Re: Biometric AD authentication

2010-09-16 Thread Don Ely
Might look at something like biopassword and then you're just relying on the
biometrics of someone's typing on a keyboard...  Works very well in the demos
I've seen...

On Thu, Sep 16, 2010 at 5:31 AM, Ziots, Edward  wrote:

>  I agree that the fingerprint might not be the best biometric method, but
> it's usually the most accepted method. Agree that it can be forged, but it
> does take some work.
>
>
>
> We all know passwords aren’t going to “cut it” but is the value of the
> assets you are trying to protect worth the increased controls and
> authentication that biometrics bring?
>
>
>
> Retina/Iris Scans are not well received as a biometric method but are
> highly accurate and almost impossible to force (unless you want to rip
> someone's eyeball out of their socket and replace yours) (Brings back Tom
> Cruise in Minority Report when he has his eyeballs replaced to bypass some
> biometric control)
>
>
>
> You also need to research the false acceptance vs false rejection rate for
> the biometric method you want to employ.
>
>
>
> Working in healthcare also, so I see your reasons, but I would look at
> possibly using Thin client, and housing the data on the backend, and
> provide the 2 factor authentication and auditing of the access to the
> EPHI/PII they are viewing so there is nothing saved on the laptop (which
> should be encrypted to comply with HITECH and MASS CMR 201.17)
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org 
>
> Cell:401-639-3505
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 4:18 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> I do understand that this is “relatively” easily fooled, but smart cards
> are not an option in this case (no built-in smart card reader).
>
>
>
> ‘Regular’ passwords are not going to cut it.   I’m looking for a
> combination of fingerprint and pin.
>
>
>
> Jim
>
>
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Wednesday, September 15, 2010 1:04 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
> Secunia published a study about that last year, finding that it didn’t
> matter if your reader was $25 or $500 – they were easily “broken”.
>
>
>
> Smartcard plus PIN seems to be winning.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com <http://theessentialexchange.com/>
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 12:53 PM
> *To:* NT System Admin Issues
> *Subject:* Biometric AD authentication
>
>
>
> Greetings,
>
> I’ve been tasked with coming up with some solutions for biometric AD
> authentication.
>
> Quick background:
>
> We are in the healthcare field and will be providing tablet PCs to some of
> our practitioners.  We have been going around about how to provide
> authentication to these folks with minimal security compromises.  The
> tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
> locked down pretty tight, but to avoid the ‘sticky note’ password keeper on a
> very portable device that will contain PHI, we are looking at requiring
> login with a fingerprint and pin.
>
> Any suggestions/recommendations from those that have been-there-done-that
> with Biometric AD auth would be greatly appreciated.
>
> Thanks,
>
> Jim
>
> Jim Holmgren
>
> Manager of Server Engineering
>
> XLHealth Corporation
>
> The Warehouse at Camden Yards
>
> 351 West Camden Street, Suite 100
>
> Baltimore, MD 21201
>
> 410.625.2200 (main)
>
> 443.524.8573 (direct)
>
> 443-506.2400 (cell)
>
> www.xlhealth.com
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>
> CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole
> use of the intended recipient(s) and may contain confidential and/or
> protected health information. Under the Federal Law (HIPAA), the intended
> recipient is obligated to keep this informat

RE: Biometric AD authentication

2010-09-16 Thread Steven M. Caesare
Or incendiary rounds.

Hence, my love for it.

