your admin credentials will be compromised, if they already are not out there. Most organizations do not have the ability to identify active intrusions and therefore Sent from my iPhone On Feb 28, 2012, at 6:34 AM, Gary Flynn <flynngn () JMU EDU> wrote:
We ran into this limitation in our evaluations too. RDP would honor the policy requiring 2-factor but not SMB/RPC oriented sessions like remote scripting which is what we were trying to protect to prevent automated and instant domain wide compromise from a worm or compromised administrator account. So SSH/RDP interactive terminal sessions are protected but not utility sessions. I wonder if 2-factor is equally ineffective with linux services like NFS and rsh (and do I dare compare those with SMB and remote scripting). Joel Rosenblatt wrote:The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password and they can access your server without every having to enter in the pin from the token Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it didn't make any sense to force them to type in the pin when what we were really trying to stop was network breakins. They are effective for protecting Macs Joel --On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman <ingerman () vassar edu> wrote:What about using a hardware token for windows servers? We use them for local admin access on our Widows and Mac computers. --Bret Sent from my iPad On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:We do, but only for Unix admins - it turns out that it is provides no extra security for Windows ... you can log into a windows system from the network without the second factor, so unless your worried about the bad guys coming onto campus and sitting in front of your servers to log in, you are using "Security Theater" to protect your windows systems. It (second factor) is effective if you have another choke point (like a database login) that uses the second factor, and it is effective to prevent unauthorized logins to Unix/Linux systems. My 2 cents, Joel --On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote:Hi All, Quick Poll Please: 1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)? 2 Do you think you should? Thanks! [cid:image001.gif@01CCF527.C41F7F70] :: Daniel Sarazen, CISSP, CISA :: Senior Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 774-455-7558 :: 781-724-3377 Cell :: 774-455-7550 Fax :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu<http://www.massachusetts.edu/> Confidentiality Note: This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.Joel Rosenblatt, Director, Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3Joel Rosenblatt, Director, Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3-- Gary Flynn Security Engineer James Madison University
Current thread:
- Re: Two-Factor Authentication: Quick Poll, (continued)
- Re: Two-Factor Authentication: Quick Poll Joel Rosenblatt (Feb 27)
- Re: Two-Factor Authentication: Quick Poll Bret Ingerman (Feb 27)
- Re: Two-Factor Authentication: Quick Poll Joel Rosenblatt (Feb 27)
- Re: Two-Factor Authentication: Quick Poll Bret Ingerman (Feb 27)
- Re: Two-Factor Authentication: Quick Poll Gary Flynn (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Sarazen, Daniel (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Joel Rosenblatt (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Gary Flynn (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Joel Rosenblatt (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Chris Green (Feb 29)
- Re: Two-Factor Authentication: Quick Poll Ahsan Mir (Mar 01)
- Re: Two-Factor Authentication: Quick Poll Bret Ingerman (Feb 27)
- Message not available
- Re: Two-Factor Authentication: Quick Poll Dexter Caldwell (Feb 28)
- Re: Two-Factor Authentication: Quick Poll Joel Rosenblatt (Feb 27)