Security Forums

General Security Question

Author: rdwild (Just Arrived, joined 10 Nov 2010)
Posted: Wed Nov 10, 2010 10:58 pm    Post subject: General Security Question

We have an Active Directory environment with roughly 10000 users. We are looking at an externally hosted access request solution that will require us to install a passfilt.dll filter on our domain controllers that will push user names and sync passwords to the vendor's own directory user database (shared with other customers' users). They will use this to authenticate users. Our security officer has approved this configuration. Am I being too paranoid here, or is this something that should just not be allowed to happen?


Thanks,

Barb
Author: Fire Ant (Trusted SF Member, joined 27 Jun 2008, London)
Posted: Thu Nov 11, 2010 11:49 am

Hey Barb,

I had to read your post twice to make sure I read this right.

Let me get this straight: your company is going to be syncing your internal users' accounts (names and passwords) to a 3rd party, in this case your vendor's directory.

Quote:
    Am I being too paranoid here, or is this something that should just not be allowed to happen?

I think you must be the only sane person in your company. You are correct, this should never be allowed to happen!

Do you have to comply with PCI or HIPAA etc.?

From a security standpoint you are allowing a vendor (of all people) access to your usernames and passwords. They now have access to your company. As with most companies, I assume you don't use least privilege? So some people have god-like access to the system.

Your security officer clearly hasn't thought this through. I suggest detailing the risks to your security officer and/or senior management team.

Good luck, I think you need it.

Fire Ant
Author: Dezaxa (Forum Fanatic, joined 22 Mar 2007)
Posted: Fri Nov 12, 2010 3:06 pm

The description of the situation sounds a little strange. The passfilt.dll mechanism is usually employed to enforce password strength rules, not to transfer credentials out to an external system. If you need to allow a third party to authenticate your users, I'm sure there are better ways to do it. I would start by looking at whether you can establish a trust relationship between a subdomain of your AD domain and a subdomain of the third party.

In any case, transferring passwords to a third party is a red flag to anyone with a knowledge of security. At the most you should transfer password hashes.
Author: CoreDefend (Forum Fanatic, joined 25 May 2010, USA)
Posted: Mon Nov 15, 2010 3:56 am
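Since the thread turns on what a password filter actually is, here is an added example (not from the thread or any poster) of the check a defender would run on each domain controller: LSA loads every DLL named in the "Notification Packages" value from System32 and hands each one the clear-text password on every change, so an unexpected or unsigned entry there is exactly what the original post describes. The known-good baseline list is an assumption for this example; compare against a clean DC in your own environment.

```powershell
# Added example: audit the password filter DLLs registered with LSA on this host.
# Run elevated on each domain controller. Anything not in the baseline, not present
# on disk, or not validly signed deserves an explanation before it stays.
function Get-PasswordFilterAudit {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    # Packages that ship with Windows (assumed baseline for this example).
    $knownGood = @('scecli', 'rassfm')

    foreach ($name in $packages) {
        # LSA resolves bare names against %SystemRoot%\System32\<name>.dll
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -Path $dllPath

        $record = [ordered]@{
            Package   = $name
            Path      = $dllPath
            Present   = $exists
            Baseline  = ($knownGood -contains $name)
            SigStatus = $null
            Signer    = $null
            SHA256    = $null
            Flag      = $false
        }

        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $record.SigStatus = $sig.Status
            $record.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            $record.SHA256    = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
        }

        # Flag for review: unknown package, missing file, or signature not Valid.
        $record.Flag = (-not $record.Baseline) -or (-not $exists) -or ($record.SigStatus -ne 'Valid')
        [pscustomobject]$record
    }
}

# Print the audit, flagged entries first.
Get-PasswordFilterAudit | Sort-Object -Property Flag -Descending | Format-Table -AutoSize
```

A third-party filter that forwards credentials will show up here as a non-baseline package; record its hash and signer so the same DLL can be recognised across all DCs.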

Why did your security officer sign off on this?

Passfilt does not synch passwords/hashes with external entities.

How are they asking you to synch this information? A script, scheduled task, direct route, VPN?

Does Senior Management understand the risk this will incur on their company?

To be simple; I would deny this request.