-sc

> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Wednesday, September 15, 2010 4:21 PM
> To: NT System Admin Issues
> Subject: RE: Biometric AD authentication
> 
> Just about everything involved C4 at some point on that show.
> 
> >>> "Steven M. Caesare"  9/15/2010 12:23 PM >>>
> No, that one involved C4.
> 
> 
> 
> -sc
> 
> 
> 
> From: James Winzenz [mailto:james.winz...@hotmail.com]
> Sent: Wednesday, September 15, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: Re: Biometric AD authentication
> 
> 
> 
> Wasn't that one on Mythbusters?
> 
> 
> 
> From: Steven M. Caesare <mailto:scaes...@caesare.com>
> 
> Sent: Wednesday, September 15, 2010 11:09 AM
> 
> To: NT System Admin Issues
> <mailto:ntsysadmin@lyris.sunbelt-software.com>
> 
> Subject: RE: Biometric AD authentication
> 
> 
> 
> One of the exploits involved a Gummi  Bear, IIRC.
> 
> 
> 
> -sc
> 
> 
> 
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, September 15, 2010 1:04 PM
> To: NT System Admin Issues
> Subject: RE: Biometric AD authentication
> 
> 
> 
> Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure
> Secunia published a study about that last year, finding that it didn't matter
> if your reader was $25 or $500 - they were easily "broken".
> 
> 
> 
> Smartcard plus PIN seems to be winning.
> 
> 
> 
> Regards,
> 
> 
> 
> Michael B. Smith
> 
> Consultant and Exchange MVP
> 
> http://TheEssentialExchange.com
> 
> 
> 
> From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
> Sent: Wednesday, September 15, 2010 12:53 PM
> To: NT System Admin Issues
> Subject: Biometric AD authentication
> 
> 
> 
> Greetings,
> 
> I've been tasked with coming up with some solutions for biometric AD
> authentication.
> 
> Quick background:
> 
> We are in the healthcare field and will be providing tablet PCs to some of our
> practitioners.  We have been going around about how to provide
> authentication to these folks with minimal security compromises.  The tablets
> will be running Windows 7 Pro (Dell Latitude XT2's at the
> moment) locked down pretty tight, but to avoid the 'sticky note'
> password keeper on a very portable device that will contain PHI, we are
> looking at requiring login with a fingerprint and pin.
> 
> Any suggestions/recommendations from those that have been-there-done-
> that with Biometric AD auth would be greatly appreciated.
> 
> Thanks,
> 
> Jim
> 
> Jim Holmgren
> 
> Manager of Server Engineering
> 
> XLHealth Corporation
> 
> The Warehouse at Camden Yards
> 
> 351 West Camden Street, Suite 100
> 
> Baltimore, MD 21201
> 
> 410.625.2200 (main)
> 
> 443.524.8573 (direct)
> 
> 443-506.2400 (cell)
> 
> www.xlhealth.com
> 

Re: Biometric AD authentication

2010-09-16 Thread James Rankin
It's already happening, not just in films

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

On 15 September 2010 23:05, Phillip Partipilo  wrote:

>  Biometric authentication has bigger problems than gummy bears… Did you
> see the retina scan in the movie Demolition Man?
>
>
>
>
>
> Phillip Partipilo
>
> Parametric Solutions Inc.
>
> Jupiter, Florida
>
> (561) 747-6107
>
>
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 4:18 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> I do understand that this is “relatively” easily fooled, but smart cards
> are not an option in this case (no built-in smart card reader).
>
>
>
> ‘Regular’ passwords are not going to cut it.   I’m looking for a
> combination of fingerprint and pin.
>
>
>
> Jim
>
>
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Wednesday, September 15, 2010 1:04 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
> Secunia published a study about that last year, finding that it didn’t
> matter if your reader was $25 or $500 – they were easily “broken”.
>
>
>
> Smartcard plus PIN seems to be winning.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 12:53 PM
> *To:* NT System Admin Issues
> *Subject:* Biometric AD authentication
>
>
>
> Greetings,
>
> I’ve been tasked with coming up with some solutions for biometric AD
> authentication.
>
> Quick background:
>
> We are in the healthcare field and will be providing tablet PCs to some of
> our practitioners.  We have been going around about how to provide
> authentication to these folks with minimal security compromises.  The
> tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
> locked down pretty tight, but to avoid the ‘sticky note’ password keeper on a
> very portable device that will contain PHI, we are looking at requiring
> login with a fingerprint and pin.
>
> Any suggestions/recommendations from those that have been-there-done-that
> with Biometric AD auth would be greatly appreciated.
>
> Thanks,
>
> Jim
>
> Jim Holmgren
>
> Manager of Server Engineering
>
> XLHealth Corporation
>
> The Warehouse at Camden Yards
>
> 351 West Camden Street, Suite 100
>
> Baltimore, MD 21201
>
> 410.625.2200 (main)
>
> 443.524.8573 (direct)
>
> 443-506.2400 (cell)
>
> www.xlhealth.com
>

RE: Biometric AD authentication

2010-09-16 Thread Ziots, Edward
I agree that the fingerprint might not be the best biometric method, but it's
usually the most accepted method. Agree that it can be forged, but it does take
some work.

