
Message from dsarazen@umassp.edu

Hi All,

 

Quick Poll Please:

 

1. Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?

2. Do you think you should?

 

Thanks!

 

:: Daniel Sarazen, CISSP, CISA

:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558

:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen@umassp.edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

 

Confidentiality Note:  This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information.  If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.

 


Comments

Sarazen, Daniel wrote:
> 1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?

yes

> 2 Do you think you should?

yes

--
Gary Flynn
Security Engineer
James Madison University

Yes and yes.


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu




On Mon, Feb 27, 2012 at 08:14, Sarazen, Daniel <dsarazen@umassp.edu> wrote:



1. Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?

Yes

2. Do you think you should?

Yes

 

Message from ingerman@vassar.edu

Yes and yes, from Vassar.

  --Bret


Message from millerj@uakron.edu

1. Not currently but will be soon.

2. Absolutely

 

 

Jim Miller

CISSP,CCSP

Lead Network Engineer

The University of Akron

(330) 972-7958

millerj@uakron.edu

 

 

Message from bgstein@ucdavis.edu

1. Yes

2. Maybe

 

We are using it, but it isn’t loved (It is expensive and poorly supported.  I’d wonder if the money and staff support time could be better used elsewhere; if I were allowed to wonder.)

 

Ben

UC Davis

 

Yes to both questions.

 

 

Regards

Christopher Jones

IT Security Administrator

Information Technology Services

University of the Fraser Valley

33844 King Road

Abbotsford, B.C.  V2S 7M8

604.854.4566

Christopher.Jones@ufv.ca

 

 

 

 

We do, but only for Unix admins - it turns out that it provides no extra security for Windows ... you can log into a Windows system from the network without the second factor, so unless you're worried about the bad guys coming onto campus and sitting in front of your servers to log in, you are using "Security Theater" to protect your Windows systems.

It (second factor) is effective if you have another choke point (like a database login) that uses the second factor, and it is effective to prevent unauthorized logins to Unix/Linux systems.

My 2 cents,
Joel

Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

--On Monday, February 27, 2012 8:14 AM -0500 "Sarazen, Daniel" wrote:
> [original poll quoted above]

Message from ingerman@vassar.edu

What about using a hardware token for Windows servers? We use them for local admin access on our Windows and Mac computers.

--Bret

Sent from my iPad

The problem is that if the bad guys can get network access to your server, all they need is a valid ID and Password and they can access your server without ever having to enter in the pin from the token.

Once we verified that this was the case, we stopped using our RSA tokens for the windows administrators ... it didn't make any sense to force them to type in the pin when what we were really trying to stop was network breakins.

They are effective for protecting Macs

Joel

--On Monday, February 27, 2012 7:30 PM -0500 Bret Ingerman wrote:
> What about using a hardware token for windows servers? We use them for local admin access on our Windows and Mac computers.
>
> --Bret
>
> Sent from my iPad

Message from ingerman@vassar.edu

Actually, I meant a token that needs to be in the USB port. We use something called SecureID which is a hardware token that must be in the USB port in order to log in as admin. Of course this means that admins must be at the machine... so it may not be worth the trade off.

--Bret

Sent from my iPad

We ran into this limitation in our evaluations too. RDP would honor the policy requiring 2-factor but not SMB/RPC oriented sessions like remote scripting, which is what we were trying to protect to prevent automated and instant domain wide compromise from a worm or compromised administrator account.

So SSH/RDP interactive terminal sessions are protected but not utility sessions.

I wonder if 2-factor is equally ineffective with linux services like NFS and rsh (and do I dare compare those with SMB and remote scripting).

Joel Rosenblatt wrote:
> [Joel's reply to Bret, quoted above]

Message from dsarazen@umassp.edu

Thanks for the feedback. If you don't use two-factor, what do you do?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gary Flynn
Sent: Tuesday, February 28, 2012 9:35 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Two-Factor Authentication: Quick Poll

> [Gary Flynn's reply, quoted above]

Can’t say I’m recommending it per se, but if you need more qualifications on RDP, and you think it’s worth the hassle, you can use this:

http://www.2x.com/securerdp/

I’ve not deployed it enterprise wide, but I have tested it before.  Yes, I do know that some things can be spoofed, but one still must know what needs to be spoofed to connect.  Just an option.

 

D/C

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU]
Sent: Tuesday, February 28, 2012 9:35 AM
To: Dexter Caldwell; SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Two-Factor Authentication: Quick Poll
Importance: Low

> [Gary Flynn's reply, quoted above]

Quick Poll Please:

 

1. Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)? No

2. Do you think you should? Yes

 


Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security Officer
CISSP, CIPP/C, CISA
Security, Privacy, Audit
BCCOL - 222D
250-852-6351
Sarazen, Daniel wrote:
> Thanks for the feedback. If you don't use two-factor, what do you do?

To a limited extent:

1) Limit the ability to connect to the Windows network services that do not support strong authentication through a combination of core/host firewalls, IPSEC policies, and "jump host".

2) Harden and protect the workstations and jump host(s) that are allowed to connect to Windows network services that do not support strong authentication.

Mitigation is far from perfect and operational realities encourage looseness in implementation, but it's better than nothing.

> [earlier thread quoted above]
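As an added example (not code from anyone in this thread), the detection side of the jump-host mitigation above: a Python check over constructed Windows 4624 logon events that flags privileged network (type 3: SMB/RPC/remote scripting) logons, the path Joel and Gary describe as bypassing the token, when the source is not the jump host. The admin account names, the jump-host address and the sample events are assumptions.

```python
"""Flag privileged Windows network logons that did not come through the jump host.

Event 4624 logon types: 2 = console, 3 = network (SMB, RPC, WMI, remote
scripting), 10 = RemoteInteractive (RDP). Only the interactive paths prompt
for the token; type 3 logons do not, which is the gap the thread describes."""
from dataclasses import dataclass

# Constructed assumptions for this example (not values from the thread).
PRIVILEGED = {"adm-alice", "adm-bob"}   # accounts that should be 2FA-gated
JUMP_HOSTS = {"10.0.0.5"}                # only source allowed for type 3 logons
NETWORK_LOGON = "3"


@dataclass
class Finding:
    user: str
    source: str
    reason: str


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' export line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def review(lines):
    """Return one Finding per successful privileged network logon whose
    source address is not an allowed jump host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # successful logons only
            continue
        user = ev.get("TargetUserName", "").lower()
        if user not in PRIVILEGED:
            continue
        src = ev.get("IpAddress", "-")
        if ev.get("LogonType") == NETWORK_LOGON and src not in JUMP_HOSTS:
            findings.append(Finding(user, src, "privileged network logon bypassing token-gated path"))
    return findings


# Constructed sample events (not real log data).
SAMPLE_LOG = [
    "EventID=4624|LogonType=10|TargetUserName=adm-alice|IpAddress=10.0.0.5",     # RDP via jump host
    "EventID=4624|LogonType=3|TargetUserName=adm-alice|IpAddress=10.0.0.5",      # SMB from jump host: allowed
    "EventID=4624|LogonType=3|TargetUserName=adm-bob|IpAddress=192.168.7.23",    # SMB from a workstation
    "EventID=4624|LogonType=3|TargetUserName=svc-backup|IpAddress=192.168.7.23", # not a privileged account
    "EventID=4624|LogonType=2|TargetUserName=adm-bob|IpAddress=-",               # console logon
    "EventID=4625|LogonType=3|TargetUserName=adm-alice|IpAddress=172.16.9.9",    # failed attempt, not 4624
    "EventID=4624|LogonType=3|TargetUserName=ADM-ALICE|IpAddress=172.16.9.9",    # case differs in the log
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.user} from {f.source}: {f.reason}")
```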
Was this a token/radius implementation of 2FA or a SmartCard implementation? I'm under the impression that smartcard is the only type tied in enough to windows API to count.
Message from asmir@dons.usfca.edu

I usually do not comment since I do not work for an EDU anymore. However I have been involved in a number of 2FA initiatives and might be able to provide some information which might be useful. Passwords are pretty much useless; with most edu users browsing the web as at least local admin, it is just a matter of time before your admin credentials are compromised, if they are not already out there. Most organizations do not have the ability to identify active intrusions and therefore

Sent from my iPhone
> 1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?

Follow-up discussion has made it clear that you need to define "remotely." If you define "remotely" as "from outside the campus or internal firewall boundary," yes, we are mostly there. For internal network access, passwords win, due to limitations mentioned by Joel and others. A GULP-like system is important regardless of the meaning of "remotely." We are also getting better at separating the everyday password (subject to phishing and malware) from privileged logons.

> 2 Do you think you should?

Yes.
Has anyone implemented SMS-based second factor auth via mobile phones? If so, what software? Costs? We're evaluating various options for adding a second factor to a very geographically distributed and changing user base.

Best,
Dallas
Message from dsarazen@umassp.edu

Dallas, FYI - While it's not providing two-factor authentication to our systems, we partner with ACSC (Advanced Cyber Security Center) and they use a Verisign product that provides two-factor authentication via smart phones (which of course requires that everyone who needs to authenticate via two-factor has a smart phone).

Thanks,
Dan
Message from adamschumacher@creighton.edu

We've used the Twilio (http://www.twilio.com/) API to send SMSes for 2 factor when resetting passwords, though not for actual authentication (yet). Since it is just an API, you could program it to do "anything" you want. You can also send/receive voice calls using their service. Rates are pretty low too. I think we started paying .03 per sms sent, and the price actually went down to .01.

We also utilize them as an alerting mechanism in our monitoring environment (we have an offsite monitoring system in case on-campus WAN connectivity is down).

sha1(
Adam Schumacher
Information Security Engineer
Creighton University
Don't share your password with ANYONE, EVER. This means YOU!
402-280-2383
402-672-1732
) = 1a72637cf94189654ab1a827520a5e41738f41b0