I am looking at going down the route of SIMS AD integration. Something that concerns the staff is the ability just to open SIMS without putting in a password again. (I know machines should be locked etc., let's not go into that here.)
Is it possible using AD auth to prompt for a password when you open SIMS and disable the ability to just press OK?
I'd be interested if you do find out if/how to do this - it's one of the reasons I haven't done it.
I would avoid this at all costs.
Once a student or another staff member gets their login password, they have the keys to the kingdom. Never a good idea to have the same password for your machine and student information systems. Especially since staff leave their passwords on sticky notes or papers under their keyboards lol.
I would guess it's probably not possible, as the point of AD integration is to stop you having to do this.
I suppose you could achieve the same effect by not using AD integration, but have some sort of service or scheduled task watching for AD password changes and syncing these to SIMS, but that'd require reversible encryption and access to a SIMS developer API, and I don't think it'd be easy.
Seems like you're chasing your tail. Which password do you want them to enter? The point of the integration is that they don't need to enter a password, so it's single sign-on.
The solution is to lock the machine when not in use, then it will prompt them to enter their AD password before gaining access again.
Don't dismiss the 'machine should be locked and secure argument' that's just sticking your head in the sand.
Yes, you could write your own custom app that runs instead of SIMS and prompts for their AD password and checks it against the LDAP server, and if it's correct then runs the SIMS program. (a) It's a major hassle and waste of time, and (b) having the correct shortcut to SIMS would bypass it.
I wrote an app once that just checked if SIMS needed updating, mainly for laptops to prevent it hanging on wireless, but if someone searched out and clicked on the SIMS icon they were screwed.
I don't think it's easy to password protect programs.
As mentioned, don't use integration, set the username to be the same as on AD, and tell them to use the same password. If they change their AD password, tell them to click the change password box on SIMS and make it match. How often do you force changes anyway? Once a term?
Basically I want it so SIMS uses the AD password, but instead of pressing OK and getting right into SIMS they have to enter it manually.
Password changes are more regular than once a month.
If the changes to password are that frequent your users are most likely so annoyed with you, it won't matter if you force them to manually update their SIMS passwords!
The only other way I can think of doing this (but it's a bit of a bodge): as mentioned above, create a custom app that checks the LDAP password, but create a separate password for each user for SIMS that they never need to know. (For simplicity, let's just say it's stored in the AD description.)
Once the LDAP app checks the password, if it's valid it launches SIMS with the password from AD. That way when they change their password it wouldn't affect SIMS, and you'd still need to manually log in.
But it seems a lot of hassle just to stop them remembering two passwords, or locking a machine.
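The launcher idea from the two posts above (prompt for the AD password, validate it against the domain, then start SIMS) as an added PowerShell example; this is not code from this thread or from SIMS. It assumes the domain name and install path shown, and it deliberately does not store or pass on any password: it only gates the launch, so the already-logged-on session is what SIMS sees.

```powershell
# Added example, not from this thread or from SIMS: a wrapper that re-prompts
# for the user's AD password, validates it against the domain, and only then
# starts SIMS. Assumed values: the domain name and the SIMS install path.
param(
    [string]$Domain  = 'school.local',                              # assumed domain
    [string]$SimsExe = 'C:\Program Files\SIMS\SIMS .net\pulsar.exe' # assumed path
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdPassword {
    param([string]$Domain, [pscredential]$Credential)
    # Validate the supplied name/password against the domain. Note that a failed
    # check is a real bad-password attempt, so it counts towards AD lockout.
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        return $ctx.ValidateCredentials($Credential.UserName,
            $Credential.GetNetworkCredential().Password)
    } finally {
        $ctx.Dispose()
    }
}

# Prompt for the logged-on user's network password (user name pre-filled so the
# check is always against their own account, not one they type in).
$cred = Get-Credential -UserName $env:USERNAME `
    -Message 'Re-enter your network password to open SIMS'
if ($null -eq $cred) { exit 1 }   # user cancelled the prompt

if (Test-AdPassword -Domain $Domain -Credential $cred) {
    # The password is never handed to SIMS; the trusted (AD) login inside SIMS
    # still works as before. The script only decides whether to launch it.
    Start-Process -FilePath $SimsExe
} else {
    Write-Warning 'Password not accepted; SIMS was not started.'
    exit 1
}
```

As the earlier post points out, this only protects the shortcut that runs the script: anyone who opens pulsar.exe directly skips the prompt, so it does not replace locking the machine.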
I too am looking at enforcing a password change every 30 days and a password length of at least 10 characters (numbers and letters only). But as for SIMS, I have consulted with the SLT team and we are of the same mind: not to use the AD integration tool for SIMS, as we feel staff are comfortable setting their own password for this, which could be the same as their network password, but of course it will be up to them if they want to change it every 30 days.
Keeping the SIMS login separate from the network login is in our case a much better proposal for our school. I am sure that a program developer can write a SIMS shortcut app which will function via AD to check if the username and password match and then prompt for a password to be entered before access to SIMS; this is probably the way I would work it.
This is harking back to a conversation I have been having many a time with customers and partners (professional!): this concept that Single Sign On means 'I sign in once and I have access to everything without needing to log in again'.
Which is a) incorrect and b) dangerous. SSO is actually about federating secure logins so that you have the same login across many apps, but for security you still need to login to each. We do that with Aspen & AD (just one of the many integration features). Having pass through authentication into a MIS via Windows logons has never sat well with me. Is convenience really a preference over security?
Then surely it should have been called SAME Sign On. I've always understood single sign on to be just that.
From a security point of view, I do like the SaSo idea, much like you can use login with Facebook or Google to access stuff.
AD logins are waaaay more secure than SQL. If the teacher has left the machine unlocked and logged in, it doesn't matter if you have trusted logins for SIMS. It's just as dangerous. The login screen is a false layer of security the n00bs cling to. Most teachers log in to SIMS in the AM and they don't close it until they leave at the end of the day. If you can get into the SIMS directory, you've most likely got the census, workforce census, assessment and all other kinds of data in spreadsheets and XML files that contain sensitive information.
SIMS passwords are case insensitive and carry no real security requirements. If they did, can you imagine how much hassle this would create for staff having to maintain two secure passwords? Let's face it, they'll use the same password.
The only valid argument for trusted logins getting prompted for a login was from an LA who pointed out that you would need it for them to support them correctly. I would hope that the impersonate ability would allow this, but I'm not sure if it would actually work, i.e. if the school's creds would get the SQL connection across the LA network. I suppose you could test this idea with the runas command, i.e.
runas /user:school\administrator "c:\program files\sims\sims .net\pulsar.exe"