General Security Question

Networking/Security Forums -> General Security Discussion

Author: rdwild PostPosted: Wed Nov 10, 2010 10:58 pm    Post subject: General Security Question
We have an active directory environment with roughly 10000 users. We are looking at an externally hosted access request solution that will require us to install a passfilt.dll filter on our domain controllers that will push user names and sync passwords to the vendor's own directory user database (shared with other customer's users). They will use this to authenticate users. Our security officer has approved this configuration. Am I being too paranoid here, or is this something that should just not be allowed to happen?



Author: Fire AntLocation: London PostPosted: Thu Nov 11, 2010 11:49 am    Post subject:
Hey Barb,

I had to read your post twice to make sure I read this right.

Let me get this straight, your company is going to be syncing your internal users accounts (names and passwords) to a 3rd party, in this case your vendors directory.

Am I being too paranoid here, or is this something that should just not be allowed to happen?
I think you must be the only sane person in your company. You are correct, this should never be allowed to happen!

Do you have to comply to PCI or HIPPA etc?

From a security standpoint you are allowing a vendor (of all people) access to your usernames and passwords. They now have access to your company. As with most companies I assume you don't use least privilege? So some people have god like access to the system.

Your security officer clearly hasn't thought this through. I suggest detailing the risks to your security officer and/or senior management team.

Good luck, I think you need it.

Fire Ant

Author: Dezaxa PostPosted: Fri Nov 12, 2010 3:06 pm    Post subject:
The description of the situation sounds a little strange. The passfilt.dll mechanism is usually employed to enforce password strength rules, not to transfer credentials out to an external system. If you need to allow a third party to authenticate your users, I'm sure there are better ways to do it. I would start by looking at whether you can establish a trust relationship between a subdomain of your AD domain and a subdomain of the third party.

In any case, transferring passwords to a third party is a red flag to anyone with a knowledge of security. At the most you should transfer password hashes.

Author: CoreDefendLocation: USA PostPosted: Mon Nov 15, 2010 3:56 am    Post subject:
Why did your security officer sign off on this?

Passfilt does not synch passwords/hashes with external entities.

How are they asking you to synch this information? A script, scheduled task, direct route, VPN?

Does Senior Management understand the risk this will incur on their company?

To be simple; I would deny this request.

Networking/Security Forums -> General Security Discussion

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group