MIS Systems Thread: Dual Factor Authentication??? (Technical)
  1. #1
    Gibson335

    Dual Factor Authentication???

    I have read several posts on here about this, but does anyone have (a) a definitive answer to the question: if accessing SIMS via RDP, does the domain authentication followed by separate SIMS authentication count as an acceptable dual factor authentication?; and (b) a link to legislation outlining the dual factor requirement?

    Many thanks.

  2. #2

    vikpaw
    Dual factor requires something you know and something you have. So two sets of username and password won't really be the same. If written down or snooped both will most likely be lost.

    I don't think there is legislation to require it is there? I'd just want to have it, knowing what we do about users.

    I think Google provide code you can utilise to put on websites. Not sure how you'd add it to RDP. RSA fobs used to be the standard way of doing it with Windows.

  3. Thanks to vikpaw from:

    Gibson335 (16th August 2013)

  4. #3


    Duo Security support RDP with their 2FA products.


  5. 2 Thanks to Arthur:

    Gibson335 (16th August 2013), vikpaw (16th August 2013)

  6. #4
    Gibson335
    I accept that domain login and SIMS login is not dual factor authentication, but does anyone actually have proper DFA at their school? I understand the desire to be protective of data, but it's an expensive thing to roll out, and hard to convince an SLT of the need if it's not a strict requirement - and I just can't find anything that states it is... despite reading threads here and in other places where people suggest it IS a legal requirement. For that matter, how is SLG dual factor?

  7. #5
    pubgrub277
    Our LEA has centralised SIMS and schools access via an RDP secured through Microsoft Forefront UAG. You have the option to add grid cards or use hard tokens as a second factor to the normal domain login. Not sure what the pricing of that technology is, or whether it would be viable to do for a single school.

  8. Thanks to pubgrub277 from:

    Gibson335 (16th August 2013)

  9. #6
    Net-Ctrl
    My understanding with regards to schools having 2FA is that it was 'preferable' to have it but due to the cost implication it wasn't ruled as a legal requirement, although I may be wrong, and as vikpaw said 2FA is classed as something you know and something you have, so I wouldn't think 2 sets of P/W and usernames would be classed as 2FA.

    If 2FA is something you wanted to look at we have supplied both Swivel and SafeNet solutions in the past.

  10. Thanks to Net-Ctrl from:

    Gibson335 (16th August 2013)

  11. #7

    Quote Originally Posted by Gibson335 View Post
    I accept that domain login and SIMS login is not dual factor authentication, but does anyone actually have proper DFA at their school? I understand the desire to be protective of data, but it's an expensive thing to roll out, and hard to convince an SLT of the need if it's not a strict requirement - and I just can't find anything that states it is...despite reading threads here and in other places where people suggest it IS a legal requirement. For that matter, how is SLG dual factor?
    We do! Only a small number of users - not universally offered due to cost. I reckon that we've got lots of data which could usefully be accessed remotely which doesn't need 2FA and I'm looking at ways of doing this - biggest issue will be separating data into security categories, rather than technical issues. However, SIMS data doesn't come into that category. As far as I know, it is a strong recommendation rather than a legal requirement, but I wouldn't be happy allowing access without 2FA. The traditional RSA tokens give quite a high up front cost. Using phones looks like a good option and the one @Arthur mentioned looks like one of the best.

  12. #8

    vikpaw
    I have it for my Groupcall SIMS Emerge setup. The phone is the second factor.

    I think you can get an add on to SLG but you'd have to do the work.

    The best (simplest) I can think of is to use the Google Authenticator app and wedge its code into a front page.

    I'm now using Google Authenticator with my hotmail account - shh!

  13. #9
    Steven_Cleaver
    Someone from our LEA said it was a requirement, or that we should have Dual Factor Authentication when accessing MIS systems, when we were discussing remote access, as well as anything web facing being SSL, which makes sense, so we did this, as if there was a security issue I didn't want the LEA saying they had told us this and we hadn't factored this in. So we built Dual Factor into our own RDP solution, so you need the App on a memory stick, PC, laptop and Username and Password, and added extra security, logging, App disabling etc. on the front end and locked down RDP as much as possible: for instance it only enables RDP through the web interface and only for that session, closes ports not needed etc. Wonder if you could do something like this. We also let students access over RDP through this route but without the encrypted App so they can't access SIMS or MIS systems. The LEA also get an external company to do Penetration testing on our web facing solutions so we know these are as secure as possible; recently had them pick up an issue on our Moodle Server with an older version of PHP, so we upgraded Moodle and PHP and informed the LEA as we want to keep up a good relationship with them.
    Last edited by Steven_Cleaver; 17th August 2013 at 10:33 AM.

  14. #10

    localzuk
    The government does not provide specific legislation covering things like passwords and dual factor authentication. They provide some advice/guidance, sure, based on their interpretation of the laws.

    However, the law basically states that data should be secure and safe. If it isn't without DFA then you're not complying with the law. If it is, then you're fine.

    It's all about risk assessment. How risky is it for your web facing systems not to have DFA? Are your passwords in school secure? I.e. do they get changed regularly (by regularly, every 60-90 days maximum)? Do you have account lock-outs in place if the wrong password is entered a certain number of times (maximum 10)? Password complexity requirements?

    If you've got a robust system in place, you may not have a need for DFA but it can't hurt (well, other than your wallet).

  15. Thanks to localzuk from:

    vikpaw (17th August 2013)

  16. #11
    markwilfan
    We restrict RDP and ultimately remote SIMS access to school owned devices by security group, so I suppose technically we have 3FA for SIMS remotely.

  17. #12

    Quote Originally Posted by localzuk View Post
    However, the law basically states that data should be secure and safe. If it isn't without DFA then you're not complying with the law. If it is, then you're fine.
    Something I've mentioned before: I bet there's lots of confidential data on unsecured flash drives in most schools and that's arguably a much worse risk than most remote access arrangements, even without 2FA. (FWIW, I'd still implement it for SIMS.)

  18. #13
    Steven_Cleaver
    Quote Originally Posted by jmak View Post
    Something I've mentioned before: I bet there's lots of confidential data on unsecured flash drives in most schools and that's arguably a much worse risk than most remote access arrangements, even without 2FA. (FWIW, I'd still implement it for SIMS.)
    Completely agree, and our Head has emailed staff and told them not to use data sticks to store data but to use our remote access system, as if they store data on a memory stick and this gets lost they will be liable to disciplinary action, and this is now in our ICT policy.


