From: John Morello (jmorello@MICROSOFT.COM)
Date: Wed Jan 03 2001 - 12:21:43 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Actually, you can do it via ADSI and IIS. A pretty good article
    explaining how to do this is available at
    http://support.microsoft.com/support/kb/articles/Q184/6/19.ASP. Hope it
    helps,
    John

    -----Original Message-----
    From: Adrian Beauchamp [mailto:adrianbeauchamp@CS.COM]
    Sent: Wednesday, January 03, 2001 5:35 AM
    To: FOCUS-MS@SECURITYFOCUS.COM
    Subject: setting a password policy for NT remote logon users

    We have a situation as follows:

    All servers involved are (still) NT4SP6a (plus IIS 4 as required). Clients
    are mixed Windows breeds, but all able to join an NT domain.

    We have users requiring access to change content on web servers in a
    different domain from the one they log into each morning. There is no trust
    relationship between the domains, and none is planned for the future.

    Up till now, this has worked as follows. The users get a domain account in
    the 2nd domain they need to work in. It's possible to change content in 2
    ways:

    a) map a network drive to a machine where they are part of a group that has
    the access they need. Authenticate using the domain account from the second
    domain.

    b) create a connection to an FTP server where authenticated users with
    domain accounts have the ability to write to specific directories. Use
    scripts or Siteserver to redistribute the data from the FTP server to other
    locations.

    There is a major problem with this scheme. As I understand it, there is no
    way that these users are able to change their passwords in the number 2
    domain. This means it's impossible to set a password policy that makes any
    kind of sense at all. How can I expire passwords every 30 days when that
    would mean I would have to manually pick and reset the passwords myself and
    then distribute all the new passwords by some secure method to the users?

    No - the remote users need to be able to pick and set their own passwords,
    and I need to be able to enforce a password policy that won't make us too
    vulnerable.

    I have the feeling I am not making some connection that would allow me to
    solve this problem using existing tools...

    Having a flawed password scheme means that all other security measures are
    just gloss.

    This is an issue I am sure many admins have been confronted with in one form
    or another - any ideas?

    regards
    Adrian Beauchamp

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    iQA/AwUBOlNtqODmQGUUGFFdEQKOiwCg2cv117VNNdeOJaK6sqm3daH9BpwAn0Q7
    kVYnCYaNe7uV20hKBHT017m/
    =xYE0
    -----END PGP SIGNATURE-----
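One way to do what John's reply describes, as an added example that is not code from either message or from the Microsoft article he links: an ASP page hosted on IIS in the second domain that binds to the user's own account through the ADSI WinNT provider and calls IADsUser::ChangePassword. ChangePassword takes the current password, so it can be run without administrative rights and the user needs no interactive logon to that domain. The domain name WEBDOM, the file name changepw.asp, the form field names, the use of the VBScript RegExp object, and the assumption that the IIS machine can reach that domain's PDC are all mine, not the page's.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' changepw.asp  (added example; hypothetical file name)
' Lets a user in the second NT domain change their own password from a browser.
' The page binds to the account through the ADSI WinNT provider and calls
' IADsUser::ChangePassword, which needs the current password and no admin rights.
' Assumptions not stated on the page: the domain is WEBDOM, IIS can reach that
' domain's PDC, and the page is served only over SSL.

Const TARGET_DOMAIN = "WEBDOM"  ' hard-coded on purpose: the client never picks the domain
Const MIN_LENGTH = 8            ' usability check only; the PDC enforces the real policy

' True if name is a plain SAM account name. Anything else (e.g. "/" or ",")
' would be spliced into the ADsPath and could address a different object.
Function IsSafeUserName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_.\-]{1,20}$"
    IsSafeUserName = re.Test(name)
End Function

' Attempts the change; returns "" on success or a message safe to show the user.
Function TryChangePassword(userName, oldPw, newPw)
    Dim oUser
    On Error Resume Next
    Set oUser = GetObject("WinNT://" & TARGET_DOMAIN & "/" & userName & ",user")
    If Err.Number = 0 Then oUser.ChangePassword oldPw, newPw
    If Err.Number <> 0 Then
        ' Do not echo Err.Description: it tells an attacker whether the account
        ' exists, and every wrong old password counts toward the lockout threshold.
        TryChangePassword = "Password change failed. Check your user name and " & _
            "current password, and make sure the new one meets the domain policy."
        Err.Clear
    Else
        TryChangePassword = ""
    End If
    On Error GoTo 0
End Function

Dim userName, oldPw, newPw, newPw2, msg, done
done = False

' Never accept credentials over cleartext HTTP.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"
    Response.Write "This page must be used over HTTPS."
    Response.End
End If

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    userName = Trim(Request.Form("username"))
    oldPw    = Request.Form("oldpw")
    newPw    = Request.Form("newpw")
    newPw2   = Request.Form("newpw2")

    If Not IsSafeUserName(userName) Then
        msg = "Enter your account name only, without a domain prefix."
    ElseIf newPw <> newPw2 Then
        msg = "The new passwords do not match."
    ElseIf Len(newPw) < MIN_LENGTH Then
        msg = "The new password must be at least " & MIN_LENGTH & " characters."
    Else
        msg = TryChangePassword(userName, oldPw, newPw)
        done = (msg = "")
    End If
End If
%>
<html><head><title>Change your <%= TARGET_DOMAIN %> password</title></head>
<body>
<% If done Then %>
  <p>Your password has been changed.</p>
<% Else %>
  <% If msg <> "" Then Response.Write "<p>" & Server.HTMLEncode(msg) & "</p>" %>
  <form method="post" action="changepw.asp" autocomplete="off">
    User name: <input type="text" name="username" value="<%= Server.HTMLEncode(userName & "") %>"><br>
    Current password: <input type="password" name="oldpw"><br>
    New password: <input type="password" name="newpw"><br>
    New password (again): <input type="password" name="newpw2"><br>
    <input type="submit" value="Change password">
  </form>
<% End If %>
</body></html>
```

Two things to keep in mind when deploying something like this. First, use ChangePassword, not SetPassword: SetPassword does not require the old password and therefore needs the IIS process (or the anonymous IUSR account) to hold administrative rights in the domain, which is exactly the privilege you do not want on a web server. Second, the page does not replace the domain's own Account Policy in User Manager for Domains (minimum length, maximum age, history, lockout); the PDC still applies it when ChangePassword runs, which is what lets Adrian's 30-day expiry become enforceable. Because failed attempts count against the lockout threshold, the page is also a way to lock out accounts, so log attempts by source address and keep the page restricted to the networks the remote users actually come from.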