 

We all know passwords aren't going to "cut it" but is the value of the assets
you are trying to protect worth the increased controls and authentication that
biometrics bring?

 

Retina/Iris Scans are not well received as a biometric method but are highly
accurate and almost impossible to force (unless you want to rip someone's
eyeball out of their socket and replace yours) (Brings back Tom Cruise in
Minority Report when he has his eyeballs replaced to bypass some biometric
control)

 

You also need to research the false acceptance vs false rejection rate for the 
biometric method you want to employ. 

 

Working in healthcare also, so I see your reasons, but I would look at
possibly using Thin client, and housing the data on the backend, and provide
the 2 factor authentication and auditing of the access to the EPHI/PII they are
viewing so there is nothing saved on the laptop (which should be encrypted to
comply with HITECH and MASS CMR 201.17)

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 4:18 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

I do understand that this is "relatively" easily fooled, but smart cards are 
not an option in this case (no built-in smart card reader).  

 

'Regular' passwords are not going to cut it.   I'm looking for a combination of 
fingerprint and pin.

 

Jim

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Ken Schaefer
Certificates can be stored on USB tokens - there is no need for a smartcard 
reader per se.

That said, the Dell should ship with ControlPoint or whatever they call it now, 
which will provide a CSSP to integrate into the Windows 7 logon screen. Not 
sure if you can combine it with a pin.

RSA provides a cert + PIN solution.

Cheers
Ken

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Thursday, 16 September 2010 4:18 AM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

I do understand that this is "relatively" easily fooled, but smart cards are 
not an option in this case (no built-in smart card reader).

'Regular' passwords are not going to cut it.   I'm looking for a combination of 
fingerprint and pin.

Jim

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication


Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim


RE: Biometric AD authentication

2010-09-15 Thread Phillip Partipilo
Biometric authentication has bigger problems than gummy bears... Did you see 
the retina scan in the movie Demolition Man?


Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107


From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 4:18 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

I do understand that this is "relatively" easily fooled, but smart cards are 
not an option in this case (no built-in smart card reader).

'Regular' passwords are not going to cut it.   I'm looking for a combination of 
fingerprint and pin.

Jim

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication


Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com<http://www.xlhealth.com>


Re: Biometric AD authentication

2010-09-15 Thread Richard Stovall
What about a one time password solution like Quest's Defender?

http://www.quest.com/defender/

On Wed, Sep 15, 2010 at 4:18 PM, Jim Holmgren wrote:

>  I do understand that this is “relatively” easily fooled, but smart cards
> are not an option in this case (no built-in smart card reader).
>
>
>
> ‘Regular’ passwords are not going to cut it.   I’m looking for a
> combination of fingerprint and pin.
>
>
>
> Jim
>
>
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Wednesday, September 15, 2010 1:04 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
> Secunia published a study about that last year, finding that it didn’t
> matter if your reader was $25 or $500 – they were easily “broken”.
>
>
>
> Smartcard plus PIN seems to be winning.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 12:53 PM
> *To:* NT System Admin Issues
> *Subject:* Biometric AD authentication
>
>
>
> Greetings,
>
> I’ve been tasked with coming up with some solutions for biometric AD
> authentication.
>
> Quick background:
>
> We are in the healthcare field and will be providing tablet PCs to some of
> our practitioners.  We have been going around about how to provide
> authentication to these folks with minimal security compromises.  The
> tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
> locked down pretty tight, but to avoid the ‘sticky note’ password keeper on a
> very portable device that will contain PHI, we are looking at requiring
> login with a fingerprint and pin.
>
> Any suggestions/recommendations from those that have been-there-done-that
> with Biometric AD auth would be greatly appreciated.
>
> Thanks,
>
> Jim
>
> Jim Holmgren
>
> Manager of Server Engineering
>
> XLHealth Corporation
>
> The Warehouse at Camden Yards
>
> 351 West Camden Street, Suite 100
>
> Baltimore, MD 21201
>
> 410.625.2200 (main)
>
> 443.524.8573 (direct)
>
> 443-506.2400 (cell)
>
> www.xlhealth.com
>

RE: Biometric AD authentication

2010-09-15 Thread Joseph Heaton
Just about everything involved C4 at some point on that show.

