Re: Stanford break in

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Chuck Vose, sie wrote:
> The break in at Stanford and other high level super-computing schools
> prompted a question about NIS. 
>
> When dealing with any kind of networked password database, such as NIS
> or Active Directory, how does one ensure that accounts aren't stolen. It
> seems like when an account is lost, it's lost on every single computer
> on the network instead of just one machine. 
>
> 1. Are network synchronized passwords a bad idea, considering the
> normally lax stance on security that many corporations have?
>
> 2. Aside from running Jack the Ripper regularly on the passwords and
> ensuring that passwords are strong, what are some methods to ensure
> physical and logical security of accounts (ie: yellow stickies are the
> hidden treasure for a disgruntled employee). Any generalized concepts?

The problem is just NIS.

Your best bet is to deploy a kerberos solution (works with AD) where
the encrypted keys generally aren't available to anyone but system
administrators.  Kerberos key changing is centralised so it is trivial
to set password requirements.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards