Need a Password? Just Call the Help Desk

A simple policy change on handling lost passwords solves a complex problem at Jude's company

By Jude Thaddeus

January 1, 2001 12:00 PM ET

Recommended

Computerworld - Passwords are a constant source of problems in my organization. They're irritating, they're obtrusive, they're constantly being forgotten, and they don't even provide a good level of security. Long-term, I'm trying to replace our Windows passwords with smart-card access, but until that happens, we've got to cope with passwords.
Our current problem is at our help desk. When Joe User forgets his password, all he has to do is call the help desk and they'll reset it for him. You have to offer this service - legitimate users are forever forgetting their passwords, and you have to have a way to let them back into the system.

This Week's Glossary
X Window System: A multitasking, windowing graphical user interface program that runs on a Unix host for communicating between X terminal devices and Unix host systems.

X terminal: A terminal connected to the X Window System that presents a window-based user interface to the user and allows the user to access multiple applications at the same time.
For the more technical reader, here are the details of three security risks that our scanner identified on four of our systems, with information about how to remedy them:

• A remote host shouldn't allow trusted access from the scanning machine. This trust may extend to other inappropriate machines as well. Examine the .rhosts file and ensure that it contains a list of only those machines that should be trusted.

• Open X Window displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X server set to "xhost +," permitting access to the X server by anyone, from anywhere. Either issue an "xhost -" command to deny access to everyone and selectively allow only trusted hosts to connect with xhost + commands, use a cryptographically secure authentication protocol such as xauth, or remove X Window.

• The inverse query feature supported on some domain name servers (DNS) shouldn't be used. An attacker can use this feature to obtain a zone transfer. Zone transfers identify every machine registered with your DNS and can be used by attackers to better understand your network. The zone transfer occurs even if you've disabled zone transfers on your server. Configure your DNS to disable inverse queries.

But what's to stop me from calling the help desk pretending to be Joe User and getting someone to reset his password and tell it to me? Not a lot - as long as I can convince them that I'm Joe User, they'll tell me his

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

White Papers & Webcasts

Keeping hold of your customers, especially in tough economic conditions
Download Now!

The Commercialization of ITIL: Lessons Learned
Register for this event today!

Oracle Accelerate - Not Just Smart but Timely
Download Now!

Key Findings: Accelerating ROI with BPM
Click here to watch now!

Why BI is Ripe - Now! - For Businesses of Any Size
Download Now!

Top to Bottom Performance Management Excellence at the City of Chicago
View now.

How Midsize Businesses Are Using ERP To Gain Competitive Advantage in a Tough Economy
Download Now!

Strategies for Driving Down IT Support Costs with Lite ITIL Practices
View this now!

Leveling the Field: Powerful Software Solutions for Midsize Companies
Download Now!

Data Protection is not an insurance policy -you cannot buy-back lost data
Find out why you need to maintain access to critical information to run your business and remain competitive.

All White Papers | All Webcasts