Re: Two-Factor Authentication: Quick Poll

[Ahsan Mir <asmir () DONS USFCA EDU>]

I usually do not comment since I do not work for an EDU anymore. However I been involved in a number of 2FA initiatives 
and might be able to provide some information which might be useful.

Passwords are pretty much useless, with most users edu users browsing the web as atleast local admin, it is just a 
matter of time that your admin credentials will be compromised, if they already are not out there. Most organizations 
do not have the ability to identify active intrusions and therefore  


Sent from my iPhone

On Feb 28, 2012, at 6:34 AM, Gary Flynn <flynngn () JMU EDU> wrote:

> We ran into this limitation in our evaluations too. RDP would honor the policy requiring
> 2-factor but not SMB/RPC oriented sessions like remote scripting which is
> what we were trying to protect to prevent automated and instant domain wide compromise
> from a worm or compromised administrator account.
>
> So SSH/RDP interactive terminal sessions are protected but not utility sessions.
> I wonder if 2-factor is equally ineffective with linux services like NFS and
> rsh (and do I dare compare those with SMB and remote scripting).
>
>
>
>
>
> Joel Rosenblatt wrote:
> > The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password 
> > and they can access your server without every having to enter in the pin from the token
> >
> > Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it 
> > didn't make any sense to force them to type in the pin when what we were really trying to stop was network breakins.
> >
> > They are effective for protecting Macs
> >
> > Joel
> >
> > --On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman <ingerman () vassar edu> wrote:
> >
> > > What about using a hardware token for windows servers?  We use them for local admin access on our Widows and Mac 
> > > computers.
> > >
> > >  --Bret
> > >
> > > Sent from my iPad
> > >
> > > On Feb 27, 2012, at 7:22 PM, Joel Rosenblatt <joel () COLUMBIA EDU> wrote:
> > >
> > > > We do, but only for Unix admins - it turns out that it is provides no extra security for Windows ... you can log 
> > > > into a windows system from the network
> > > > without the second factor, so unless your worried about the bad guys coming onto campus and sitting in front of 
> > > > your servers to log in, you are using
> > > > "Security Theater" to protect your windows systems.
> > > >
> > > > It (second factor) is effective if you have another choke point (like a database login) that uses the second 
> > > > factor, and it is effective to prevent
> > > > unauthorized logins to Unix/Linux systems.
> > > >
> > > > My 2 cents,
> > > > Joel
> > > >
> > > > --On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" <dsarazen () UMASSP EDU> wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > Quick Poll Please:
> > > > >
> > > > >
> > > > > 1         Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users 
> > > > > (e.g., system administrators logging in
> > > > > remotely)?
> > > > >
> > > > > 2         Do you think you should?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > [cid:image001.gif@01CCF527.C41F7F70]
> > > > >
> > > > > :: Daniel Sarazen, CISSP, CISA
> > > > > :: Senior Information Technology Auditor
> > > > > :: University Internal Audit
> > > > > :: University of Massachusetts President's Office
> > > > >
> > > > > :: 774-455-7558
> > > > > :: 781-724-3377 Cell
> > > > > :: 774-455-7550 Fax
> > > > > :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>
> > > > >
> > > > > University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : 
> > > > > www.massachusetts.edu<http://www.massachusetts.edu/>
> > > > >
> > > > >
> > > > > Confidentiality Note:  This email is intended for the exclusive use of the addressee(s) and may contain 
> > > > > proprietary, confidential or privileged information.
> > > > > If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.
> > > >
> > > >
> > > >
> > > > Joel Rosenblatt, Director, Network & Computer Security
> > > > Columbia Information Security Office (CISO)
> > > > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > > > http://www.columbia.edu/~joel
> > > > Public PGP key
> > > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> >
> >
> >
> > Joel Rosenblatt, Director, Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> > Public PGP key
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> -- 
> Gary Flynn
> Security Engineer
> James Madison University