If the only access to the application itself is from within your network,
one response you could give your security people is "What's the potential
damage if they do gain access?" Seeing other teams' trouble ticket data (if
that's all they would have access to) doesn't strike me as particularly
dangerous.

Rick

On 12/6/07, Rick Cook <[EMAIL PROTECTED]> wrote:
>
> I think there is some basic functionality in ARS but it really gets beefed
> up in ITSM 7, and I think some more in ARS 7.1.0.  There's no reason a
> smart guy couldn't build himself what Remedy built on those platforms, so
> you wouldn't need to install ITSM 7 to get the functionality contained
> therein.
>
> Rick
>
>  On 12/6/07, patrick zandi <[EMAIL PROTECTED]> wrote:
> >
> > Remedy does have this option -- forgot which version it starts with
> > -- I believe 7.0.
> > You can set the number of bad password attempts. It then sets a flag in
> > the AD server on your account,
> > and even if the account is unlocked in AD it is not unlocked in Remedy
> > yet.
> > To reset it you need to change the flag in AD on their account.
> >
> > On Dec 6, 2007 4:51 PM, Durrant, Michael M. - ITSD <[EMAIL PROTECTED]> wrote:
> >
> > > Our security team posed this question to me earlier:
> > >
> > > What prevents someone from brute forcing a Remedy user account
> > > password?
> > >
> > >  In response I said, "Uhhhh.... great question!"
> > >
> > > When using the built-in NTLM authentication (Cross Ref Blank Password
> > > in Server Information -> External Authentication) in Remedy, AD prevents
> > > it by locking out accounts after 3 unsuccessful login attempts.  As far
> > > as I can tell, Remedy does nothing in this regard for application
> > > accounts.  Has anyone else experienced this issue?
> > >
> > > Thanks!
> > >
> > > Michael
> >
> >
> >
> >
> > --
> > Patrick Zandi
>
>
>

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org