Full Disclosure mailing list archives

Re: Re: SecurID with Active Directory ?


From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Tue, 10 Jan 2006 23:17:34 -0800

[If, for instance, you really need to completely eliminate access via passwords, you could use some programmatic method (i.e., Visual Basic) to set your users' Windows passwords to very long, random passwords that never expire. The password change would be captured on the DC and sent to the ACE/Server. The long, random passwords would then be provided with each authentication (and recovered when offline), but the

I believe you mean a custom VB login.exe at every user station?

users will never know their Windows password.

Unless of course they take the time to look in the custom VB login.exe application, where the user/pass is stored in clear text. This would also be a point of attack if the exe were ever to escape outside infrastructure controls. (I bring this up as this exact vector was used successfully in a pentest: the exe asked for a user/pass, the application then allowed access to the FTP server, and its credentials were stored cleartext in the exe. The developer believed he could hide the actual FTP process from the end user, so they did not need to set up user accounts on the FTP server, and used the exe to validate against an ASP server, thus allowing the application to validate and run.)

Although not quite the scenario you describe, I believe the implications would be the same. Of course, I could be completely off base.

MW
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
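The weakness MW describes, a login exe that carries its own cleartext credentials, is something a build pipeline can catch before the binary ever leaves the organisation. The Python below is an added example, not code from the post or from anyone in the thread: it runs a strings-style extraction (ANSI and UTF-16LE runs, the two ways a VB6 binary stores literals) over a constructed byte blob that stands in for the exe, and flags any string that looks like an embedded credential. Every value in the sample blob is made up.

```python
import re

# Constructed stand-in for a compiled login exe: header bytes, filler, and
# string literals stored as ANSI and as UTF-16LE. Not a real PE file.
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 8
    + b"ftp://ftpsvc:Summer2006@ftp.example.internal/\x00"   # made-up credential
    + b"\xde\xad\xbe\xef" * 4
    + "https://auth.example.internal/validate.asp".encode("utf-16-le") + b"\x00\x00"
    + b"\x12\x34\x56"
    + "pwd=Tr0ub4dor&3".encode("utf-16-le") + b"\x00\x00"  # made-up credential
    + b"Connecting...\x00"
)

MIN_LEN = 6  # shortest run worth reporting, as the 'strings' utility does

def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Yield printable ASCII runs, then printable UTF-16LE runs, from raw bytes."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.group().decode("ascii")
    for m in wide_run.finditer(blob):
        yield m.group().decode("utf-16-le")

# Shapes a reviewer does not want to see baked into a shipped artifact:
# user:pass@ inside a URL, and password-style key=value assignments.
CREDENTIAL_PATTERNS = [
    ("url-embedded credential",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("password assignment",
     re.compile(r"\b(pass(word)?|pwd|secret)\s*[=:]\s*\S+", re.I)),
]

def find_embedded_credentials(blob: bytes):
    """Return (category, string) pairs for every extracted string that matches a pattern."""
    hits = []
    for s in extract_strings(blob):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(s):
                hits.append((label, s))
                break  # one label per string is enough for a build gate
    return hits

if __name__ == "__main__":
    for label, s in find_embedded_credentials(SAMPLE_EXE):
        print(f"{label}: {s}")
```

Plain URLs and status messages pass through untouched; only the two planted credentials are reported, which is the signal a pre-release check would fail the build on.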