
  • Status: Solved
  • Priority: Medium
  • Security: Public

for kneH

just for the nice, humorous and helpful conversation in http:/Q_21404074.html
Cheers mate :)

This is prolly an all-time first for EE.

Somebody asks a question and gets points for it LOL.

I always enjoy a good discussion though.

I in my turn thank you for that.
Though next time it's my turn to be right ok? ;)
Btw,.... got my appointment with the consultants we hired tomorrow.
Will ask em how they reckon hardware tokens will be useful for us.

I'll report back here so at least it looks like I did something for my creds ;)
ahoffmann (Author) Commented:
> .. enjoy a good discussion though.
this discussion gave me some news too, hence I find it fair to give credits back
That's like EE works.

LOL well for some reason I suspect pity points as I am not really gaining on you...

ahoffmann  39059
kneH  30985


There wasn't sufficient time to discuss the tokens..
We got stuck with the following migration subjects
Novell NDS --> Microsoft Active Directory
Novell Groupwise --> MS Exchange

Tokens will be in next time (a week)
If you like I can still report back then.

ahoffmann (Author) Commented:
hehe, sounds good: homogenous environment and hence one point of failure: M$
I know...

Just imagine the automatic update procedure being exploited.
bye bye security.....

But then again...
If we would use all SUSE stuff for instance... same problem.

We'll see..

And if all fails I can at least take a few nice servers home with me ;)
This thursday....

Are you excited yet?
ahoffmann (Author) Commented:
thursday what?
Gonna talk to the consultant people which are experts on security.

Got me one reason to go for tokens though.

The fact the pass does change.
Encrypted ones do not.
But then again they do not have to be.

Keyloggers would be useless though when using an event dependent token
ahoffmann (Author) Commented:
hmm, that improves stealing passwords, tokens etc. but it's still 1-factor (see original question http:/Q_21404074.html )
And about security of it see http:/Q_21404074.html#13893293 in particular

Read again to be prepared for the talk, probably you get a bargain then ;-)
Yup you are absolutely right bout the one factor.
But the tokens would still offer additional value due to above mentioned arguments.

Though if them consultant blokes will try n push those tokens upon me because they are two factor which is safe I'll slap em ;)

If we are gonna go for tokens though I'm sure it'll be the safeword ones.
Easiest to use + more secure.
ahoffmann (Author) Commented:
agreed that it is more secure.
But do you give a new token for any action/request following the initial authentication?
If not, are you used to session hijacking and session riding?
Well we could always be had by session riding or hijacking.
I know that.

But then again this could always be the case when you remotely log in.

After this initial authentication the user would still have to log into his citrix session. At least I'm gonna tell em I want that... just to be on the safe side.

So you would have to ride a session within a session really.
Still not undoable but harder.

I want an edit button!!!
Here's the plan.

We have several devices dividable in two groups:
- device with local storage
- device without local storage

With local storage is gonna get an OTP token with a USB thingie which contains a certificate.
Without storage is gonna have a certificate placed on it + get an OTP token without USB (so they can't stick it in and forget it).

The authentication layers will be:
1. certificate
2. OTP
3. PIN

Also we are gonna divide the devices with passwords in two groups again.
- with internet
- without internet

With internet we might even consider them having to create a VPN session first as an extra layer of security.


Good idear?

(btw the USB thingie already means we are not gonna go for safeword.... they don't have one I think... gonna look that up in a sec)

Look at that puppy!

Now that sounds like a nice one.
Not got to the part where they tell me how on earth they are gonna update that thing regularly.... but the idear is good.
