Educause Security Discussion mailing list archives

Re: Distributing initial credential


From: Scott Stoops <sstoops () ASHLAND EDU>
Date: Wed, 10 Apr 2019 16:10:35 -0400

We are not taking on a full-blown IAM initiative at this time. At present
we are using a homegrown process. We do have an SSPR (not Microsoft) and
do not use MFA at present. We have moved to a process that creates all user
accounts (student, faculty, staff) with a random password that gets set
during account creation. We keep no record of this password and do not
attempt to communicate this. The username is communicated either through
the admissions process for students or through HR for faculty and staff. We
populate our SSPR with an alternate email address that the person has
access to. They are then required to finish setting up their account by
going to the SSPR and essentially resetting their password using the
alternate email we have on file for them. (They cannot change this email
through the SSPR tool.)

In doing things this way we are not communicating a default password or
anything to indicate what that password might be. Since the password is set
during account creation and not stored, no one, including the folks in IT,
knows what that password is. This also gives us the opportunity to get
people enrolled in the tool properly so that they can use other mechanisms
for resetting passwords in the future.
--------------------------------------------------------------------------------------------------
Scott Stoops, CISSP
Security Analyst II
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu


On Wed, Apr 10, 2019 at 3:10 PM Colin Abbott <colin.abbott () mcgill ca> wrote:

Hello,

We are undertaking an IAM initiative and part of the project is to
replace our current legacy process for provisioning Active Directory
accounts with a more secure process. I have been asked to poll the audience
and see what mechanism other universities are using for distributing the
initial credential, especially if anyone is combining this process with
setting up SSPR (Microsoft self-service password reset) and MFA?

Thanks

Colin Abbott, CISSP, CCSP | IT Security Architect  | McGill University |
Network and Communication Services | 514-398-5070
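
The flow described in the reply above, modelled as an added example that is not part of the thread and is not either university's code: the account is created with a random password that is hashed and discarded, and the user finishes setup through a reset token sent to the alternate address on file. The `Directory` class and its method names are hypothetical; the token lifetime, single-use tokens and PBKDF2 hashing are assumptions, not details from the messages.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a setup link, in seconds

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    """Toy account store (hypothetical): holds salted hashes, never passwords."""
    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "alt_email"}
        self.tokens = {}    # sha256(token) -> (username, expiry)

    def _set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username].update(salt=salt, hash=_kdf(password, salt))

    def provision(self, username, alt_email):
        # alt_email comes from admissions/HR; no SSPR method here changes it.
        self.accounts[username] = {"alt_email": alt_email}
        # Random initial password: hashed and dropped, never returned or logged.
        self._set_password(username, secrets.token_urlsafe(32))

    def request_setup(self, username, now=None):
        """Issue a setup token; the recipient is always the address on file."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[digest] = (username, now + TOKEN_TTL)
        return self.accounts[username]["alt_email"], token

    def complete_setup(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self._set_password(entry[0], new_password)
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], _kdf(password, acct["salt"]))
```

Only the token's SHA-256 digest is kept, so a read of the token table does not yield usable setup links.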