Our smart card use isn't really for security. It forces users to be mobile. Not every user has their own dedicated DTU and they share. If we didn't force smart card use then people would login, forget to logout and then the screensaver would kick on and lock the screen and I'd be killing sessions all day so the next person that needed to use the DTU could.
If I'm somewhere in the building where there isn't a Sun Ray or Ethernet and all I had was my MacBook and WiFi and wanted to pull up my Sun Ray desktop then I could. At least that's the use I see for it. Seems like it could completely eliminate our need for SGD too, or is that OGD now? :) -- Aaron On Wed, Jul 6, 2011 at 8:49 AM, Bob Doolittle <bob.doolit...@oracle.com> wrote: > On 07/ 6/11 11:18 AM, James Kissler wrote: >> >> Aaron, I can understand where you are coming from. I have a good >> number of Sunrays deployed. We require the use of smartcard and pin >> for authentication on both PCs and Sunrays (used for terminal >> services). This is a hard requirement for all users, with the >> exception of admin personnel, the only people to use OVDC. It would >> be nice to be able to enforce smartcard authentication for physical >> clients while allowing a more liberal access policy for OVDC >> connections. > > How would you prevent a random person from running OVDC, and thus circumvent > your hard security policies regarding smartcard use? > > There's always a tension between security and convenience, you need to > choose your comfortable balance point and pursue consistent and compatible > policies throughout your enterprise. The most convenient policy is to not > use passwords for users, but that's not very secure... > > -Bob > > P.S. 25 years ago I was a network admin (and developer :-) ) at a company > where the policy was "no root passwords", to make our job simpler when > dealing with unattended workstations which were causing problems (it only > took one misconfigured or broken machine to bring the entire corporate > network down). Ah, the halcyon days of innocent trust :-). Things are > certainly less convenient today. > > _______________________________________________ > SunRay-Users mailing list > SunRay-Users@filibeto.org > http://www.filibeto.org/mailman/listinfo/sunray-users > _______________________________________________ SunRay-Users mailing list SunRay-Users@filibeto.org http://www.filibeto.org/mailman/listinfo/sunray-users
