What sort of questions? If you ask people to pick a secret question then you'll 
get poor quality questions:

Q. QWERTY
A. UIOP

Or poor quality questions:
Q. DOB?
(My friends at work know how old I am, and what day my birthday is.)
Q. What sports team do I support?
A. Right, like it isn't obvious from the way I was moaning about their play 
yesterday.

Or questions that anyone trying to hack a specific important account couldn't 
discover.
Q. What was my first grade teacher?
A. Like this isn't documented on Friends Reunited and every silly MySpace quiz 
you ever took.

Sorry to sound like I'm beating you up on this quite so much, but I've been 
down this road already and I'm trying to save you some pain.

A couple of further questions:
What will you do if someone forgets the special password resetting account's 
details? Hopefully they won't actually be logging in THAT often.

What's to stop a 'random passer-by' getting on a terminal and playing with this 
account?

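As an added illustration of the point above about weak challenge questions (example code written for this note, not from the thread or from any product mentioned in it): a Python check that rejects an answer when it is a keyboard pattern, too short, or derivable from the user's own directory record (display name, team, date of birth), and flags questions whose theme a colleague or a public profile could answer. The profile fields, the question-word list and the length threshold are assumptions.

```python
import re
from datetime import date

# Keyboard rows used to spot "keyboard walk" answers such as QWERTY / UIOP.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Assumption: question themes that colleagues or an online profile could answer.
ACQUAINTANCE_WORDS = {"birth", "dob", "team", "teacher", "school", "pet",
                      "mother", "maiden"}

MIN_ANSWER_LEN = 6  # assumption: a policy threshold, not taken from the thread


def is_keyboard_walk(text, min_run=4):
    """True if the text contains a run of min_run adjacent keyboard keys."""
    t = re.sub(r"[^a-z0-9]", "", text.lower())
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):          # forwards and backwards
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in t:
                    return True
    return False


def dob_digit_forms(dob):
    """Digit-only spellings of a date (Ymd, dmY, mdY) for comparison."""
    return {dob.strftime("%Y%m%d"), dob.strftime("%d%m%Y"), dob.strftime("%m%d%Y")}


def profile_field_in_answer(answer, profile):
    """Return the profile field whose value leaks into the answer, else None."""
    a = answer.lower()
    digits = re.sub(r"\D", "", a)
    answer_words = set(re.findall(r"[a-z]{4,}", a))
    for field, value in profile.items():
        if isinstance(value, date):
            if digits and digits in dob_digit_forms(value):
                return field
        elif answer_words & set(re.findall(r"[a-z]{4,}", str(value).lower())):
            return field
    return None


def check_answer(question, answer, profile):
    """Return the list of reasons a question/answer pair is unacceptable ([] == OK)."""
    reasons = []
    a = answer.strip()
    if len(a) < MIN_ANSWER_LEN:
        reasons.append("answer too short")
    if is_keyboard_walk(a):
        reasons.append("answer is a keyboard pattern")
    if is_keyboard_walk(question):
        reasons.append("question is a keyboard pattern")
    field = profile_field_in_answer(a, profile)
    if field:
        reasons.append("answer matches profile field '%s'" % field)
    if set(re.findall(r"[a-z]+", question.lower())) & ACQUAINTANCE_WORDS:
        reasons.append("question is answerable by acquaintances")
    return reasons


# Constructed directory record for a fictitious user.
PROFILE = {
    "display_name": "Alice Example",
    "team": "Arsenal",
    "mail": "alice@example.com",
    "dob": date(1980, 6, 25),
}

if __name__ == "__main__":
    for q, a in [("QWERTY", "UIOP"),
                 ("Date of birth?", "25/06/1980"),
                 ("What sports team do I support?", "Arsenal FC"),
                 ("Name of the street of your first flat?", "Mulberry Gardens 14")]:
        print(q, "->", check_answer(q, a, PROFILE) or "OK")
```

The profile comparison is deliberately loose (any word of four letters or more shared with a directory attribute) because the failure mode being guarded against is an answer a co-worker already knows, not an exact string match.
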
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of AWS
Sent: Mon 26/06/2006 15:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
 
Yes, the latter. This is an account a user would use to log in with, then the
pw reset website would automatically run. The website has challenge/response
Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
>
>  Err, maybe you can fill in more detail. I am not quite sure what you are
> saying. Are you saying there is a generic ID to log into the website and it
> can reset anyone's password or are you saying there is a generic ID with
> rights to reset anyone's password or ????
>
> Either of those solutions wouldn't be optimal and I would love to work in
> that company for a day with that implemented and have people point out who
> the dumbass managers were... Or at least their IDs.  <eg>
>
> Oh I just read that again, is this an idea to give a userid/password to
> everyone so they can get past the GINA and get to the self service website?
>
>  --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>  ------------------------------
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *AWS
> *Sent:* Sunday, June 25, 2006 6:35 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] pw reset domain account
>
>
>  There's a proposal at my company for a self service password reset
> website which uses a shared domain account. It's similar to a kiosk
> configuration, but the intent is to publicize the account and password so
> that it can be used from any user's PC when needed.
>
> They have an account-specific OU/GPO configuration which locks down the
> typical stuff you would expect, but my position is that there are too many
> unknown vectors for such an account to be abused.
>
> Since I don't dabble in the various black hat utils du jour, does anyone
> have any thoughts on how a globally known domain account could be hacked
> upon? Conversely, is there any way such an account could be effectively
> locked down?
>
> Thanks,
> AW
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

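As an added example for the "random passer-by" question and the request for ways to lock such an account down (written for this note, not code from the thread or from any product in it): once an account's password is deliberately public, what remains is detection, so this Python script runs three checks over constructed logon events shaped like the fields of a Windows Security successful-logon event (event 4624: account name, logon type, workstation). It flags a logon type other than interactive console logon, a logon outside business hours, and the account appearing on more workstations within ten minutes than one person could be sitting at. The account name, hours and thresholds are assumptions.

```python
from datetime import datetime, timedelta

SHARED_ACCOUNT = "pwreset-kiosk"   # placeholder account name, constructed here
ALLOWED_LOGON_TYPES = {2}          # 2 = interactive console logon, the kiosk use case
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 local time
MAX_HOSTS_PER_WINDOW = 3           # assumption: more than this in WINDOW is suspicious
WINDOW = timedelta(minutes=10)

# Constructed sample events with the subset of 4624 fields the checks need.
EVENTS = [
    {"time": "2006-06-26T09:02:11", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-104"},
    {"time": "2006-06-26T09:15:40", "user": "pwreset-kiosk", "logon_type": 3, "workstation": "WS-221"},
    {"time": "2006-06-26T23:41:05", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-077"},
    {"time": "2006-06-27T10:00:01", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-301"},
    {"time": "2006-06-27T10:01:30", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-302"},
    {"time": "2006-06-27T10:02:55", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-303"},
    {"time": "2006-06-27T10:04:12", "user": "pwreset-kiosk", "logon_type": 2, "workstation": "WS-304"},
    {"time": "2006-06-27T10:05:00", "user": "alice",         "logon_type": 2, "workstation": "WS-104"},
]


def detect(events, account=SHARED_ACCOUNT):
    """Return (category, time, workstation) alerts for misuse of the shared account."""
    alerts = []
    recent = []  # (time, workstation) pairs inside the sliding window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"].lower() != account:
            continue                                  # only the shared account is in scope
        t = datetime.fromisoformat(ev["time"])
        if ev["logon_type"] not in ALLOWED_LOGON_TYPES:
            # Network/RDP/service use means the public credential is being used
            # for something other than sitting at the self-service kiosk.
            alerts.append(("logon_type", ev["time"], ev["workstation"]))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", ev["time"], ev["workstation"]))
        recent = [(rt, ws) for rt, ws in recent if t - rt <= WINDOW]
        recent.append((t, ev["workstation"]))
        if len({ws for _, ws in recent}) > MAX_HOSTS_PER_WINDOW:
            # One person cannot be at four PCs in ten minutes: scripted use.
            alerts.append(("fan_out", ev["time"], ev["workstation"]))
    return alerts


if __name__ == "__main__":
    for category, when, host in detect(EVENTS):
        print("%-11s %s %s" % (category, when, host))
```

The fan-out check is the one that matters most for a kiosk account that is intended to work from any PC: a workstation allow-list cannot be enforced, but the rate at which a single human can move between machines still can.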