On Wed, 21 Apr 2004, Chuck Vose wrote:
> The break in at Stanford and other high level super-computing schools
> prompted a question about NIS.
IMO, NIS should have been drug out and shot years ago...
>
> When dealing with any kind of networked password database, such as NIS
> or Active Directory, how does one ensure that accounts aren't stolen. It
> seems like when an account is lost, it's lost on every single computer
> on the network instead of just one machine.
This is the risk of single-signon. You have to balance that against the
administrative costs of individual accounts, most of which have the same
password.
Now, with single accounts, many systems will not have all accounts- but
setting up a single signon environment where that's true is generally
"harder" than just letting all accounts in.
> 1. Are network synchronized passwords a bad idea, considering the
> normally lax stance on security that many corporations have?
It really depends- overall cost-wise, single signon saves huge money in
support and work- and for most companies, the attacker pool is relatively
small- it's unfortunate that educational institutions still allow global
access to a large set of their systems *and* those systems use reusable
passwords.
> 2. Aside from running Jack the Ripper regularly on the passwords and
> ensuring that passwords are strong, what are some methods to ensure
> physical and logical security of accounts (ie: yellow stickies are the
> hidden treasure for a disgruntled employee). Any generalized concepts?
That doesn't help. A strong password can be compromised, and is generally
written down- making compromise easy. "Strong" passwords are not the
answer.
> 3. In an Active Directory domain, allowing access to all computers is
> obviously a bad idea, but is this what the majority of admins do?
Yes, and Yes.
> Authenticate with the server, but only allow access to one workstation.
> I've never had to do this on a large scale, is it as time consuming as
> it seems that it might be or are there tools that make this easier?
I'm not sure about the degree of administrative difficulty, hopefully
someone with Windows admin experience can answer that.
> I know that this is 3 disparate topics, would list etiquette suggest
> that I should make 3 topics?
Nah, the moderator would have bounced it if he'd thought it wasn't ok ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul_at_compuwar.net
probertson_at_trusecure.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
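The per-workstation logon restriction raised in question 3 ("authenticate with the server, but only allow access to one workstation") is the "Log On To" setting on an Active Directory account, stored in the userWorkstations attribute. The script below is an added example, not code from this thread or from either poster; it assumes the RSAT ActiveDirectory PowerShell module, rights to modify the accounts, and uses constructed account names, host names and OU path as placeholders. It applies the restriction from a mapping table and then audits which enabled accounts in an OU still have no restriction, which is the part that otherwise makes this time-consuming at scale.

```powershell
# Added example (not from the thread): set and audit per-account workstation
# logon restrictions in Active Directory (the "Log On To" setting in ADUC).
# Assumes the ActiveDirectory module (RSAT) and rights to modify the accounts.
# Account, host and OU names are constructed placeholders.
Import-Module ActiveDirectory

# Constructed mapping: sAMAccountName -> NetBIOS names of permitted hosts.
# The attribute (userWorkstations, exposed by Get-ADUser as LogonWorkstations)
# takes a comma-separated list of NetBIOS computer names, not FQDNs.
$Allowed = @{
    'alice' = 'WS-ALICE'
    'bob'   = 'WS-BOB,WS-LAB01'
}

function Set-WorkstationRestriction {
    # Applies the mapping; pass -WhatIf to see the changes without making them.
    param(
        [Parameter(Mandatory)] [hashtable] $Map,
        [switch] $WhatIf
    )
    foreach ($user in $Map.Keys) {
        $hosts = $Map[$user]
        Set-ADUser -Identity $user -LogonWorkstations $hosts -WhatIf:$WhatIf
        Write-Host "$user -> $hosts"
    }
}

function Get-UnrestrictedUsers {
    # Lists enabled accounts under $SearchBase that can still log on to any
    # domain-joined workstation, i.e. accounts the mapping has not covered.
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName
}

# Dry run first, then apply, then audit what remains unrestricted.
Set-WorkstationRestriction -Map $Allowed -WhatIf
Set-WorkstationRestriction -Map $Allowed
Get-UnrestrictedUsers -SearchBase 'OU=Staff,DC=example,DC=com'
```

The restriction is evaluated by the domain controller at logon, so it applies to interactive and network logons from domain-joined hosts but does nothing for service accounts or for access paths that do not present a workstation name. To remove a restriction later, use `Set-ADUser -Identity <user> -Clear userWorkstations`. The complementary control on the workstation side is the "Allow log on locally" user-rights assignment in Group Policy, which limits who may log on to a given machine rather than where a given account may log on.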
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 22 2004