>>> "Steven M. Caesare"  9/15/2010 12:23 PM >>>
No, that one involved C4.

 

-sc

 

From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

 

Wasn't that one on Mythbusters?

 

From: Steven M. Caesare <mailto:scaes...@caesare.com>  

Sent: Wednesday, September 15, 2010 11:09 AM

To: NT System Admin Issues
<mailto:ntsysadmin@lyris.sunbelt-software.com>  

Subject: RE: Biometric AD authentication

 

One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty
sure Secunia published a study about that last year, finding that it
didn't matter if your reader was $25 or $500 - they were easily
"broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com 

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some
of our practitioners.  We have been going around about how to provide
authentication to these folks with minimal security compromises.  The
tablets will be running Windows 7 Pro (Dell Latitude XT2's at the
moment) locked down pretty tight, but to avoid the 'sticky note'
password keeper on a very portable device that will contain PHI, we are
looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have
been-there-done-that with Biometric AD auth would be greatly
appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com 


RE: Biometric AD authentication

2010-09-15 Thread Jim Holmgren
I do understand that this is "relatively" easily fooled, but smart cards are 
not an option in this case (no built-in smart card reader).  

 

'Regular' passwords are not going to cut it.   I'm looking for a combination of 
fingerprint and pin.

 

Jim

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Miller, Michael
haha probably!

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Wednesday, September 15, 2010 3:49 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

"I thought that the new ones weren't able to be forged with gummy bears..?"

Is that on their Marketing brochures?


 *   Gummy Bear Fraud Resistant
- Sean

On Wed, Sep 15, 2010 at 11:29 AM, Miller, Michael <michael.mil...@dys.ohio.gov> wrote:
I thought that the new ones weren't able to be forged with gummy bears..?

I can't say for sure, I am not able to look it up at the moment.

From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Wednesday, September 15, 2010 3:24 PM

To: NT System Admin Issues
Subject: RE: Biometric AD authentication

No, that one involved C4.

-sc

From: James Winzenz [mailto:james.winz...@hotmail.com]
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

Wasn't that one on Mythbusters?

From: Steven M. Caesare<mailto:scaes...@caesare.com>
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues<mailto:ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Biometric AD authentication

One of the exploits involved a Gummi  Bear, IIRC.

-sc

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication


Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Don Guyer
Either those or a pair of wax lips...

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Sean Martin [mailto:seanmarti...@gmail.com] 
Sent: Wednesday, September 15, 2010 3:49 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

 

"I thought that the new ones weren't able to be forged with gummy bears..?"

 

Is that on their Marketing brochures?

 

*   Gummy Bear Fraud Resistant

- Sean

 

On Wed, Sep 15, 2010 at 11:29 AM, Miller, Michael wrote:

I thought that the new ones weren't able to be forged with gummy bears..?

 

I can't say for sure, I am not able to look it up at the moment.

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Wednesday, September 15, 2010 3:24 PM 


To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

No, that one involved C4.

 

-sc

 

From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

 

Wasn't that one on Mythbusters?

 

From: Steven M. Caesare <mailto:scaes...@caesare.com>  

Sent: Wednesday, September 15, 2010 11:09 AM

To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com>  

Subject: RE: Biometric AD authentication

 

One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


Re: Biometric AD authentication

2010-09-15 Thread Sean Martin
"I thought that the new ones weren’t able to be forged with gummy bears..?"

Is that on their Marketing brochures?


   - Gummy Bear Fraud Resistant

- Sean


On Wed, Sep 15, 2010 at 11:29 AM, Miller, Michael <
michael.mil...@dys.ohio.gov> wrote:

