Computer Security

Computer security is the prevention/detection of, and response to, any unauthorized actions by users of a computer system. Questions about security practices and principles belong here.

1,022 Questions

How can removable and non-removable media prevent hardware malfunction?

Removable media are used to transfer data between computers, creating backup copies of information and can be used to distribute commercial software between users. Non-removable media is permanently connected to the computer and provides fast access to data. It permits direct access to individual records. So it's important to create a backup of data so that when the system crashes the data can be restored.

Is password sniffing illegal?

In the United States of America, intercepting any digital data is tantamount to wiretapping, which is illegal except when used in conjunction with a warrant or under the Patriot Act. Actively attempting to obtain passwords can be considered a felony, with hefty fines and jail time for convictions. However, just because you came in contact with a password does not mean it is illegal, as long as it was accidental, and that leaked knowledge was not used to breach any account that does not belong to you. Installing a keylogger is illegal, but your friend saying that 'pancakes' was his favorite password is not illegal unless that information is later used to access their account without permission.

What is roaming app data?

Roaming data means collecting a network or signal from another network provider other than the original signal provider. This is generally used when someone is abroad.

How much personal info is on your computer?

This is a relative question. There is as much personal information on your computer as you put there. Some people are not as concerned as others and put a tremendous amount of information on their personal computer. Still others vomit up mountains of information on social networking sites.

The key is, if you would not give a piece of information to a total stranger, do not pass it through your computer.

How do you provide password self service for domain users?

If you enforce a password change policy within your Active Directory domain, chances are you know plenty about the increased help desk calls from remote OWA / VPN users who have an expired password and were unable to log on to the domain, email etc.

Typically, most companies use OWA's change password function within the web interface for supporting remote user password changes. However if your password is already expired, your account is locked out, or you are a new user issued a temporary password (change on next login), there is no native method available to allow these users to self-service the issue. They must call the help desk for assistance, and remain unproductive until IT can provide help.

To easily remedy the issue and "empower" remote users with the ability to self-service password resets, account unlocks, and update a temporary password to a permanent one, you'll need to deploy a 3rd party "web based self service" software solution that interfaces with Active Directory. This type of system provides standard users with an external portal to log into and handle issues themselves quickly and securely.

Sounds easy, right? The problem is, there are many solutions to choose from at varying price levels. Not all self-service systems are created equal. Some are very secure but impossible to deploy (change control nightmare). Others are easy to deploy but not secure at all, compromising perimeter security. Others are easy to deploy and secure, but impossible to build in fault-tolerance to the system or load balancing. And others still are so completely baffling for the user to operate that it ends up causing more help calls than it was designed to reduce!!

How do you make an informed choice? Try a lot of different products. See which one works great from a "dumb user" perspective, and is "realistic" to deploy within your secure environment.

Some "not good" product features to avoid, which should help with your selection:

  • Requires schema extensions / changes to AD in order to function
  • Requires Windows-only computers and installation of client software to function
  • Places sensitive "administrative functions" inside the external web self service portal
  • Web self service portal has not been PCI scan tested by the vendor
  • Requires SQL or MySQL databases to store user data
  • Uses odd butchered versions of open-source code for the web self service portal
  • Does not provide for easy failover, load balancing and system redundancy
  • Does not log web portal events with specific event IDs to the server for monitoring
  • Stores sensitive user data and passwords outside of Active Directory
  • Stores sensitive user data and passwords in the external web self service portal
  • Web self service portal cannot be deployed in a DMZ outside of the secured LAN
  • Software is not designed / built by vendor (product bought from some other company)
  • No in-house support (support number goes to Philippines or India call center)
  • Uses old, cumbersome "question / answer" methods for user enrollment in the web portal (not effective)

When reviewing products, you should ask the above questions. A proper web based self service solution should not have any (or very few) of the above items present. As a yardstick of successful measure, we suggest Password Reset PRO from SysOp Tools.

With a good web based user self service solution deployed for your users that is secure, easy to install and easy for users to navigate, you will reap the benefits of less help calls, more productive users, and better overall enforcement of a secure change password system.

There are open-source tools that let sysadmins forget about changing them and let the users do it by themselves, such as ADiPaRT. It's an Open Source Active Directory Password Reset Tool.

Can a vkey number be retrieved using the MEID or MSID numbers?

Not on an end-user level. Manufacturers believe it is impossible. But for use on an educational level and not to be used for piracy you can search for a keygen program for whatever you are looking for. Keygens only work for the game, OS, or software they are built for. There is no keygen that works for more than one piece of software. This is for informational or curiosity purposes only and again not to be used for anything or any reason that is unlawful anywhere, anytime.

How do you remove virus from ram?

RAM is cleaned when you power off your computer. Your virus is not on the RAM, it is on the hard disk and moves from there into RAM when you start up your computer. You need to remove the virus from the hard disk and then reboot it to clean the RAM.

How do you identify an anonymous commenter on a blog?

You will be notified when a new comment is posted on your blog, and you can recognize an anonymous commenter because the name details are not available and the comment is marked there as anonymous.

Is there a way for a company to know if its security measures are sufficient?

