MIS Systems thread: Dual Factor Authentication??? (Technical forum)
16th August 2013, 11:19 AM #1
Dual Factor Authentication???
I have read several posts on here about this, but does anyone have (a) a definitive answer to the question: if accessing SIMS via RDP, does the domain authentication followed by separate SIMS authentication count as an acceptable dual factor authentication?; and (b) a link to legislation outlining the dual factor requirement?
16th August 2013, 03:10 PM #2
Dual factor requires something you know and something you have. So two sets of username and password won't really be the same. If written down or snooped both will most likely be lost.
I don't think there is legislation to require it is there? I'd just want to have it, knowing what we do about users.
I think Google provide code you can utilise to put on websites. Not sure how you'd add it to RDP. RSA fobs used to be the standard way of doing it with Windows.
Thanks to vikpaw from:
Gibson335 (16th August 2013)
16th August 2013, 03:21 PM #3
Duo Security support RDP with their 2FA products.
2 Thanks to Arthur:
Gibson335 (16th August 2013), vikpaw (16th August 2013)
16th August 2013, 03:34 PM #4
I accept that domain login and SIMS login is not dual factor authentication, but does anyone actually have proper DFA at their school? I understand the desire to be protective of data, but it's an expensive thing to roll out, and hard to convince an SLT of the need if it's not a strict requirement - and I just can't find anything that states it is... despite reading threads here and in other places where people suggest it IS a legal requirement. For that matter, how is SLG dual factor?
16th August 2013, 03:39 PM #5
Our LEA has centralised SIMS and schools access it via an RDP secured through Microsoft Forefront UAG. You have the option to add grid cards or use hard tokens as a second factor to the normal domain login. Not sure what the pricing of that technology is, or whether it would be viable to do for a single school.
Thanks to pubgrub277 from:
Gibson335 (16th August 2013)
16th August 2013, 03:54 PM #6
My understanding with regards to schools having 2FA is that it was 'preferable' to have it but due to the cost implication it wasn't ruled as a legal requirement, although I may be wrong, and as vikpaw said 2FA is classed as something you know and something you have, so I wouldn't think 2 sets of usernames and passwords would be classed as 2FA.
If 2FA is something you wanted to look at we have supplied both Swivel and SafeNet solutions in the past.
Thanks to Net-Ctrl from:
Gibson335 (16th August 2013)
16th August 2013, 09:35 PM #7
We do! Only a small number of users - not universally offered due to cost. I reckon that we've got lots of data which could usefully be accessed remotely which doesn't need 2FA and I'm looking at ways of doing this - biggest issue will be separating data into security categories, rather than technical issues. However, SIMS data doesn't come into that category. As far as I know, it is a strong recommendation rather than a legal requirement, but I wouldn't be happy allowing access without 2FA. The traditional RSA tokens give quite a high up front cost. Using phones looks like a good option and the one @Arthur mentioned looks like one of the best.
16th August 2013, 11:07 PM #8
I have it for my Groupcall SIMS Emerge setup. The phone is the second factor.
I think you can get an add-on to SLG but you'd have to do the work.
The best (simplest) I can think of is to use the Google Authenticator app and wedge its code into a front page.
I'm now using Google authenticator with my hotmail account - shh!
17th August 2013, 10:30 AM #9
Someone from our LEA said it was a requirement, or that you should have Dual Factor Authentication when accessing MIS systems, when we were discussing remote access, as well as anything web facing being SSL, which makes sense, so we did this as if there was a security issue I didn't want the LEA saying they had told us this and we hadn't factored this in. So we built Dual Factor into our own RDP solution, so you need the App on a memory stick, PC or laptop and a username and password, and added extra security, logging, App disabling etc. on the front end and locked down RDP as much as possible, for instance only enabling RDP through the web interface and only for that session, closing ports not needed etc. Wonder if you could do something like this. We also let students access over RDP through this route but without the encrypted App so they can't access SIMS or MIS systems. The LEA also get an external company to do Penetration testing on our web facing solutions so we know these are as secure as possible; recently had them pick up an issue on our Moodle Server with an older version of PHP, so upgraded Moodle and PHP and informed the LEA as we want to keep up a good relationship with them.
Last edited by Steven_Cleaver; 17th August 2013 at 10:33 AM.
17th August 2013, 12:06 PM #10
The government does not provide specific legislation covering things like passwords and dual factor authentication. They provide some advice/guidance, sure, based on their interpretation of the laws.
However, the law basically states that data should be secure and safe. If it isn't without DFA then you're not complying with the law. If it is, then you're fine.
It's all about risk assessment. How risky is it for your web facing systems not to have DFA? Are your passwords in school secure? I.e. do they get changed regularly (by regularly, every 60-90 days maximum)? Do you have account lock-outs in place if the wrong password is entered a certain number of times (maximum 10)? Password complexity requirements?
If you've got a robust system in place, you may not have a need for DFA but it can't hurt (well, other than your wallet).
Thanks to localzuk from:
vikpaw (17th August 2013)
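localzuk's lock-out question is the one item on that checklist that is easy to get subtly wrong, because a lock-out has three settings, not one: the failure threshold, the window in which failures are counted, and how long the lock lasts. The block below is an added example, not localzuk's or any poster's code and not Microsoft's implementation; it simulates a Windows-style policy with those three settings and replays a constructed authentication log through it. The log format, user names and addresses are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample authentication log (not from any real system).
# Columns: ISO timestamp, whether the password matched, user, source address.
SAMPLE_LOG = """\
2013-08-17T08:00:00 FAIL ateach 10.0.0.7
2013-08-17T09:00:00 FAIL ateach 10.0.0.7
2013-08-17T09:45:00 FAIL ateach 10.0.0.7
2013-08-17T09:50:00 OK   ateach 10.0.0.7
2013-08-17T10:00:00 FAIL jsmith 203.0.113.9
2013-08-17T10:00:01 FAIL jsmith 203.0.113.9
2013-08-17T10:00:02 FAIL jsmith 203.0.113.9
2013-08-17T10:00:03 FAIL jsmith 203.0.113.9
2013-08-17T10:00:04 FAIL jsmith 203.0.113.9
2013-08-17T10:00:05 FAIL jsmith 203.0.113.9
2013-08-17T10:00:06 FAIL jsmith 203.0.113.9
2013-08-17T10:00:07 FAIL jsmith 203.0.113.9
2013-08-17T10:00:08 FAIL jsmith 203.0.113.9
2013-08-17T10:00:09 FAIL jsmith 203.0.113.9
2013-08-17T10:00:10 OK   jsmith 203.0.113.9
2013-08-17T10:35:00 OK   jsmith 10.0.0.5
"""


class LockoutPolicy:
    """Windows-style account lock-out: `threshold` failed passwords inside
    `observation_window` lock the account for `lockout_duration`.
    Defaults follow localzuk's 'maximum 10' and a 30-minute window/duration
    (the 30-minute values are this example's assumption)."""

    def __init__(self, threshold: int = 10,
                 observation_window: timedelta = timedelta(minutes=30),
                 lockout_duration: timedelta = timedelta(minutes=30)):
        self.threshold = threshold
        self.observation_window = observation_window
        self.lockout_duration = lockout_duration
        self._failures: Dict[str, List[datetime]] = defaultdict(list)
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user: str, now: datetime, password_ok: bool) -> str:
        """Apply one login attempt in time order; returns 'OK', 'FAIL' or 'LOCKED'."""
        if self.is_locked(user, now):
            return "LOCKED"          # even a correct password is refused while locked
        if password_ok:
            self._failures[user].clear()
            return "OK"
        # Only failures inside the observation window count towards the threshold,
        # so a few typos spread over a morning never lock anyone out.
        cutoff = now - self.observation_window
        recent = [t for t in self._failures[user] if t > cutoff]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout_duration
            self._failures[user].clear()
            return "LOCKED"
        return "FAIL"


def replay_log(log_text: str, policy: Optional[LockoutPolicy] = None) -> List[Tuple[str, str]]:
    """Run each log line through the policy in order; returns (user, outcome) pairs."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _src = line.split()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        outcomes.append((user, policy.attempt(user, now, result == "OK")))
    return outcomes


if __name__ == "__main__":
    for user, outcome in replay_log(SAMPLE_LOG):
        print(f"{user:8} {outcome}")
```

In the sample, `ateach` fails three times over two hours and is never locked, while `jsmith` is locked on the tenth failure in ten seconds and stays locked even when the right password follows a second later. The observation window and a finite lock-out duration are what keep the control from turning into a way of locking legitimate staff out; a policy with a threshold but no reset window is the version that generates helpdesk calls.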
17th August 2013, 01:04 PM #11
We restrict RDP, and ultimately remote SIMS access, to school owned devices by security group, so I suppose technically we have 3FA for SIMS remotely.
17th August 2013, 03:23 PM #12
Something I've mentioned before: I bet there's lots of confidential data on unsecured flash drives in most schools and that's arguably a much worse risk than most remote access arrangements, even without 2FA. (FWIW, I'd still implement it for SIMS.)
17th August 2013, 04:39 PM #13
Completely agree, and our Head has emailed staff and told them not to use data sticks to store data but to use our remote access system, as if they store data on a memory stick and this gets lost they will be liable to disciplinary action, and this is now in our ICT policy.