Re: Application passwords

From: jklemenc@fnal.gov
Date: 07/26/02


To: Marcus James <marcus01@post.com>
From: jklemenc@fnal.gov
Date: Fri, 26 Jul 2002 09:04:03 -0500


If your workstations are all W2K, and are joined to a W2K domain, you can
use native Kerberos authentication from workstation->server for the initial
TCP connection. If they are not in the domain, you could use either
shared-key or PKI. You would set this up by configuring the Windows 2000 IP
Security Filters. You would need the appropriate ACLs defined on the
server(s) which define the source/destination/protocol/port and the
authentication method (optionally, encrypt). On the workstations, if you
are using the native Kerberos, you need to activate the 'Client Respond' IP
Security filters. All of these are easily edited via the Group Policy
editor MMC snap-in (gpedit.msc).
See http://online.securityfocus.com/infocus/1559 and
http://online.securityfocus.com/infocus/1566 for more info on setting this
up.

Joe
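As an added illustration (not code from the thread), the same split that Joe describes, a server-side rule that requires Kerberos machine authentication on the application port and a client-side "respond/request" rule, expressed with the NetSecurity cmdlets of Windows 8 / Server 2012 and later rather than the W2K MMC snap-in; the subnet, server address, port and rule names are assumptions.

```powershell
# Added example: modern equivalent of the W2K IPSec policy described in the
# reply. Run Set-AppServerIPsec on the server and Set-AppClientIPsec on the
# workstations; in a domain you would point -PolicyStore at a GPO instead of
# the local PersistentStore, which is the gpedit.msc analogue.

function New-AppKerberosAuthSet {
    # Phase 1: Kerberos machine authentication only, so only domain-joined
    # computers can negotiate an SA. Non-domain hosts would need a -Cert or
    # -PreSharedKey proposal here instead, as the reply notes.
    $kerb = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName 'App-Kerberos-Machine' -Proposal $kerb
}

function Set-AppServerIPsec {
    param(
        [int]    $AppPort           = 443,             # assumed HTTPS port of the app
        [string] $WorkstationSubnet = '10.0.10.0/24',  # assumed client subnet
        [string] $PolicyStore       = 'PersistentStore'
    )
    $auth = New-AppKerberosAuthSet
    # The "ACL" from the reply: source/destination/protocol/port plus the
    # authentication method. Inbound to the app port MUST be authenticated.
    # Encryption is optional and would be chosen via -QuickModeCryptoSet.
    New-NetIPsecRule -DisplayName 'App-Server-RequireAuth' -PolicyStore $PolicyStore `
        -Mode Transport -Protocol TCP -LocalPort $AppPort -RemoteAddress $WorkstationSubnet `
        -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $auth.Name
}

function Set-AppClientIPsec {
    param(
        [int]    $AppPort          = 443,
        [string] $AppServerAddress = '10.0.20.5',      # assumed server address
        [string] $PolicyStore      = 'PersistentStore'
    )
    $auth = New-AppKerberosAuthSet
    # Closest analogue of the W2K 'Client (Respond Only)' policy: request,
    # but do not require, protection for traffic to the application server.
    New-NetIPsecRule -DisplayName 'App-Client-RequestAuth' -PolicyStore $PolicyStore `
        -Mode Transport -Protocol TCP -RemotePort $AppPort -RemoteAddress $AppServerAddress `
        -InboundSecurity Request -OutboundSecurity Request -Phase1AuthSet $auth.Name
}

function Test-AppIPsecInEffect {
    # Check after a client opens a connection: a main-mode SA whose first
    # authentication method is Kerberos shows the policy is actually applied.
    Get-NetIPsecMainModeSA |
        Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, RemoteFirstId
}
```

Running Test-AppIPsecInEffect on the server while a workstation is connected is the quickest way to confirm the connection was not silently allowed in the clear.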

Marcus James <marcus01@post.com>
To: security-basics@securityfocus.com
cc:
Subject: Application passwords
07/24/2002 11:31 AM

Hi,

I'm in need of some creative ideas. We are rolling out an application to a
select number of users in an organisation (50-70 users). Those users would
be able to access sensitive and company confidential information such as
financial data as well as (personal) customer information. Their
functionality will be controlled via the use of roles. The application will
be accessed via a browser.

The problem is that they do not want to implement password controls for the
application, i.e. once the user is logged onto the W2K network they would
not need to log in to use the application. The reason they are doing this
is for ease-of-use and they do not want to bother with password ageing,
account lockout etc. for the application.

They believe that as long as the network logon controls (and processes) are
robust they do not need to implement application password controls. While
the network logon does have and enforce password controls, i.e. password
expiry, password history, length, lockout etc. the processes are a bit
dodgy.

While I understand the need for ease of use, and the impracticality of
maintaining and remembering many passwords I find this potentially a huge
security exposure.

How do I convince them that they need to implement password controls for
this application and not only network logon controls?

Alternatively what would need to be in place to ensure that application
password controls are not needed?

Perhaps someone can share some of their experiences with me.

Thanks...