>  I thought that the new ones weren’t able to be forged with gummy bears..?
>
>
>
> I can’t say for sure, I am not able to look it up at the moment.
>
>
>
> *From:* Steven M. Caesare [mailto:scaes...@caesare.com]
> *Sent:* Wednesday, September 15, 2010 3:24 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> No, that one involved C4.
>
>
>
> -sc
>
>
>
> *From:* James Winzenz [mailto:james.winz...@hotmail.com]
> *Sent:* Wednesday, September 15, 2010 2:35 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Biometric AD authentication
>
>
>
> Wasn't that one on Mythbusters?
>
>
>
> *From:* Steven M. Caesare 
>
> *Sent:* Wednesday, September 15, 2010 11:09 AM
>
> *To:* NT System Admin Issues 
>
> *Subject:* RE: Biometric AD authentication
>
>
>
> One of the exploits involved a Gummi  Bear, IIRC.
>
>
>
> -sc
>
>
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Wednesday, September 15, 2010 1:04 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Biometric AD authentication
>
>
>
> Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
> Secunia published a study about that last year, finding that it didn’t
> matter if your reader was $25 or $500 – they were easily “broken”.
>
>
>
> Smartcard plus PIN seems to be winning.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Jim Holmgren [mailto:jholmg...@xlhealth.com]
> *Sent:* Wednesday, September 15, 2010 12:53 PM
> *To:* NT System Admin Issues
> *Subject:* Biometric AD authentication
>
>
>
> Greetings,
>
> I’ve been tasked with coming up with some solutions for biometric AD
> authentication.
>
> Quick background:
>
> We are in the healthcare field and will be providing tablet PCs to some of
> our practitioners.  We have been going around about how to provide
> authentication to these folks with minimal security compromises.  The
> tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
> locked down pretty tight, but to avoid the ‘sticky note’ password keeper on a
> very portable device that will contain PHI, we are looking at requiring
> login with a fingerprint and pin.
>
> Any suggestions/recommendations from those that have been-there-done-that
> with Biometric AD auth would be greatly appreciated.
>
> Thanks,
>
> Jim
>
> Jim Holmgren
>
> Manager of Server Engineering
>
> XLHealth Corporation
>
> The Warehouse at Camden Yards
>
> 351 West Camden Street, Suite 100
>
> Baltimore, MD 21201
>
> 410.625.2200 (main)
>
> 443.524.8573 (direct)
>
> 443-506.2400 (cell)
>
> www.xlhealth.com
>

RE: Biometric AD authentication

2010-09-15 Thread Miller, Michael
I thought that the new ones weren't able to be forged with gummy bears..?

I can't say for sure, I am not able to look it up at the moment.

From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Wednesday, September 15, 2010 3:24 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

No, that one involved C4.

-sc

From: James Winzenz [mailto:james.winz...@hotmail.com]
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

Wasn't that one on Mythbusters?

From: Steven M. Caesare<mailto:scaes...@caesare.com>
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues<mailto:ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Biometric AD authentication

One of the exploits involved a Gummi  Bear, IIRC.

-sc

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication


Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Steven M. Caesare
No, that one involved C4.

 

-sc

 

From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

 

Wasn't that one on Mythbusters?

 

From: Steven M. Caesare <mailto:scaes...@caesare.com>  

Sent: Wednesday, September 15, 2010 11:09 AM

To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com>  

Subject: RE: Biometric AD authentication

 

One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread John Aldrich
IIRC, the expensive stuff was easier to fool than the inexpensive stuff...
:-)



From: Mayo, Bill [mailto:bem...@pittcountync.gov] 
Sent: Wednesday, September 15, 2010 2:37 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Yep.  They were able to fool it pretty easily.


From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication
Wasn't that one on Mythbusters?

From: Steven M. Caesare 
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues 
Subject: RE: Biometric AD authentication

One of the exploits involved a Gummi  Bear, IIRC.

-sc

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
Secunia published a study about that last year, finding that it didn’t
matter if your reader was $25 or $500 – they were easily “broken”.

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

Greetings,
I’ve been tasked with coming up with some solutions for biometric AD
authentication.
Quick background:
We are in the healthcare field and will be providing tablet PCs to some of
our practitioners.  We have been going around about how to provide
authentication to these folks with minimal security compromises.  The
tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
locked down pretty tight, but to avoid the ‘sticky note’ password keeper on
a very portable device that will contain PHI, we are looking at requiring
login with a fingerprint and pin.
Any suggestions/recommendations from those that have been-there-done-that
with Biometric AD auth would be greatly appreciated.
Thanks,
Jim
Jim Holmgren
Manager of Server Engineering
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201 
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com

RE: Biometric AD authentication

2010-09-15 Thread John Aldrich
Umm… I remember that episode, but I don't recall a Gummi Bear as being part
of it. I think they went all high-tech and got a copy of his fingerprint and
made a "sleeve" to fit on Adam's finger, but that didn't work as well as
like a photocopy of the fingerprint... :-)



From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication

Wasn't that one on Mythbusters?