There are a lot of firms doing security testing (e.g. stress tests of your network and IT infrastructure, firewall and network penetration testing, etc.). You may want to refer to a local yellow pages directory to find one.

What are the disadvantages of using insecticides indiscriminately for a long period of time?

Insecticides can be toxic to humans, and if used around food, chemicals can enter your food, which is unhealthy for the body.

Which software are downloaded legally and ethically from the internet for free?

Software that can be downloaded free and legally are:

1: Open Source software (Though not all software that is open source is free)

2: Freeware

3: Shareware

4: Software trials

How do you optimize network performance?

Take an inventory of applications that use the internet; make sure you have no torrents or P2P software running.

Upgrade older network hardware, for example upgrade from a hub to a switch.

What is a cracked serial?

A "Cracked Serial" is a serial number (normally for software) which has been obtained illegally.

Asking for, describing how, or submitting serials is illegal and doing so on WikiAnswers is strictly prohibited.

What is authentication on network?

Authentication means to check the authentication, whether you are right or not. In a network we use this in email addresses, where we have to give our ID and password.

How is cryptography used by the security services?

Cryptography is used by the security services to protect the confidentiality (secrecy) of sensitive information that could do harm to the nation and its citizens if it were disclosed to the public (which would then make it available to the nation's enemies). Messages sent by computer or over tactical radios etc. are first encrypted. Only those who have a need to know and are authorized should have the key necessary to decrypt the message and use the information in it.

What is the difference between advanced encryption algorithm and scalable encryption algorithm?

Scalable encryption algorithm uses only elementary operations commonly found in microcontrollers - addition, logical AND, OR and XOR, rotation and moves. Thus, implementation of the cipher is straightforward and small, while performance is good.

Similarly to the vast majority of modern block ciphers, SEA is also a Feistel cipher, but with a simple structure and maybe unusually high number of rounds. As it is only a few months old, there seems to be no independent cryptanalysis yet, but the authors analysed it for several modes of attack quite exhaustively.

An unusual feature of the cipher is, that it takes into account the native word length of the microcontroller, thus defines e.g. 8-bit, or 32-bit version of the cipher. This increases the ease of its implementation. Although the different word-length versions are mutually incompatible, in the most common scenario this is not a big drawback, as the typical counterpart of the microcontroller is a bigger system (e.g. a PC) with abundant resources, where optimum implementation is not necessary.

Another remarkable feature of the cipher is - as its name indicates - its scalability. It is not an unheard-of feature - for example, one of the requirements for AES was to have variants of the cipher with respect to both block length and key length. But SEA is designed so that it enables virtually any block and key length, provided that both are equal and multiple of 6 word lengths. Of course, in practice a limited set of word length and block/key length will be used, for example the authors compared 96-bit SEA on 8-bit microcontrollers and 192-bit SEA on 32-bit microcontrollers. However, as requirements on key length increase yearly due to advancing technology used (potentially) for brute-force attacks, SEA offers a quick and easy upgrade path.

A minor - but handy - peculiarity of SEA is, that after performing the whole key schedule (i.e. a complete encryption or decryption cycle), the key returns to its initial state. It means that the key does not require any extra memory - it can be stored in the place where it is used.

While attempting to implement the cipher on two popular 8-bit platforms - x51 and AVR, the rather mathematically-oriented notation used by the authors caused confusion in several cases. For example, in the substitution, the "recursivity" means that in the three consecutive steps the already modified values obtained in the previous steps are used, rather than the original value of the data/key. Another maybe confusing thing is the notation of the rounding (the "half-finished" square bracket) which was overlooked due to poor print; while it is easy to describe the algorithm with no rounding altogether (as the number of rounds is by definition always odd).

The presented implementations are written in assembly language of the respective microcontroller and are optimized for speed, resulting in several times larger code than if the author's guideline was followed. The rationale behind this decision is, that even in this way the code size is well below 1 kbyte and in modern microcontrollers the code memory (usually FLASH) comes very cheap in multi-kilobyte chunks. Also, one-way process is given as the reference implementation (only encryption or only decryption - often only one of them is used in embedded applications), although the both-way version is presented, too, coming at a small penalty in size and some decrease in performance.

What is perimeter physical security?

Physical Security is the protection we provide for the buildings, property and assets against intruders. When designing a physical security program, the three levels you need to protect are your outer perimeter, your inner perimeter and your interior. The outer perimeter of your property is defined by your actual property lines.

Perimeter security is a set of physical security and programmatic security that provide levels of protection against remote malicious activity.

Perimeter security is enforced in the following areas:

  • Physical Access Control. The security devices and policies that are enforced for physical access control prevent the spread of viruses through portable storage devices, help protect data on the phone and the Subscriber Identity Module (SIM) card.
  • .cab Signing. .cab file signing provides a more secure method of packaging and delivering applications in Windows Mobile Standard. By signing the .cab files for downloads, Windows Mobile Standard can verify the source and integrity of the file.
  • Device Management. The security policies that are enforced for device management help to protect the device from threats that may originate from over-the-air (OTA) downloads or push messages.
  • Microsoft® ActiveSync®. The RAPI policy that is enforced for ActiveSync operations helps to protect against application-level threats.
Removable Storage Card Security