Lars Solberg wrote:
Hi list!
Hi Lars,
I was wondering your toughts in changing users password in an
enterprise firm, with 10k users.
It has to be easy for the user to get a new password, but also secure!
The users also have to be verified over the phone.
Make the users go somewhere and show ID to get a new password will not
work.
Does this have to be an automted system or will the new passwords be
assigned by someone ie you?
What does each user have that you can use to authenticate the user?
I would think that each employee has a telephone extention and an ID
number or social security number. They also work in departments with
other staff members. Each person has a unique NIC MAC address.
For the manual method of password generation and assuming the above and
your requirements makes the job fairly simple.
User A calls from extention 1234.
Password administrator Confirms that the company records show that the
correct person is calling from the correct extention number.
Password administrator then 'net sends' them a message or character
string and asks them to tell him what a certain chracter is.
That combined with the MAC address of the person's PC, the telephone
extention number and the repeating of a character sent to the requestors
PC, would enable you to validate the person and provide them with a new
password telephonically.
What it does not stop is someone else sitting at the PC and changing the
password so it should be company policy that all workstations left
unattended MUST be locked so that a password specific to a user is
required to unlock them.
If the process is to be automatic, I am sure the above process could be
customised or scripted so that the person could visit a web page to
change their password. The machine on the network requesting the
password change could be authenticated, perhaps via MAC address, but the
person operating the machine could still be in doubt. As the person
cannot be verified it is imperative that unattended workstations be locked.
These are my thoughts which I hope provide some insight. Remember that
you need to confirm that the person telephoning or using the machine is
the correct allowed person.
Regards
Hylton
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
