RE: Stupid users and weak policies

  • From: "josephk" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Jul 2004 08:58:52 -0700

Also, just as important, Ctrl+Alt+Del and then Lock Workstation when not
using it. Or, set up a policy to automatically lock the workstation after
10-15 minutes of inactivity, so someone doesn't use your terminal
to send the boss a message.
Joseph
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, July 14, 2004 8:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stupid users and weak policies


http://www.ISAserver.org

Hey guys,

This is why two factor authentication is so important -- so that users
can't say "he told me" or "he looked at my monitor".

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 MVP -- ISA Firewalls



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, July 14, 2004 10:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stupid users and weak policies


http://www.ISAserver.org

While ISA scripting is extremely powerful, it's not the answer here.
Overgeneralizing the question doesn't help, either. There is a distinct
difference between a common password for "group resources" and users
sharing their passwords so that they can circumvent existing policies.
There is NO WAY for ISA to know that multiple "sessions" from multiple
computers represent a security violation. This is defined by the ISA
admin and whatever policies they do or don't have / enforce.

Since "sessions" are seen in two places, the problem is (at least)
two-fold:
- Firewall sessions - this requires a change to ISA core functionality,
since there is no common "thread" between application filters
- Web Proxy sessions - direct web proxy sessions (CERN proxy requests to
the Outgoing Web Requests listener) can compare credentials
with client IP, but this goes to hell when the session comes from the
HTTP Redirector.  Those always come from 127.0.0.1.

Before you try to decide what's "easily coded" for ISA, you have to
define the problem, product capabilities and the focus of the
"answer".  Clearly, what fits in your warehouse is unlikely to work in
Anwar's site.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, July 14, 2004 08:25
Subject: [isalist] RE: Stupid users and weak policies


http://www.ISAserver.org

The best administrators in the world and the best managers still need
tools to help them do their jobs and to enforce policies.

My policy is to deny access to bad sites as best I can instead of
allowing it and then terminating someone for breaking the rules of going
somewhere they shouldn't have but were given the ability to.

Warehouses don't have speed limits for fork lifts and enforce them by
using radar guns, they put speed limiters on the fork lifts that prevent
speeding in the first place.

Windows domain controllers have policies that can prevent users from
logging on to more than one computer at a time by choosing which
machines users can log on to. Building on that, there should be a way to
set ISA to ONLY use machine logged in credentials, instead of trying
them first as it does, and then popping up an authentication screen when
the machine's user account failed to get access to the site.

The bad thing about this possible solution is companies that use thin
clients and terminal services have many users logging in to the same
machine (server) at the same time, so a terminal services client aware
solution would need to be developed.

It can be hard to fire someone for sharing an account/password when they
can claim someone saw them log on, or someone could have used an
external key logger device without their knowledge. And if there is more
than one person working at a time, then it would be hard to prove which
person was the one using the shared/stolen password.

I guess you could make passwords expire every day, but that would be a
nightmare too.

If you put up a "bridge out" sign on the road, but the bridge is still
there, drivers will soon find out and ignore the sign. If you tear down
the bridge, they will turn around and go the other way.

My main point is this:
Windows domains and ISA both know what machine the request is coming
from. They both also know what user credentials are being used. Why
can't something be written to take advantage of what is already known
and control access to resources the way an administrator wishes?

To make Jim happy, maybe it could also automatically email the logged-in
user a notice to change their password and/or an employment termination
warning too. I'm not versed in scripting like Jim, but the best
programming I ever did in the Air Force, using Basic of all things, was
when other computer guys told me it couldn't be done. I bet it can be
accomplished in a script or at least a patch, fix, feature enhancement,
etc.

Jeff


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, July 14, 2004 8:50 AM
To: ISALists
Subject: [isalist] Stupid users and weak policies


http://www.ISAserver.org

This isn't a problem for ISA; it's one for your company (school, hacker
club, etc.) Your management needs to define and enforce a company
security policy that creates new job openings when it's known that users
are sharing passwords.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 14 Jul 2004 11:59:29 +0500
 <a_sidiqi@xxxxxxxxxx> wrote:
http://www.ISAserver.org

Hi Jim
I am Anwar. I posted my query but didn't get any reply. What I need to
know is whether it is possible to limit the session through ISA
to one session only per user. This means that if a person has been
authenticated by ISA Server from one PC, the same person cannot be
authenticated from some other PC at the same time. Actually we have
given internet access to a limited number of staff. But some of the staff have
given away their passwords to those who do not have access to the internet,
and they connect using the authorized user's password. My manager needs
to restrict the staff to a single session only. Please help me out.


Anwar Ahmed Siddiqui
Assistant Systems Officer
Information Technology Department
Pakistan Petroleum Limited
Tel: 111568568, Ext: 569
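Anwar's question (one authenticated session per user) and Jim's point about web proxy sessions (you can compare the credential against the client IP, except for requests relayed through the HTTP Redirector, which all arrive from 127.0.0.1) can be turned into an after-the-fact check against the proxy log. The Python below is an added example, not code from the original thread or from ISA Server; the log lines are constructed for the example and use a minimal W3C-style layout (a `#Fields:` header followed by space-separated records) whose field names are assumptions, not a claim about any particular ISA log template. It flags any account seen from two or more distinct client addresses inside a short window, and counts separately the authenticated records from the loopback address that cannot be tied to a client machine.

```python
"""Flag one account authenticating to a web proxy from more than one client
address inside a short time window.

Constructed example: the log lines below are made up and follow a minimal
W3C-style layout (a '#Fields:' header followed by space-separated records).
The field names are chosen for this example and are not claimed to match any
particular ISA Server log template.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Requests relayed by the HTTP Redirector all appear to come from here, so the
# client IP carries no information about which machine the user sat at.
LOOPBACK = "127.0.0.1"

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username sc-status cs-uri
2004-07-14 08:01:10 10.1.5.21 CORP\\asiddiqui 200 http://www.isaserver.org/
2004-07-14 08:02:44 10.1.5.21 CORP\\asiddiqui 200 http://www.microsoft.com/
2004-07-14 08:03:02 10.1.7.88 CORP\\asiddiqui 200 http://www.example.com/
2004-07-14 08:05:30 10.1.5.40 CORP\\jsloan 200 http://www.isatools.org/
2004-07-14 08:06:00 127.0.0.1 CORP\\jsloan 200 http://www.example.net/
2004-07-14 08:09:15 10.1.5.99 - 407 http://www.example.org/
2004-07-14 09:30:00 10.1.9.12 CORP\\jsloan 200 http://www.example.com/
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(maxsplit=len(fields) - 1)
        if len(values) != len(fields):
            continue  # skip a malformed record rather than crash on it
        yield dict(zip(fields, values))


def find_shared_accounts(text, window=timedelta(minutes=15)):
    """Return ({username: sorted client IPs}, unattributable_count).

    An account is flagged when two records for it from different client IPs
    fall within `window` of each other. Authenticated records from the
    loopback address are counted, not attributed, since they cannot be tied
    to a client machine.
    """
    seen = defaultdict(list)  # user -> [(timestamp, client_ip), ...]
    unattributable = 0
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if user in ("-", "anonymous"):
            continue  # unauthenticated request (e.g. the 407 challenge)
        if rec["c-ip"] == LOOPBACK:
            unattributable += 1
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        seen[user].append((ts, rec["c-ip"]))

    flagged = {}
    for user, events in seen.items():
        events.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip1 != ip2:
                    flagged.setdefault(user, set()).update({ip1, ip2})
    return {u: sorted(ips) for u, ips in flagged.items()}, unattributable


if __name__ == "__main__":
    shared, skipped = find_shared_accounts(SAMPLE_LOG)
    for user, ips in shared.items():
        print(f"{user}: same account from {', '.join(ips)} within 15 minutes")
    print(f"{skipped} authenticated record(s) from {LOOPBACK} could not be attributed")
```

On the constructed input this flags CORP\asiddiqui (10.1.5.21 and 10.1.7.88 two minutes apart) but not CORP\jsloan, whose second address appears 85 minutes later; the jsloan record from 127.0.0.1 is reported as unattributable rather than treated as a second machine. The window is the tuning knob: too short and a user who moves desks is missed, too long and a legitimate move is flagged.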




------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist