RE: Stupid users and weak policies

  • From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
  • To: "ISALists" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Jul 2004 10:25:41 -0500

The best administrators in the world and the best managers still need
tools to help them do their jobs and to enforce policies.

My policy is to deny access to bad sites as best I can instead of
allowing it and then terminating someone for breaking the rules by going
somewhere they shouldn't have but were given the ability to.

Warehouses don't have speed limits for forklifts and enforce them by
using radar guns; they put speed limiters on the forklifts that prevent
speeding in the first place.

Windows domain controllers have policies that can prevent users from
logging on to more than one computer at a time by choosing which
machines users can log on to.
Building on that, there should be a way to set ISA to ONLY use the
machine's logged-in credentials, instead of trying them first as it does
and then popping up an authentication screen when the machine's user
account failed to get access to the site.

The bad thing about this possible solution is that companies that use
thin clients and Terminal Services have many users logging in to the same
machine (server) at the same time, so a Terminal Services client-aware
solution would need to be developed.

It can be hard to fire someone for sharing an account/password when they
can claim someone saw them log on, or someone could have used an
external key logger device without their knowledge. And if there is more
than one person working at a time, then it would be hard to prove which
person was the one using the shared/stolen password.

I guess you could make passwords expire every day, but that would be a
nightmare too.

If you put up a "bridge out" sign on the road, but the bridge is still
there, drivers will soon find out and ignore the sign.
If you tear down the bridge, they will turn around and go the other way.

My main point is this:
Windows domains and ISA both know what machine the request is coming
from.
They both also know what user credentials are being used.
Why can't something be written to take advantage of what is already
known and control access to resources the way an administrator wishes?

To make Jim happy, maybe it could also automatically email the logged-in
user a notice to change their password and/or an employment termination
warning too.
I'm not versed in scripting like Jim, but the best programming I ever
did in the Air Force, using BASIC of all things, was when other computer
guys told me it couldn't be done. I bet it can be accomplished in a
script or at least a patch, fix, feature enhancement, etc.

Jeff


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, July 14, 2004 8:50 AM
To: ISALists
Subject: [isalist] Stupid users and weak policies


http://www.ISAserver.org

This isn't a problem for ISA; it's one for your company (school, hacker
club, etc.). Your management needs to define and enforce a company
security policy that creates new job openings when it's known that users
are sharing passwords.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 14 Jul 2004 11:59:29 +0500
 <a_sidiqi@xxxxxxxxxx> wrote:
Hi Jim
I am Anwar. I posted my query but didn't get any reply. What I need to
know is this: is it possible to limit the session through ISA to one
session only per user? Meaning that if a person has been authenticated
by ISA Server from one PC, the same user cannot be authenticated from
some other PC at the same time. Actually, we have given internet access
to a limited number of staff. But some of the staff have given away
their passwords to those who do not have access to the internet, and
they connect using the authorized users' passwords.
My manager needs to restrict the staff to a single session only. Please
help me out.


Anwar Ahmed Siddiqui
Assistant Systems Officer
Information Technology Department
Pakistan Petroleum Limited
Tel: 111568568, Ext: 569
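The detection half of what Jeff asks for above (the proxy already knows the client machine and the account on every request) and the symptom Anwar describes (one account used from two PCs at the same time) can be checked offline against the proxy log. The script below is an added example written for this page; it is not ISA Server code and does not use any ISA API. It assumes a W3C-style log with `date`, `time`, `c-ip` and `cs-username` fields (the sample lines are constructed, and the real field set and order come from the `#Fields:` header of your own log files, which the parser reads rather than hard-coding). It raises an alert when the same account is seen from a second client address within a configurable window, so a user who legitimately moves to another PC an hour later is not flagged, while two people using the account at once are.

```python
"""Flag one account seen from more than one client address within a
short window, the footprint of a shared password on a proxy log.
Added example for this thread; not ISA Server code.  Field names are
assumed to follow a W3C-style '#Fields:' header (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, W3C-style: the '#Fields:' line names the
# columns, one request per line, 'anonymous' for unauthenticated hits.
SAMPLE_LOG = """\
#Software: sample proxy log (constructed for this example)
#Fields: date time c-ip cs-username r-host
2004-07-14 10:01:02 10.0.0.15 CORP\\asiddiqui www.isaserver.org
2004-07-14 10:01:30 10.0.0.15 CORP\\asiddiqui www.microsoft.com
2004-07-14 10:02:10 10.0.0.42 CORP\\asiddiqui news.example.com
2004-07-14 10:03:00 10.0.0.20 CORP\\jsloan www.isaserver.org
2004-07-14 10:05:00 10.0.0.15 anonymous www.example.com
2004-07-14 11:30:00 10.0.0.77 CORP\\jsloan www.example.com
"""

UNAUTHENTICATED = {"anonymous", "-", ""}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most
    recent '#Fields:' directive, with a parsed 'ts' datetime added.
    Lines whose column count does not match the header are skipped."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_shared_accounts(text, window=timedelta(minutes=10)):
    """Return a list of (user, earlier_ip, new_ip, timestamp) alerts.

    An alert fires when a request for `user` arrives from `new_ip` while
    the same account was seen from a different `earlier_ip` no more than
    `window` ago.  The window is what separates a shared password (two
    PCs active at once) from one person walking to another PC later."""
    last_seen = defaultdict(dict)  # user -> {client ip: last timestamp}
    alerts = []
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if user in UNAUTHENTICATED:
            continue
        ip = rec["c-ip"]
        for other_ip, ts in last_seen[user].items():
            if other_ip != ip and rec["ts"] - ts <= window:
                alerts.append((user, other_ip, ip, rec["ts"]))
        last_seen[user][ip] = rec["ts"]
    return alerts


def shared_users(text, window=timedelta(minutes=10)):
    """Just the set of account names that tripped an alert."""
    return {a[0] for a in find_shared_accounts(text, window)}


if __name__ == "__main__":
    for user, old_ip, new_ip, ts in find_shared_accounts(SAMPLE_LOG):
        print(f"{ts} {user}: active from {old_ip}, now also from {new_ip}")
```

Run against the constructed sample it reports only CORP\asiddiqui, seen from 10.0.0.15 and then from 10.0.0.42 forty seconds later; CORP\jsloan's second address comes 87 minutes after the first and stays under the window, so it is not reported. Jim's point still stands: the script identifies the account, not the person, so it feeds the policy conversation rather than replacing it, and with Terminal Services in the mix several users share one `c-ip`, which this check cannot separate.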
