Posted by Brian Komar \(MVP\) on August 31, 2008, 6:48 pm
How about something that actually works, like two factor authentication.
Fingerprint scanners are easily defeated, watch Mythbusters
Card key access is getting there, but swipe is one factor.
A 7+ character password is really not a strong password, especially when working with
archaic operating systems like Windows 98 that use LM hashes that are easily
broken. A real operating system would recommend using passphrases that are
16+ characters.
Brian
> Okay, so what is the best policy to secure the network? I am thinking a
> combination of biometrics, passwords and potentially keycards. What are
> people's thoughts on this. Perhaps, this list as a suggestion:
>
> 1. fingerprint scanner -- cleaned when done to prevent band-aid technique of
> using same fingerprints after person scanned originally
>
> 2. keycard access --- perhaps as a swipe which is a special keycard separate
> from access keycard to secure and safe computer room
>
> 3. complex password to login to computer --- numerous passwords with at
> least 7+ alpha-numeric and special character and grc.com can generate random
> complex passwords to give users an idea and Microsoft's password checker is
> also good.
>
> 4. Any other thoughts?
>
> "Roger Abell [MVP]" wrote:
>
>> Also, look at what Group Policy Preferences can do for you, allowing you
>> to run computer startup/shutdown script (selectively by GPO targets).
>> Setting password from network is always a hazard as at some point the
>> password is either available on the network or it is obtainable from its
>> storage point, but at least with computer script you can make that storage
>> inaccessible to all except the computer accounts that need access.
>>
>> As far as I have determined, client system local admin account(s) are a
>> darned if you do and darned if you don't situation. The local account is
>> not needed on most systems for daily operations. If something happens
>> such that local admin login is needed it probably needs to have been set
>> up / enabled before that something happens. If there is no local admin
>> account prepared and available, then techs are using domain accounts,
>> which probably means that there are domain accounts in daily use that
>> have large-scale admin access over all, or major sections of, the client
>> systems. If one tries to keep one local admin account ready to go, it
>> should have either a unique password (and not one that can be determined
>> from some formula such that if you know one you can substitute part and
>> get the password for another system) or if not unique then many should
>> be used, each on some small logical subset of the client systems. That
>> however has problems in keeping track of what password to use where
>> and of making passwords available when needed (and only then) to those
>> that need to use them (and only to those).
>>
>> There simply appears to be no great solution when using only accounts
>> and passwords.
>>
>> Roger
>>
>> > Gurus,
>> >
>> > How do your organizations manage the local administrator account on
>> > workstations? Typically the end-users do run with "administrative"
>> > privileges, but a local admin account is needed to access a machine
>> > offline. So how is this account typically named (i.e. renamed) and
>> > password secured (i.e., complex and only a few people know it)? Then you
>> > have the problem of having to change this password on every workstation if
>> > a member of the IT staff leaves. Just looking for quick thoughts here, no
>> > long treatise on the topic is necessary!
>> >
>> > --
>> > Spin
>>
>>
>>
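The thread above circles around three practical points: a local admin password per workstation should be unique and random rather than derived from a formula, passwords short enough to be stored as LM hashes are weak, and every workstation password has to be rotated when a member of IT staff leaves. The following Python sketch is an added illustration of those points and is not code from any poster in the thread; the record store, the `LocalAdminRecords` class, the hostnames and the passwords used in it are constructed for the example, and a real deployment would keep the records in an encrypted store with its own access control rather than in a dictionary.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed character set for generated passwords (assumption: the target
# systems accept these symbols at the local logon prompt).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# Windows stores an LM hash only for passwords of 14 characters or fewer, so a
# 15+ character password is never exposed through that weak hash format.
MIN_LENGTH = 15


def generate_password(length=20):
    """Return a random password that is not derivable from any host attribute."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d characters" % MIN_LENGTH)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def formula_password(hostname):
    """The anti-pattern Roger describes: a 'unique' password built from the
    hostname.  Knowing one of these and the naming scheme gives all the rest,
    because substituting another hostname reproduces that host's password."""
    return "Adm!n-" + hostname.upper() + "-2008"


def fingerprint(password):
    """Short SHA-256 fingerprint used only to compare records in the reuse
    audit, so the audit output never carries the cleartext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


class LocalAdminRecords:
    """One local admin password per workstation (hypothetical in-memory store)."""

    def __init__(self):
        self._records = {}  # hostname -> {"password": str, "version": int}

    def provision(self, hostname, password=None):
        """Issue (or re-issue) the local admin password for one workstation.
        Explicit passwords are accepted so that the reuse audit can be shown,
        but they must still clear the LM-hash length threshold."""
        pw = password if password is not None else generate_password()
        if len(pw) < MIN_LENGTH:
            raise ValueError("%s: password shorter than %d characters would be "
                             "stored as an LM hash" % (hostname, MIN_LENGTH))
        prev = self._records.get(hostname)
        version = prev["version"] + 1 if prev else 1
        self._records[hostname] = {"password": pw, "version": version}
        return pw

    def lookup(self, hostname):
        return self._records[hostname]["password"]

    def version(self, hostname):
        return self._records[hostname]["version"]

    def rotate_all(self):
        """Re-issue every workstation password, e.g. when an IT staff member
        who knew them leaves.  Returns the number of hosts rotated."""
        for host in list(self._records):
            self.provision(host)
        return len(self._records)

    def audit_reuse(self):
        """Return {fingerprint: [hosts]} for every password shared by more than
        one workstation; an empty dict means every host has its own."""
        groups = defaultdict(list)
        for host, rec in self._records.items():
            groups[fingerprint(rec["password"])].append(host)
        return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    records = LocalAdminRecords()
    for host in ("WS-0041", "WS-0042", "WS-0043"):
        records.provision(host)
    print("reuse after provisioning:", records.audit_reuse())
    rotated = records.rotate_all()
    print("rotated %d hosts; WS-0041 now at version %d"
          % (rotated, records.version("WS-0041")))
```

The reuse audit is the check Roger's "small logical subset" scheme would need: it reports which hosts share a password without exposing the password itself, and rotating after a departure is a single pass over the records rather than a guess at which formula the departed person knew.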