Re: A question about how to validate a user's request to change a password or unlock their account

From: Mark Robinson (markr@hiwaay.net)
Date: 08/08/01


Date: Tue, 07 Aug 2001 21:09:14 -0500
From: Mark Robinson <markr@hiwaay.net>
To: "SECURITY-BASICS (E-mail)" <SECURITY-BASICS@securityfocus.com>
Subject: Re: A question about how to validate a user's request to change a password or unlock their account
Message-Id: <20010807203642.09F0.MARKR@hiwaay.net>

On Fri, 3 Aug 2001 06:32:02 -0400
"VanMeter, John" <John.VanMeter@ost.dot.gov> wrote:

> I would like to ask what everyone thinks about how to validate a user's
> request to change his password. Currently a user calls the helpdesk, gives
> his username and the helpdesk staff will change the password or unlock an
> account. I'm looking for some way to validate the user's identity without
> putting undue pressure on anyone.
>
> At work we've talked about requiring the user to come down/up to the
> helpdesk, show a photo id then the account could be unlocked or the password
> changed.

We require either the Helpdesk go to the user's desk and visually
verify the user by his badge or have the user come down to the
Helpdesk for visual verification. The Helpdesk then notifies the
Network Operations Center to reset or change the user's password.

If the user is a remote user, he must contact his departmental
security officer, who then must provide written verification to the
IM security officer that the person is who he states he is, and then
the IM security officer provides written approval to the Network
Operations Center to change the password. If it only requires
unlocking, we may do this once, but if it continues, then we will
require the verification procedure.

>
> We've also talked about using a call-back system: the user would call and
> leave their name with the helpdesk staff, then one of the helpdesk techs
> would look up that person's phone number and call them back, then the account
> could be unlocked or the password changed.

If the user is away from their desk, someone from the inside, maybe a
visitor (hopefully not; you do require visitor escorts?), can call as
the user, from his phone, and then you will just call him back on the
same phone.

>
> Or we talked about using a code word: the user would call and supply a code
> word, the helpdesk tech would look up the word in a database, and if the
> correct word was supplied the account could be unlocked or the password
> changed.

Where would the user keep the code? Written down, just like he probably
does his password. This is used less often than his password and is much
more likely to be forgotten.

Are you going to keep a code word for every user and immediately change
it after it has been used (someone may have overheard)? If so, how
will you provide the user with the new one?

>
> What does everyone think?
>
> Thank You, Take Care and have fun
> John van Meter
> Win2K System Administrator

We have had a few complaints, but after explaining the reasoning
behind it, most of them have agreed the method is needed.

Mark Robinson
<markr@hiwaay.net>
