Hi Tony, I would think the only security risk with doing this is that if a laptop is stolen, the entire contents of the directory, rather than just this user's credentials, could be compromised.
In today's regulatory environment, where full disclosure of compromises, including theft of data-laden hardware or media, is often legally mandated, this could be disastrous. Obviously, I could be over-reaching here - I don't know anything about the organization and therefore about relevant legislation, but you should think about that possibility, if for no other reason than to assure yourself that it does not apply.

The operational impact of replicating ADAM all over the place is that you're dropping a large-ish piece of software on many workstations, and they don't really need it. There may also be more replication traffic and load on the central server than you might want.

A simpler solution, I would think, would be for this app to cache on disk an encrypted copy of the current user's LDAP object whenever the user successfully authenticates to the central ADAM. If the user wants to use the app offline, the app would detect the fact that the hardware it's on happens to be offline at startup (that's easy to do), and authenticate the user against the disk image of the last user object.

In case your vendor doesn't know how to tell whether a machine is online -- give them this C++ code snippet to get them started:

    // get the list of interfaces (s is an already-opened Winsock SOCKET)
    INTERFACE_INFO iInfo[MAX_INTERFACES];
    DWORD numBytes;
    int rcode = WSAIoctl( s, SIO_GET_INTERFACE_LIST, NULL, 0,
                          (LPVOID) iInfo, sizeof(INTERFACE_INFO) * MAX_INTERFACES,
                          &numBytes, NULL, NULL );

This approach is roughly how cached credentials in Windows allow users to sign onto their laptops with domain credentials while disconnected.

Bottom line: this method is pretty simple, doesn't require any special software running on the PC, and limits the impact of a theft or compromise of the user's workstation.

Good luck,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Wed, 4 Oct 2006, Tony Murray wrote:
I've been talking to a vendor about an application they are developing. It involves running ADAM instances on XP Pro machines (laptops) that replicate with a centralised ADAM instance running on W2K3. I don't have further details at this stage, but I believe they are planning to use the local ADAM instance to authenticate laptop users to an application when they are off-line.

In addition to security concerns with this approach, I'm not really comfortable with the idea of ADAM instances on laptops being part of a configuration set. I had always understood ADAM on XP to be used for a personal data store (http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony

________________________________________________________________
Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
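The offline-cache approach Idan proposes above, as an added illustration that is not code from the thread or from M-Tech: after a successful online bind the app keeps, per user, a salted PBKDF2 verifier rather than the password or the raw object, bound with an HMAC under a device-local key so a tampered cache is rejected; `central_bind`, `CENTRAL_DIRECTORY` and the in-memory `cache` dict are constructed stand-ins for the ADAM bind and the on-disk file.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the central ADAM instance (user -> password).
CENTRAL_DIRECTORY = {"alice": "correct horse battery staple"}


def central_bind(user, password):
    """Stand-in for an LDAP simple bind against the central directory."""
    return CENTRAL_DIRECTORY.get(user) == password


def _mac(cache_key, entry):
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(cache_key, body, "sha256").hexdigest()


def store_offline_entry(cache, user, password, cache_key, iterations=100_000):
    """Called only after a successful online bind: record a slow, salted
    verifier (never the password) and seal it with the device-local key."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    entry = {"salt": salt.hex(), "iter": iterations, "verifier": verifier.hex()}
    cache[user] = {"entry": entry, "mac": _mac(cache_key, entry)}


def offline_authenticate(cache, user, password, cache_key):
    """Check the password against the last sealed entry for this user."""
    rec = cache.get(user)
    if rec is None:
        return False  # user never authenticated online from this machine
    if not hmac.compare_digest(_mac(cache_key, rec["entry"]), rec["mac"]):
        return False  # cache file tampered with, or wrong device key
    e = rec["entry"]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(e["salt"]), e["iter"])
    return hmac.compare_digest(candidate, bytes.fromhex(e["verifier"]))


def authenticate(cache, user, password, cache_key, online):
    """Online: bind centrally and refresh the cache. Offline: use the cache."""
    if online:
        ok = central_bind(user, password)
        if ok:
            store_offline_entry(cache, user, password, cache_key)
        return ok
    return offline_authenticate(cache, user, password, cache_key)
```

In a real deployment the device-local key would be protected with something like DPAPI rather than held in a variable, and the online/offline decision would come from the interface check Idan describes.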