Network Security Security-Basics

Re: Changing user password policy

Subject: Re: Changing user password policy
Date: Fri, 29 Sep 2006 10:45:28 +0200
Hi

Thanks for all the good answers!

It's not an emergency, I just wonder if there are any "good" ways of
doing this with good security. The point is that the helpdesk receives a
telephone call and then the user can change their password over the
phone.
I'm trying to find a way to do this more securely. The users are using more
than one computer so I can't verify them by their MAC. It's the password
to log into the system so I can't send them a net send either. The
system has caller ID but the users are almost always calling from
other phones. One possibility could be to force a group of users to use
one specific phone.
Anyway, it seems that password hints are the best solution and we are
thinking of using that...

Thanks again!

 Lars

On 9/27/06, Raoul Armfield <armfield@amnh.org> wrote:
Another option is simply to set the PwdLastSet attribute to 0; this will
force everyone to change their password. If you also set password
complexity rules before you do this, it will force everyone to use a
complex password.

Raoul

krymson@gmail.com wrote:
> This is just scary. While I won't ask you to share it if you can't, just keep
> in mind the reason why you may need to do this. If you can phase it, for instance,
> do 1,000 people a day so that you can avoid swamping your help desk with the phone
> calls, that is better than doing all 10,000 out of the blue.
>
> Definitely alert people well in advance that this will be happening.
>
> If this is something you can do over the course of 30 days and have them
> trickle in slowly, just force everyone to make a new password next time they log
> in. After a month or two, audit the accounts for any that simply have not rebooted
> in a month. Then make this a permanent policy.
>
> Since you need to get a new password to users but need to verify them over
> the phone, that kinda implies your help desk will need to contact the user, not
> the other way around (I could call in and ask for John Doe's password, unless you
> call me back...). And since you'll already have them on the phone, you may as well
> distribute the passwords that way. Help desk sets a quick password, user logs in,
> and is forced to change password so help desk no longer knows it.
>
> As a last ditch effort if you have to do this tomorrow, I would suggest
> tonight changing everyone's password to something random, and make them call the
> help desk in the morning. The help desk can verify the user, change the password,
> set it to require a new password on next logon, and get the user back in and
> working...but be prepared for 10K users calling in that morning. Also, be prepared
> for people not having logged off and finding some network services don't work
> because their password is changed and now their account is locked out. :)
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>


-- Raoul Armfield rarmfield at amnh dot org


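The two suggestions above, forcing a change at next logon by setting pwdLastSet to 0 (Raoul) and doing it in daily batches rather than for all 10,000 users at once (krymson), combine into a short administrative script. The following is an added example and is not code from anyone in this thread; it assumes the ActiveDirectory RSAT module, an account allowed to modify users, and that the OU in $SearchBase, the batch size and the CSV log path are placeholders you replace. It also checks the precondition Raoul mentions (complexity enabled first) and reports accounts with "password never expires" set, for which a forced change at next logon is not honoured.

```powershell
# Added example (not from the thread): phased "must change password at next logon"
# rollout via pwdLastSet = 0, processed in batches so the help desk is not swamped.
# Assumptions: ActiveDirectory module available, $SearchBase/$BatchSize/$LogPath are
# placeholders for your own domain. Run with -WhatIf first to see who would be touched.

#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',        # assumed OU
    [int]$BatchSize     = 1000,                                 # users per run (e.g. per day)
    [string]$LogPath    = "pwd-reset-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory

# 1. Precondition: complexity must already be enforced, otherwise a forced
#    change just produces another weak password. (Fine-grained password
#    policies, if any, would need checking separately.)
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ComplexityEnabled -or $policy.MinPasswordLength -lt 8) {
    throw "Enable password complexity (and a sane minimum length) before forcing resets."
}

# 2. Candidates: enabled users not already flagged (pwdLastSet = 0) and without
#    PasswordNeverExpires, because "must change at next logon" is ignored for
#    never-expiring passwords. Those accounts are reported, not silently skipped.
$all = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties pwdLastSet, PasswordNeverExpires

$neverExpires = @($all | Where-Object { $_.PasswordNeverExpires })
$pending      = @($all | Where-Object { -not $_.PasswordNeverExpires -and $_.pwdLastSet -ne 0 })

if ($neverExpires.Count -gt 0) {
    Write-Warning ("{0} account(s) have PasswordNeverExpires set and will NOT be " +
                   "forced to change; review them separately: {1}" -f
                   $neverExpires.Count, ($neverExpires.SamAccountName -join ', '))
}

# 3. One batch per run, oldest password first so the riskiest accounts go early.
$batch = @($pending | Sort-Object pwdLastSet | Select-Object -First $BatchSize)
Write-Host ("{0} still pending, processing {1} this run" -f $pending.Count, $batch.Count)

# 4. Force the change at next logon and log the outcome for the help desk.
#    Setting pwdLastSet = 0 does not alter the current password, so nothing
#    breaks until the user actually logs on and is prompted to change it.
$results = foreach ($u in $batch) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set pwdLastSet = 0')) {
        try {
            Set-ADUser -Identity $u -Replace @{pwdLastSet = 0} -ErrorAction Stop
            [pscustomobject]@{ User = $u.SamAccountName; Status = 'forced'; When = Get-Date }
        } catch {
            [pscustomobject]@{ User = $u.SamAccountName; Status = "error: $_"; When = Get-Date }
        }
    }
}
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Run it once per day with -WhatIf first, then without; each run picks up the next $BatchSize users still pending, and the CSV gives the help desk a list of who was flagged on which day so that callers can be matched against it.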
