RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Richard Kline



Correct. I did not correctly understand the reference. I was speaking of
bank employees.

However I will hazard a guess as to why banks don't. Please understand that
this is a completely unsubstantiated opinion. All for-profit businesses
(including banks) exist to make money. Their practices are always based upon
cost versus benefit. In this case, I would think that their cost of requiring
PIN changes outweighs the benefit of increased individual security. If
someone loses their PIN then his/her individual accounts are in danger and
not a larger group of customers. Especially if the additional cost includes
the loss of customers who think that security is "silly" and would rather
bank elsewhere.
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Hi,
 
In the bank application case, I am not talking about the bank users having
to change the password, I was meaning the bank clients having to change
their PIN to access the online system... you did not require your online
clients to change their PIN every X days???
 
 
 
Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I've worked for several banks and have never, ever not seen required
password changes. In fact the reverse problem often occurs. Bank systems do
not use the same authentication model (mainframe, domain, application
specific) and require password changes on different cycles. Personnel often
have the proverbial post-it pad in their desk drawer with written account
names and passwords.

I'm not a SharePoint expert and so will leave others to comment but I'd be
very surprised if a non-domain LDAP can be used (guess that could be
construed as a comment, but it's really just reasoned speculation).
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,

I have a SharePoint site for a client, it is driving me crazy because the
sales people are telling me that the users for this site, can't have their
password expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.

Something I was thinking is having SharePoint authenticating with their LDAP
server, is this possible to do? can anybody point to a url on how to do
this?
 
thanks
 
Rezuma


Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Joe Kaplan

The only clean way to authenticate external users to SharePoint is
with a solution like ADFS and federated identity.  SharePoint doesn't
use LDAP internally for auth and you can't really make it.

Federation does give you the ability to have your external users use
their own organization's accounts to access your resources (SharePoint
in this case).

ADFS is non-trivial to set up, but it is "the way" that these things
will be done in the future.

Joe K.

On 9/19/06, Ramon Linan <[EMAIL PROTECTED]> wrote:


HI,

I have a SharePoint site for a client, it is driving me crazy because the
sales people are telling me that the users for this site, can't have their
password expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems  to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.


Something I was thinking is having SharePoint authenticating with their LDAP
server, is this possible to do? can anybody point to a url on how to do
this?

thanks

Rezuma

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

FIPS 112 - Password Usage:
http://www.itl.nist.gov/fipspubs/fip112.htm

*3.3 Lifetime*

The security provided by a password depends on its composition, its 
length, and its protection from disclosure and substitution. The risk 
associated with an undetected compromise of a password can be minimized 
by frequent change. If a password has been compromised in some way and 
if a new password is created that is totally independent of the old 
password, then the continued risk associated with the old password is 
reduced to zero. Passwords thus should be changed on a periodic basis 
and must be changed whenever their compromise is suspected or confirmed.


The useful lifetime of a password depends on several variables, including:

   * The cost of replacing a password;
   * The risk associated with compromise;
   * The risk associated with distribution;
   * The probability of "guessing" a password;
   * The number of times the password has been used;
   * The work of finding a password using exhaustive trial and error
 methods.

Password systems should have the capability of replacing the password 
quickly, initiated either by the user or the Security Officer. Passwords 
should be changed voluntarily by the owner whenever compromise is 
suspected and should be changed periodically with a maximum interval 
selected by the Security Officer. The interval may be a period of time 
or depend on a number of uses. The password system itself should have 
automated features which enforce the change schedule and all the 
security criteria for the installation. The system should check that the 
new password is not the same as the previous password. Very sensitive 
applications may require that a new password not be the same as any of 
the previous two, three, ..., N passwords. Such a system requires 
storage for N passwords for each user. It should not be a requirement of 
a system that the password for each user be unique. Having a new 
password rejected for this reason confirms that another user has the 
password.



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Password cracking programs are why passwords are changed

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx 


The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx 




Ramon Linan wrote:

All these comments are great, does anyone have a url or document with a
list of reasons for having the passwords expiring or explaining why it is
not a good thing to have non-expiring password?

Thanks
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
 
I have been involved in externally facing Microsoft sponsored 
extranet/Sharepoint sites.


The password gets changed.

We have a GUI web portal and we are forced to change the password.
Sales people set your security policy these days?

Ramon Linan wrote:

HI,

I have a SharePoint site for a client, it is driving me crazy because
the sales people are telling me that the users for this site, can't
have their password expiring. The client is a government agency, so I
don't want to be responsible for any information being stolen.

How big of a security risk is not having password expiring? it
seems to me like security 101, but the sales guy is saying that
banks don't ask you to cha
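
The lifetime rules in the FIPS 112 section 3.3 excerpt quoted in the message above (a maximum interval set by time or by number of uses, no reuse of the previous N passwords, and no uniqueness requirement across users) look like this in code. This is an added example, not part of the thread or of FIPS 112; the class and function names, the PBKDF2 storage and the sample accounts and dates are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Verifier:
    """Salted one-way verifier, so the N-deep history holds no clear text."""
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "Verifier":
        salt = os.urandom(16)
        return cls(salt, _derive(password, salt))

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


@dataclass
class Policy:
    max_age: timedelta       # maximum interval chosen by the Security Officer
    max_uses: Optional[int]  # alternative lifetime: number of uses (None = no limit)
    history_depth: int       # N: a new password must differ from the previous N


@dataclass
class Account:
    current: Verifier
    changed_at: datetime
    uses: int = 0
    older: List[Verifier] = field(default_factory=list)  # newest first, at most N-1


class PasswordStore:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def enroll(self, user: str, password: str, now: datetime) -> None:
        # Deliberately no cross-user uniqueness check: rejecting a password
        # because another account uses it would confirm that fact to the caller.
        self.accounts[user] = Account(Verifier.create(password), now)

    def expired(self, acct: Account, now: datetime) -> bool:
        if now - acct.changed_at >= self.policy.max_age:
            return True
        return self.policy.max_uses is not None and acct.uses >= self.policy.max_uses

    def login(self, user: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct.current.matches(password):
            return "denied"
        if self.expired(acct, now):
            return "change_required"  # correct password, but only a change is allowed
        acct.uses += 1
        return "ok"

    def change_password(self, user: str, old: str, new: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct.current.matches(old):
            return "denied"
        previous = [acct.current] + acct.older
        if any(v.matches(new) for v in previous[: self.policy.history_depth]):
            return "reused"
        acct.older = previous[: max(self.policy.history_depth - 1, 0)]
        acct.current, acct.changed_at, acct.uses = Verifier.create(new), now, 0
        return "changed"


def run_constructed_timeline() -> List[str]:
    """Constructed accounts and dates: 90-day maximum age, history depth N = 3."""
    t0 = datetime(2006, 9, 19)
    day = timedelta(days=1)
    store = PasswordStore(Policy(max_age=90 * day, max_uses=None, history_depth=3))
    store.enroll("alice", "autumn-1", t0)
    store.enroll("bob", "autumn-1", t0)  # same password as alice: accepted silently
    out = [store.login("alice", "autumn-1", t0 + day),
           store.login("bob", "autumn-1", t0 + day),
           store.login("alice", "autumn-1", t0 + 90 * day)]
    for old, new in [("autumn-1", "autumn-1"), ("autumn-1", "winter-2"),
                     ("winter-2", "spring-3"), ("spring-3", "autumn-1"),
                     ("spring-3", "summer-4"), ("summer-4", "autumn-1")]:
        out.append(store.change_password("alice", old, new, t0 + 90 * day))
    out.append(store.login("alice", "summer-4", t0 + 91 * day))
    kiosk = PasswordStore(Policy(max_age=90 * day, max_uses=2, history_depth=1))
    kiosk.enroll("carol", "one-two", t0)
    out += [kiosk.login("carol", "one-two", t0) for _ in range(3)]
    return out
```

With N = 3 the first password becomes usable again only after three newer ones have replaced it, which is the storage cost the excerpt refers to.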

Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

16.1.1 Passwords (Ch. 16 of Special Pub. 800-12):
http://sbc.nist.gov/cyber-security-tips/800-12/chapter16.html

*Changing passwords.*  Periodic changing of passwords can reduce the 
damage done by stolen passwords and can make brute-force attempts to 
break into systems more difficult. Too frequent changes, however, can be 
irritating to users.



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Password cracking programs are why passwords are changed

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx 


The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx 




Ramon Linan wrote:

All these comments are great, does anyone have a url or document with a
list of reasons for having the passwords expiring or explaining why it is
not a good thing to have non-expiring password?

Thanks
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
 
I have been involved in externally facing Microsoft sponsored 
extranet/Sharepoint sites.


The password gets changed.

We have a GUI web portal and we are forced to change the password.
Sales people set your security policy these days?

Ramon Linan wrote:

HI,

I have a SharePoint site for a client, it is driving me crazy because
the sales people are telling me that the users for this site, can't
have their password expiring. The client is a government agency, so I
don't want to be responsible for any information being stolen.

How big of a security risk is not having password expiring? it
seems to me like security 101, but the sales guy is saying that
banks don't ask you to change your password every X day, good point.

Something I was thinking is having SharePoint authenticating with
their LDAP server, is this possible to do? can anybody point to a url
on how to do this?

thanks

Rezuma
  


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


  




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread joe



Banks are not very good examples. I have worked with 
several financial institutions and they are some of the slowest to upgrade, 
patch, and secure environments. The primary reason for a lot of that is cost to 
implement and cost to support. I expect that if they forced accounts to 
expire on web access their help desk support costs would go up 80%+. They don't 
feel a need to do that with customer accounts because of the following 
point...
 
Your comparison is flawed. You are talking about government 
documents that I would assume are important to multiple people in the government 
and not a single person and any loss would impact some portion of the 
organization, not a single person. On the other hand, the money in the bank 
protected by your password is all yours and any loss is all yours. The 
bank doesn't care that your account was cleared out by your son in law or 
your estranged wife or by you. If they somehow have your password, they are for 
all intents and purposes *you* to the bank. You have no legs to stand on if your 
argument is the bank didn't make you change the password...
 
If that reason for not expiring passwords had legs, no one 
would be expiring passwords and it probably wouldn't even be a feature. As it 
is, I have heard many hushed rumours about successful information disclosure 
attacks that hinged on non-expiring passwords. Everything from operating system 
source code to intellectual property secrets to project plans to product designs 
to org charts. 
 
 
At a minimum what you need to do is go to the folks who own 
the actual data and will experience the pain and embarrassment if 
the secured data is compromised and get their security requirements 
and then implement them. If they don't have security requirements I would 
recommend having your lawyers looking at your service contract with them to find 
out what they can sue you for and make sure there is nothing in there about data 
integrity/quality/security/accurate auditing/etc. 
 
  joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,

I have a SharePoint site for a client, it is driving me crazy because the
sales people are telling me that the users for this site, can't have their
password expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.

Something I was thinking is having SharePoint authenticating with their LDAP
server, is this possible to do? can anybody point to a url on how to do
this?
 
thanks
 
Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread deji
Much as I hate to say it, convenience may win here. I know, I know ... it's
bad form to have non-expiring passwords, etc, etc. Been there, preached that.

However, the usability factor is a non-trivial design consideration, and even
though we all agree that Sales people are not the most clue-ful when we talk
about security, the sales person in this case under discussion does indeed
have a valid point. Until we get to the point where everyone buys into PCI
compliance in financial transactions, and where PCI itself sets passwords
expiration policy for consumers as one of its standard
requirements/benchmarks, the Sales person is right.

Get the sales person's stance in writing. It's good for CYA. But, don't fight
it. You have to know your consumers when you embark on any design project.
 

Sincerely, 
Microsoft MVP - Directory Services
www.akomolafe.com <http://www.akomolafe.com> - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Ramon Linan
Sent: Tue 9/19/2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP


All these comments are great, does anyone have a url or document with a
list of reasons for having the passwords expiring or explaining why it is
not a good thing to have non-expiring password?

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> I have been involved in externally facing Microsoft sponsored 
> extranet/Sharepoint sites.
>
> The password gets changed.
>
> We have a GUI web portal and we are forced to change the password.
> Sales people set your security policy these days?
>
> Ramon Linan wrote:
>> HI,
>>
>> I have a SharePoint site for a client, it is driving me crazy because
>> the sales people are telling me that the users for this site, can't
>> have their password expiring. The client is a government agency, so I
>> don't want to be responsible for any information being stolen.
>>
>> How big of a security risk is not having password expiring? it seems
>> to me like security 101, but the sales guy is saying that banks don't
>> ask you to change your password every X day, good point.
>>
>> Something I was thinking is having SharePoint authenticating with
>> their LDAP server, is this possible to do? can anybody point to a url
>> on how to do this?
>>
>> thanks
>>
>> Rezuma
>

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Password cracking programs are why passwords are changed

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx


Ramon Linan wrote:

All these comments are great, does anyone have a url or document with a
list of reasons for having the passwords expiring or explaining why it is
not a good thing to have non-expiring password?

Thanks 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
  
I have been involved in externally facing Microsoft sponsored 
extranet/Sharepoint sites.


The password gets changed.

We have a GUI web portal and we are forced to change the password.
Sales people set your security policy these days?

Ramon Linan wrote:

HI,

I have a SharePoint site for a client, it is driving me crazy because
the sales people are telling me that the users for this site, can't
have their password expiring. The client is a government agency, so I
don't want to be responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems
to me like security 101, but the sales guy is saying that banks don't
ask you to change your password every X day, good point.

Something I was thinking is having SharePoint authenticating with
their LDAP server, is this possible to do? can anybody point to a url
on how to do this?

thanks

Rezuma
  


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Derek Harris
If you (or whatever sales guy) want to put YOUR OWN account at risk by
using an insecure password, and not changing it periodically; go ahead.
If you want to put MY money (or the owners of the company's) at risk for
the convenience of a clueless sales guy, I'm taking my money & business
elsewhere. How much is the convenience of not changing his password
worth to him? At the very least, I would document very thoroughly my
objections, including having him explicitly sign off on the plan, before
implementing something like that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Let's put it this way, sales department makes money, IT department
spends it :( :( :(

That's their point of view anyway...and I still don't have a good answer
to why Citibank doesn't force you to change your password, and they offer
web based ...?


Thanks for your email

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been involved in externally facing Microsoft sponsored
extranet/Sharepoint sites.

The password gets changed.

We have a GUI web portal and we are forced to change the password. 

Sales people set your security policy these days?

Ramon Linan wrote:
> HI,
>  
> I have a SharePoint site for a client, it is driving me crazy because 
> the sales people are telling me that the users for this site, can't
> have their password expiring. The client is a government agency, so I 
> don't want to be responsible for any information being stolen.
>  
> How big of a security risk is not having password expiring? it seems 
> to me like security 101, but the sales guy is saying that banks don't 
> ask you to change your password every X day, good point.
>  
>  
> Something I was thinking is having SharePoint authenticating with 
> their LDAP server, is this possible to do? can anybody point to a url 
> on how to do this?
>  
> thanks
>  
> Rezuma

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan
All these comments are great, does anyone have a url or document with a
list of reasons for having the passwords expiring or explaining why it is
not a good thing to have non-expiring password?

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> I have been involved in externally facing Microsoft sponsored 
> extranet/Sharepoint sites.
>
> The password gets changed.
>
> We have a GUI web portal and we are forced to change the password.
> Sales people set your security policy these days?
>
> Ramon Linan wrote:
>> HI,
>>
>> I have a SharePoint site for a client, it is driving me crazy because
>> the sales people are telling me that the users for this site, can't
>> have their password expiring. The client is a government agency, so I
>> don't want to be responsible for any information being stolen.
>>
>> How big of a security risk is not having password expiring? it seems
>> to me like security 101, but the sales guy is saying that banks don't
>> ask you to change your password every X day, good point.
>>
>> Something I was thinking is having SharePoint authenticating with
>> their LDAP server, is this possible to do? can anybody point to a url
>> on how to do this?
>>
>> thanks
>>
>> Rezuma
>

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Richard Kline
Interesting point. It doesn't mean a darn thing but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches.   What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> I have been involved in externally facing Microsoft sponsored
> extranet/Sharepoint sites.
>
> The password gets changed.
>
> We have a GUI web portal and we are forced to change the password.
> Sales people set your security policy these days?
>
> Ramon Linan wrote:
>> HI,
>> 
>> I have a SharePoint site for a client, it is driving me crazy because
>> the sales people are telling me that the users for this site, can't
>> have their password expiring. The client is a government agency, so I
>> don't want to be responsible for any information being stolen.
>> 
>> How big of a security risk is not having password expiring? it seems
>> to me like security 101, but the sales guy is saying that banks don't
>> ask you to change your password every X day, good point.
>> 
>> 
>> Something I was thinking is having SharePoint authenticating with
>> their LDAP server, is this possible to do? can anybody point to a url
>> on how to do this?
>> 
>> thanks
>> 
>> Rezuma
>

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Peter Johnson
Too true Susan. 

Also in Banks, at least in SA, you need the Account number/PIN/Password
combination to get access to your account and not just a password.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 19 September 2006 18:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches  -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running 
DOS based apps.

I wouldn't use "banks" as a shining example of security policy...when 
BofA has

1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of 
America?  Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> I have been involved in externally facing Microsoft sponsored 
> extranet/Sharepoint sites.
>
> The password gets changed.
>
> We have a GUI web portal and we are forced to change the password.
> Sales people set your security policy these days?
>
> Ramon Linan wrote:
>> HI,
>>
>> I have a SharePoint site for a client, it is driving me crazy because
>> the sales people are telling me that the users for this site, can't
>> have their password expiring. The client is a government agency, so I
>> don't want to be responsible for any information being stolen.
>>
>> How big of a security risk is not having password expiring? it seems
>> to me like security 101, but the sales guy is saying that banks don't
>> ask you to change your password every X day, good point.
>>
>> Something I was thinking is having SharePoint authenticating with
>> their LDAP server, is this possible to do? can anybody point to a url
>> on how to do this?
>>
>> thanks
>>
>> Rezuma
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Disclaimer:
The Development Bank of Southern Africa exercises no control over information 
contained in any e-mail message originating from within the organisation. The 
Bank makes no representation relating to the completeness or accuracy and 
accepts no responsibility for any loss, damage or liability that is incurred by 
reliance on the content hereof by the recipient or any other party. Each page 
attached hereto must also be read in conjunction with any disclaimer, which 
forms part of it.
Confidentiality:
The e-mail is privileged and confidential and for use of the addressee only. 
Should you have received this e-mail in error, please return it to [EMAIL 
PROTECTED]  Dissemination, disclosure, copying or any similar actions of the 
content of this e-mail is strictly prohibited.


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



Hi,

In the bank application case, I am not talking about the
bank users having to change the password, I was meaning the bank clients having
to change their PIN to access the online system... you did not require
your online clients to change their PIN every X days???

Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I've worked for several banks and have never, ever 
not seen required password changes.   In fact the 
reverse problem often occurs.  Bank systems do not use the same 
authentication model (mainframe, domain, application specific) and require 
password changes on different cycles.  Personnel often have the proverbial 
post-it pad in their desk drawer with written account names and 
passwords.
 
I'm not a SharePoint expert and so will leave others 
to comment but I'd be very surprised if a non-domain LDAP can be used  
(guess that could be construed as a comment, but it's really 
just reasoned speculation).
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,
 
I have a SharePoint site for a client, it is driving me crazy because the sales
people are telling me that the users for this site, can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.
 
 
Something I was thinking is having SharePoint authenticating with their 
LDAP server, is this possible to do? can anybody point to a url on how to do 
this?
 
thanks
 
Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan
Let's put it this way, sales department makes money, IT department
spends it :( :( :(

That's their point of view anyway...and I still don't have a good answer
to why Citibank don't force you to change your password, and they offer
web based ...?


Thanks for your email

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been involved in externally facing Microsoft sponsored
extranet/Sharepoint sites.

The password gets changed.

We have a GUI web portal and we are forced to change the password. 

Sales people set your security policy these days?

Ramon Linan wrote:
> HI,
>  
> I have a SharePoint site for a client, it is driving me crazy because 
> the sales people are telling me that the users for this site, can't
> have their password expiring. The client is a government agency, so I 
> don't want to be responsible for any information being stolen.
>  
> How big of a security risk is not having password expiring? it seems 
> to me like security 101, but the sales guy is saying that banks don't 
> ask you to change your password every X day, good point.
>  
>  
> Something I was thinking is having SharePoint authenticating with 
> their LDAP server, is this possible to do? can anybody point to a url 
> on how to do this?
>  
> thanks
>  
> Rezuma

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I have been told (BTW) by the patch management tool folks that still 
support customers that buy NT patches  -- that their main customers that 
buy NT patches from Microsoft are banks and financial institutions.


Consider as well that when I walk into Bank of America they are running 
DOS based apps.


I wouldn't use "banks" as a shining example of security policy...when 
BofA has


1.  allowed slammer to nail their ATM networks
2.  Lost backup tapes causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens?  Bank of 
America?  Or your buns?


If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> I have been involved in externally facing Microsoft sponsored
> extranet/Sharepoint sites.
>
> The password gets changed.
>
> We have a GUI web portal and we are forced to change the password.
> Sales people set your security policy these days?
>
> Ramon Linan wrote:
>> HI,
>>
>> I have a SharePoint site for a client, it is driving me crazy because
>> the sales people are telling me that the users for this site, can't
>> have their password expiring. The client is a government agency, so I
>> don't want to be responsible for any information being stolen.
>>
>> How big of a security risk is not having password expiring? it seems
>> to me like security 101, but the sales guy is saying that banks don't
>> ask you to change your password every X day, good point.
>>
>> Something I was thinking is having SharePoint authenticating with
>> their LDAP server, is this possible to do? can anybody point to a url
>> on how to do this?
>>
>> thanks
>>
>> Rezuma




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



ooops, forget about the Sharepoint using the client's LDAP,
they will never let us access their users database, duh!

So, now I need to fight with the project managers and
give them reasons why their password should change...my first question is still
valid.

How big of a security risk is not having password expiring?
and if it is important how is it that banks don't ask clients to change
password.
 
Thanks
 
Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,
 
I have a SharePoint site for a client, it is driving me crazy because the sales
people are telling me that the users for this site, can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.
 
 
Something I was thinking is having SharePoint authenticating with their 
LDAP server, is this possible to do? can anybody point to a url on how to do 
this?
 
thanks
 
Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Richard Kline



I've worked for several banks and have never, ever 
not seen required password changes.   In fact the 
reverse problem often occurs.  Bank systems do not use the same 
authentication model (mainframe, domain, application specific) and require 
password changes on different cycles.  Personnel often have the proverbial 
post-it pad in their desk drawer with written account names and 
passwords.
 
I'm not a SharePoint expert and so will leave others 
to comment but I'd be very surprised if a non-domain LDAP can be used  
(guess that could be construed as a comment, but it's really 
just reasoned speculation).
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,
 
I have a SharePoint site for a client, it is driving me crazy because the sales
people are telling me that the users for this site, can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.
 
 
Something I was thinking is having SharePoint authenticating with their 
LDAP server, is this possible to do? can anybody point to a url on how to do 
this?
 
thanks
 
Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Peter Johnson

You might consider creating an ADAM instance which is a copy of
their LDAP source and authenticate against it. But I fully agree with you that
the better way is to allow passwords to expire.  If you set up the IIS
password changing extension on the server you might be able to integrate it in
such a way that they can change their passwords against it. I’m assuming that
certificate based authentication is out of the question?

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 19 September 2006 17:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,

I have a SharePoint site for a client, it is driving me crazy
because the sales people are telling me that the users for this site, can't have
their password expiring. The client is a government agency, so I don't
want to be responsible for any information being stolen.

How big of a security risk is not having password expiring? it
seems to me like security 101, but the sales guy is saying that banks
don't ask you to change your password every X day, good point.

Something I was thinking is having SharePoint authenticating with
their LDAP server, is this possible to do? can anybody point to a url on how to
do this?

thanks

Rezuma









Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I have been involved in externally facing Microsoft sponsored 
extranet/Sharepoint sites.


The password gets changed.

We have a GUI web portal and we are forced to change the password. 


Sales people set your security policy these days?

Ramon Linan wrote:
> HI,
>
> I have a SharePoint site for a client, it is driving me crazy because
> the sales people are telling me that the users for this site, can't
> have their password expiring. The client is a government agency, so I
> don't want to be responsible for any information being stolen.
>
> How big of a security risk is not having password expiring? it seems
> to me like security 101, but the sales guy is saying that banks don't
> ask you to change your password every X day, good point.
>
> Something I was thinking is having SharePoint authenticating with
> their LDAP server, is this possible to do? can anybody point to a url
> on how to do this?
>
> thanks
>
> Rezuma


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



HI,
 
I have a SharePoint site for a client, it is driving me crazy because the sales
people are telling me that the users for this site, can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having password expiring? it seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X day, good point.
 
 
Something I was thinking is having SharePoint authenticating with their 
LDAP server, is this possible to do? can anybody point to a url on how to do 
this?
 
thanks
 
Rezuma