Posted: Wed Nov 10, 2010 10:58 pm Post subject: General Security Question
We have an Active Directory environment with roughly 10000 users. We are looking at an externally hosted access request solution that will require us to install a passfilt.dll filter on our domain controllers that will push user names and sync passwords to the vendor's own directory user database (shared with other customers' users). They will use this to authenticate users. Our security officer has approved this configuration. Am I being too paranoid here, or is this something that should just not be allowed to happen?
I had to read your post twice to make sure I read this right.
Let me get this straight: your company is going to be syncing your internal users' accounts (names and passwords) to a 3rd party, in this case your vendor's directory.
Am I being too paranoid here, or is this something that should just not be allowed to happen?
I think you must be the only sane person in your company. You are correct, this should never be allowed to happen!
Do you have to comply with PCI or HIPAA etc.?
From a security standpoint you are allowing a vendor (of all people) access to your usernames and passwords. They now have access to your company. As with most companies I assume you don't use least privilege? So some people have godlike access to the system.
Your security officer clearly hasn't thought this through. I suggest detailing the risks to your security officer and/or senior management team.
The description of the situation sounds a little strange. The passfilt.dll mechanism is usually employed to enforce password strength rules, not to transfer credentials out to an external system. If you need to allow a third party to authenticate your users, I'm sure there are better ways to do it. I would start by looking at whether you can establish a trust relationship between a subdomain of your AD domain and a subdomain of the third party.
In any case, transferring passwords to a third party is a red flag to anyone with a knowledge of security. At the most you should transfer password hashes.
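Since a passfilt.dll is an LSA notification package loaded by every domain controller, a defender should be able to see exactly which filter DLLs are registered on each DC. The following audit script is an added example, not code from any poster in this thread; it assumes the ActiveDirectory module and WinRM access to the DCs, and that `rassfm` and `scecli` are the only packages expected on a DC by default.

```powershell
# Added example: list LSA notification packages (password filter DLLs) on every DC
# and flag any that are not part of the assumed default baseline.
$baseline = @('rassfm', 'scecli')   # assumed default packages on a Windows DC

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # 'Notification Packages' is a REG_MULTI_SZ: one DLL base name per entry
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    foreach ($p in $packages) {
        $dll = Join-Path $env:SystemRoot "System32\$p.dll"
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            Package = $p
            Path    = $dll
            Exists  = Test-Path $dll
            # Who signed the DLL; an unsigned or third-party signer deserves a closer look
            Signer  = if (Test-Path $dll) {
                          (Get-AuthenticodeSignature $dll).SignerCertificate.Subject
                      } else { $null }
        }
    }
}

# Report only packages outside the baseline, e.g. a vendor-supplied passfilt.dll
$results |
    Where-Object { $baseline -notcontains $_.Package.ToLower() } |
    Format-Table DC, Package, Path, Exists, Signer -AutoSize
```

Any package that appears here receives every password change in plaintext, so each entry should map to a documented, approved component.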