From: Steven M. Caesare 
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues 
Subject: RE: Biometric AD authentication

One of the exploits involved a Gummi  Bear, IIRC.

-sc

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

Fingerprint as an auth method is passé. It’s easily forged. I’m pretty sure
Secunia published a study about that last year, finding that it didn’t
matter if your reader was $25 or $500 – they were easily “broken”.

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

Greetings,
I’ve been tasked with coming up with some solutions for biometric AD
authentication.
Quick background:
We are in the healthcare field and will be providing tablet PCs to some of
our practitioners.  We have been going around about how to provide
authentication to these folks with minimal security compromises.  The
tablets will be running Windows 7 Pro (Dell Latitude XT2’s at the moment)
locked down pretty tight, but to avoid the ‘sticky note’ password keeper on
a very portable device that will contain PHI, we are looking at requiring
login with a fingerprint and pin.
Any suggestions/recommendations from those that have been-there-done-that
with Biometric AD auth would be greatly appreciated.
Thanks,
Jim
Jim Holmgren
Manager of Server Engineering
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201 
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com

RE: Biometric AD authentication

2010-09-15 Thread Mayo, Bill
Yep.  They were able to fool it pretty easily.



From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Wednesday, September 15, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: Biometric AD authentication


Wasn't that one on Mythbusters?

From: Steven M. Caesare <mailto:scaes...@caesare.com>  
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com>  
Subject: RE: Biometric AD authentication


One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


Re: Biometric AD authentication

2010-09-15 Thread James Winzenz
Wasn't that one on Mythbusters?


From: Steven M. Caesare 
Sent: Wednesday, September 15, 2010 11:09 AM
To: NT System Admin Issues 
Subject: RE: Biometric AD authentication


One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Steven M. Caesare
One of the exploits involved a Gummi  Bear, IIRC.

 

-sc

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, September 15, 2010 1:04 PM
To: NT System Admin Issues
Subject: RE: Biometric AD authentication

 

Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

 

Smartcard plus PIN seems to be winning.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Osborne, Richard
We are just starting to migrate from a no-longer-supported biometric app
to Sentillion (recently purchased by Microsoft).  So far it looks good.
We are a health care org and have been using biometrics/single-sign-on
for years.  It adds a layer of complexity but prevents password sharing
and saves users from having to remember multiple passwords.

 

From: Jim Holmgren [mailto:jholmg...@xlhealth.com] 
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication

 

Greetings,

I've been tasked with coming up with some solutions for biometric AD
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some
of our practitioners.  We have been going around about how to provide
authentication to these folks with minimal security compromises.  The
tablets will be running Windows 7 Pro (Dell Latitude XT2's at the
moment) locked down pretty tight, but to avoid the 'sticky note'
password keeper on a very portable device that will contain PHI, we are
looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have
been-there-done-that with Biometric AD auth would be greatly
appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com


RE: Biometric AD authentication

2010-09-15 Thread Michael B. Smith
Fingerprint as an auth method is passé. It's easily forged. I'm pretty sure 
Secunia published a study about that last year, finding that it didn't matter 
if your reader was $25 or $500 - they were easily "broken".

Smartcard plus PIN seems to be winning.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Jim Holmgren [mailto:jholmg...@xlhealth.com]
Sent: Wednesday, September 15, 2010 12:53 PM
To: NT System Admin Issues
Subject: Biometric AD authentication


Greetings,

I've been tasked with coming up with some solutions for biometric AD 
authentication.

Quick background:

We are in the healthcare field and will be providing tablet PCs to some of our 
practitioners.  We have been going around about how to provide authentication 
to these folks with minimal security compromises.  The tablets will be running 
Windows 7 Pro (Dell Latitude XT2's at the moment) locked down pretty tight, but 
to avoid the 'sticky note' password keeper on a very portable device that will 
contain PHI, we are looking at requiring login with a fingerprint and pin.

Any suggestions/recommendations from those that have been-there-done-that with 
Biometric AD auth would be greatly appreciated.

Thanks,

Jim

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com
