Re: [fw-wiz] Stanford break in

From: Darren Reed (darrenr_at_reed.wattle.id.au)
Date: 04/22/04

    To: Chuck Vose <vosechu@roman-fleuve.com>
    Date: Fri, 23 Apr 2004 00:54:43 +1000 (EST)
    
    

    In some email I received from Chuck Vose, sie wrote:
    > The break in at Stanford and other high level super-computing schools
    > prompted a question about NIS.
    >
    > When dealing with any kind of networked password database, such as NIS
    > or Active Directory, how does one ensure that accounts aren't stolen. It
    > seems like when an account is lost, it's lost on every single computer
    > on the network instead of just one machine.
    >
    > 1. Are network synchronized passwords a bad idea, considering the
    > normally lax stance on security that many corporations have?
    >
    > 2. Aside from running Jack the Ripper regularly on the passwords and
    > ensuring that passwords are strong, what are some methods to ensure
    > physical and logical security of accounts (ie: yellow stickies are the
    > hidden treasure for a disgruntled employee). Any generalized concepts?

    The problem is just NIS.

    Your best bet is to deploy a Kerberos solution (works with AD) where
    the encrypted keys generally aren't available to anyone but system
    administrators. Kerberos key changing is centralised so it is trivial
    to set password requirements.

    Darren