David,

> Can anyone enlighten me about the account option "store password using
> reversible encryption"? As I understand it, some kinds of clients and
> some kinds of remote access solutions that use CHAP require that this
> option be enabled. Just the sound of it makes me uncomfortable.

You've got it just right, and you *should* be uncomfortable.

> What are the security implications of setting this option on a user
> account?

Basically, if an intruder manages to get their hands on the encrypted but reversible password data, they will have everyone's passwords.

Assuming that you do need to support an authentication protocol that uses plaintext user passwords (and such protocols are frequently quite secure), your best bet is to identify the users who need it, and spin up a service -- not necessarily on AD -- to provide that type of authentication to just those users. You've already got P-Synch, so it will be no trouble to synchronize passwords between AD and whatever service you choose, for those users. From the end-user's perspective, it will all be the same ID/password.

I hope this helps ... please contact me off-line in case you'd like to discuss in greater depth.

Cheers,
- Idan

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
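The reply's advice is to find the accounts that actually need reversible storage and keep the setting off everywhere else. The script below is an added example, not part of the original thread or of P-Synch: it lists every AD user with "Store password using reversible encryption" set (bit 0x80, ENCRYPTED_TEXT_PWD_ALLOWED, in userAccountControl), then clears the flag for anyone not on a hypothetical allow-list. It assumes the ActiveDirectory RSAT module and rights to read and modify user objects; the allow-list names are placeholders.

```powershell
# Added example (not from the original thread): audit and narrow the set of
# AD users that have "Store password using reversible encryption" enabled.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify users.
Import-Module ActiveDirectory

# ENCRYPTED_TEXT_PWD_ALLOWED bit in userAccountControl
$ReversibleFlag = 0x80

# LDAP bitwise-AND matching rule: returns accounts with the flag set.
$flagged = Get-ADUser `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ReversibleFlag)" `
    -Properties userAccountControl, AllowReversiblePasswordEncryption, LastLogonDate

# Report what was found before changing anything.
$flagged |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ Name = 'ReversibleEncryption'
           Expression = { ($_.userAccountControl -band $ReversibleFlag) -ne 0 } } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Hypothetical allow-list: the users identified as needing a CHAP-style
# protocol that requires the plaintext password. Placeholder names.
$needsReversible = @('chap-user1', 'chap-user2')

# Clear the flag for everyone else. -WhatIf previews the change; remove it
# to apply. Clearing the flag does not discard the copy already stored in
# reversible form; the affected users must change their password afterwards
# so the stored reversible copy is replaced.
foreach ($u in $flagged) {
    if ($needsReversible -notcontains $u.SamAccountName) {
        Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -WhatIf
    }
}
```

Run the audit part first and review the table; the same flag can also be forced on for the whole domain by the "Store passwords using reversible encryption" password policy setting, so check that it is Disabled at the domain level as well, otherwise per-account cleanup will not stick.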
