No problem. I will still respond again, it is nasty out and don't feel like
doing real work (house work that is). :op

First off we used MTEC's PSYNCH, I have had a bug up my butt to write a
joeware tool, but the bug is waiting in line with other things. It may be
one of my first Dot Net Web projects I play with.

> I'm most interested in how you approached and solved the security issues
> in how to absolutely and uniquely identify a user.

1. Log on with existing Windows ID and password - this is to change up front
or sync other systems or set up Q&A profile.
2. Q&A profile - You have a bunch of questions with stored responses, system
randomly asks you several of them, if you score 100% you can get in and set
your password or change your profile or sync other systems.
3. SecurID authentication - this is a self-set PIN with a random number
generated on an RSA SecurID fob you carry with you. Once in you can set your
password, change your profiles, sync other systems. Also if you have a
delegated admin ID you can set the password on that account with this
option. Note that our Enterprise and Domain Admin IDs cannot be handled by
this system for extremely obvious reasons.

 
> If everyone is subject to such a system, can it be used as a DoS tool, if
> not - how did you mitigate?

The system doesn't have to be used, you can still change passwords the old
fashioned way so killing the site doesn't stop people completely. This was
one of my critical considerations. 


> 1.  Sounds like a perfect conversation topic now that we've beat the shit
> out of Exchange

The more I learn, the bigger the bat I get out in the morning. :op


> 2.  I'm self-serving and tried to do this only to get shot down by our Sec
> Director

I don't want to be around anyone who isn't self-serving... If they aren't,
what are their goals and intentions, too difficult to figure out. 

> Reasons why it got shot down are valid, but will come out during the
> discussion, so I won't taint it up front.

1. Money
2. Perceived risk
3. Money
4. Not enough complaints by users that the help desk doesn't respond timely
or a management rule that is stood by strongly of no password help after
business hours. 
5. Money
6. Additional server support overhead
7. ...more Money (and look here's a lovely new twenty dollar bill...)

How much more tainted can it get? Give me the reasons, let me see if I can
beat them down. 


> What say you, Mr. Richards?  

Dad? You here? <user turns about>. 


> Are you game?  Or, just gamey?  ;p

Both, neither, one or the other, I will accept the judgement of my peers.
:o)

   joe
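As an added illustration (not Joe's MTEC PSYNCH setup or any code from this thread), here is a small Python sketch of the Q&A profile step described above: answers stored only as salted hashes, a random subset of questions asked each time, a pass only on 100%, and a per-profile attempt limit so that guessing answers locks the reset profile rather than the Windows account. Function names, the iteration count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor; assumed value, tune for your hardware


def normalize(answer: str) -> str:
    # Fold case and whitespace so "Old Town" and " old   town " compare equal.
    return " ".join(answer.strip().lower().split())


def enroll(questions_answers: dict) -> dict:
    """Build a Q&A profile: each answer kept as a salted PBKDF2 digest, never plaintext."""
    stored = {}
    for question, answer in questions_answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
        stored[question] = (salt, digest)
    return {"answers": stored, "failed_attempts": 0}


def pick_questions(profile: dict, count: int, rng=None) -> list:
    """Random subset of the enrolled questions, drawn afresh for every attempt."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(sorted(profile["answers"]), count)


def verify(profile: dict, asked: list, given: dict, max_failures: int = 3) -> bool:
    """Pass only on 100%: every asked question must be answered correctly."""
    if profile["failed_attempts"] >= max_failures:
        # Profile locked: the user falls back to the old-fashioned reset path,
        # and the Windows account itself is never locked by this site.
        return False
    all_correct = True
    for question in asked:
        salt, digest = profile["answers"][question]
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalize(given.get(question, "")).encode(), salt, ITERATIONS)
        # Check every answer with no early exit so timing does not reveal which one failed.
        all_correct &= hmac.compare_digest(candidate, digest)
    profile["failed_attempts"] = 0 if all_correct else profile["failed_attempts"] + 1
    return all_correct
```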



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 10:52 AM
To: [EMAIL PROTECTED]

Joe,

Hmmmmm.  Apparently, we were typing about the same time.  Question/topic
comes about the same time as the response.  

Ehhhh.....  What the heck - maybe next time.  

;)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

OK - here's a GOOD topic.  Joe, can you explain some of the ins and outs
of your password reset system (without, obviously - revealing sensitive
issues) and how it works (again - same caveat applies).

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.  Clearly, the implications
are huge.  If everyone is subject to such a system, can it be used as a DoS
tool, if not - how did you mitigate?  Naturally, with a password policy in
place the easiest way to DoS anyone is to just attempt to login with a bogus
password until it locks the account.  Obviously, many of us are getting more
script aware, and this sounds like a cool application we all could use.

The reason that I ask is two-fold:

1.  Sounds like a perfect conversation topic now that we've beat the shit
out of Exchange

2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director

Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.

What say you, Mr. Richards?  Are you game?  Or, just gamey?  ;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it
is there but.... 

Before I answer anything else though, what kind of data do you have in AD?
Is it the basic NOS stuff or have you deployed Exchange or other AD aware
apps that have populated it? My guess is you aren't doing a lot with AD yet
so most likely following option two doesn't lose much if any information
that you can't export off into LDIFs and reimport after you are back to W2K
DC's.

Pay isn't bad. However, in relative terms you are probably doing better. 100
users per admin versus our ratio of something like 83000 users per admin and
I would be lucky to be making 5x-10x what you make let alone 830x.... On the
flip side though, you probably haven't put a provisioning system and auto
password reset system into place - yet. :op

   joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious.

Here is a question for you.  As always, if you could offer any info, I would
be very grateful.  We're a small shop with only 2 Admins managing 200 users
in 4 states and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it.  You
have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed
mode.  You could move the NT DC to 2K, then move everyone to W2K3, then
raise the Forest functionality level and then play Russian Roulette with
Rendom.  That's one option.  Or could it be as simple as DCPromoing all 3
W2K3 servers down to Standalone servers, allowing the NT4 DC which still
controls the pre-W2K subdomain name to take full control of the domain
again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO
and renaming the domain to what you want?  I would love to believe I could
do it and get away with it.

Thank you people.

PS:  I don't envy you Joe.  I hope you're being paid well!

RH

-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
