I think you're being a tad optimistic about the state of security for PDAs and cells:

http://www.pointsec.com/news/newsreleases/release.cfm?PressId=44
http://www.net-security.org/article.php?id=533

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author:
"Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"

Download your free copies:
http://www.puryear-it.com/publications.htm

Thursday, February 15, 2007, 11:47:44 AM, you wrote:

> You're assuming someone would be able to hack out an email password from
> a stolen device. I doubt many devices actually store the passwords in an
> easy-to-access cleartext sort of way. Usually this will require a
> brute-force attempt on the device, which would be extremely difficult
> given the nature of getting data out of a cell phone, for example.
>
> We host email for users that use mobile devices. These devices use
> specialized software to push the email to them. With the software we use
> (NotifyLink), the device doesn't even know the true email password of
> the user. That information is stored on an intermediate server that sits
> between the real mail server and the user's device to push out that
> information. I'm pretty sure that the Blackberry Enterprise Server does
> something similar. I know that the basic Blackberry services that the
> cell phone providers offer do the same as well.
>
> Even if it is possible to somehow crack those passwords, given enough
> time, it would also be assumed that the user will notice that he's had a
> theft, and have been able to change his password as well. This is where
> it's advantageous to use a single sign-on for all his services. That way
> he's got a single password to have to change and most likely has an easy
> way to either do it himself or get administrative assistance in doing it.
> If we're using separate passwords for email and other services, then the
> user may not even realize that fact. If he gets an email device stolen,
> he may change his password for 'other' services, not knowing that his
> email is still getting to the device. The thief then can potentially
> read that user's email, or masquerade as him and cause all kinds of damage.
>
> In the case of a VPN client, it's within the policies of many VPN
> clients to not save passwords, and require the user to enter passwords
> for every login.
>
> Considering the above, my vote is for a single, well protected, easy to
> change password for all of a user's activities. This keeps things very
> simple and makes it possible to enforce password complexity. It's a lot
> easier for a user to remember one complex password than many. In the
> event his secret password does get compromised, it's a one-step task to
> change it.
>
> I've had a lot of success hosting accounts in Active Directory, and then
> using LDAP mechanisms to authenticate against it across several
> platforms. AD makes it easy for semi-technical people to manage
> accounts, and it's a predictable schema for building LDAP-aware
> applications to authenticate against.
>
> -Tim
>
> Dustin Puryear wrote:
>> Agreed. How often do people tie their VPN into, for example, AD or
>> LDAP? And how many people tie their email credentials to, for example,
>> AD or LDAP? So if I get your email credentials from your lost
>> cellphone or PDA, then I have your VPN credentials..
>>
>> This really has nothing to do with admins.
>>
>> Wednesday, February 14, 2007, 6:40:32 PM, you wrote:
>>
>>> The admin isn't the only user that has valuable information. I don't
>>> think we are talking only about network security, but data security as well.
>>>
>>> --mat
>>>
>>> Kevin Kreamer wrote:
>>>> Dustin Puryear wrote:
>>>>> What are your thoughts on whether email accounts should be separate
>>>>> from normal network accounts? Pros? Cons? Should companies just not
>>>>> allow external access to email via POP or IMAP and just require
>>>>> Webmail access so users have to manually enter passwords? Does that
>>>>> solve the real problem? I'm interested in hearing what everyone has to
>>>>> say.
>>>>>
>>>> I'm going to add here the opinion that if your network security relies
>>>> on the security of non-admin user passwords, you've already got
>>>> problems. Likewise if your admins pick insecure passwords or write them
>>>> down in sticky notes.
>>>>
>>>> Kevin
>>>>
>>>> _______________________________________________
>>>> General mailing list
>>>> General at brlug.net
>>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
