MIS Systems Thread, SIMS.Net Active Directory Integration in Technical
-
5th March 2008, 03:12 PM #16 sims not yet?
sims not yet broke our AD, folder redirection just stopped working after applying ( yet another ) upgrade
but to be honest we immediately felt the benefit of the upgrade as we all got an icon changed !! wow
-
-
5th March 2008, 03:36 PM #17 
Originally Posted by
farmerste
sims not yet broke our AD, folder redirection just stopped working after applying ( yet another ) upgrade
but to be honest we immediately felt the benefit of the upgrade as we all got an icon changed !! wow

LOL
-
-
5th March 2008, 03:37 PM #18 Reminds me, a kid once asked me the name of one of my colleague's wife. The kid was sat at a computer at the logon screen with the colleague's user name already typed in.
-
-
5th March 2008, 03:44 PM #19 We make our users change AD passwords every 45 days, SIMS never makes them change it so it's a fair bet they're different here.
-
-
5th March 2008, 07:40 PM #20 
Originally Posted by
cookie_monster
We make our users change AD passwords every 45 days, SIMS never makes them change it so it's a fair bet they're different here.
have you tested to see if oldpassword1, oldpassword2, oldpassword3 works? 
I'd rather they had _one_ good, hard-to-guess or bruteforce password that they were careful not to disclose.
-
-
5th March 2008, 08:01 PM #21

Originally Posted by
pete
The problem is users who use crap passwords, write down their crap passwords, tell their crap passwords to other people and consider their convenience more important than keeping data secure, buffered by management who doesn't see password (and thus data) security as a big part of the teacher's job and so doesn't bollock them sufficiently when said lax password security is raised as an issue.
Couldn't agree more.
Single sign-on doesn't help with that, multiple passwords doesn't either because I bet anyone on here £5 that at least 50% of your staff have an identical AD and SIMS password [...]
... disagree. I think it's well-documented that single sign-on does help for the following reasons:
1) It's easier to audit one authentication on one system than eg. 5 authentications on 5 systems running different types of authentication.
2) It's easier to configure your one point of authentication to have the security level you desire. "Force all your access through one door, and make sure you understand the security of that door". I *trust* the Windows implementation of Kerberos, I don't trust the fact that SIMS doesn't encrypt passwords before sending.
3) I restate, but the principle of requiring your users have ONE password instead of several WILL, overall, reduce the risk of passwords being compromised.
4) If a password has been compromised, there's one place to change it. Less confusion for the unsavvy user.
Ok... I hear your points. But there's no use being fatalistic about it: "nobody will ever take security seriously" etc...
-
-
6th March 2008, 02:49 AM #22 Also, wasn't there a recommendation in the BECTA Security guidelines to implement federated access control (and therefore SSO)?
-
-
6th March 2008, 09:08 AM #23 Well, we have the following passwords in the school for staff:
1. Their windows domain account, used for windows, helpdesk, room booking
2. Their email username and password, used for any system provided by county, so email, SiX, learning gateway etc...
3. Their website password, used for editing the school website
4. Their SIMS.net password
5. Their voicemail pin
And then, there are a few with access to other systems such as FMS, Nova-T4, and Expo Electro.
I know of at least 5 teachers who have those details written in their diaries. This number increases for our TAs.
A single sign on would increase security no-end.
-
-
6th March 2008, 10:01 AM #24 We are moving towards single sign on, this active directory integration helps this a lot
-
-
16th December 2009, 12:05 PM #25

Originally Posted by
DSapseid

Surely this is a security risk?
What if a member of staff logs on to a machine and goes walkabouts as they always do without locking it, when a kid walks up and opens SIMS and they can get access to all the info!

;-)
I think you have answered your own question - The security risk is about staff leaving their workstations logged in and going walkabouts. I would be seriously worried about anybody leaving their workstation unattended with access to the network and email, let alone SIMS
-
-
16th December 2009, 12:13 PM #26
Excellent response

Originally Posted by
msi
Firstly, to DSapseid. I've heard this argument used a number of times now. I've heard people say that having the extra password box 'adds an extra layer of security'.
You are right, a member of staff can walk away from their laptop without locking it. But what difference does having the extra login box make?
Staff are just as likely to leave their laptop unlocked with SIMS running as they are without it running!
They may KNOW not to leave SIMS open, but actually they should KNOW not to leave ANYTHING open!
Alternatively, even if SIMS isn't left open, they may leave their email open - which in a school environment where staff email parents, could be equally damaging in terms of data security!
The key is to teach staff to ALWAYS lock Windows. And get them to sign an agreement saying they will do so.
In fact, using Windows authentication (i.e. the removal of the SIMS username and password) will increase total security as long as staff lock laptops.
The reason for this is that you can prevent people from logging on to SIMS from another person's Windows logon. Everything can then technically be tracked back to someone's Windows logon. SIMS logon is ALWAYS tied to Windows logon.
Furthermore, you can't set password policies for SIMS, but you can for a Windows domain.
Also, passwords aren't sent unencrypted :P
Other security principles are in force with Single Sign-on:
1) The more times your user enters a password, the more likely it is to be overseen by someone else
2) The more passwords your users have, the more likely they are to write them down
etc.
In conclusion, to a layman it would seem more secure to have an extra prompt to enter a password - it would seem like an extra 'level' of protection.
In actual fact, the less thoughtful your users are, the more important it is to use Single Sign-on, flowed authentication, and the reduction of number of passwords (note: the increase in password complexity).
We use Windows Authentication for SIMS, and... it works. I don't trust anyone who says it's a risk... it's a risk not to!
-
-
16th December 2009, 01:40 PM #27 
Originally Posted by
dhicks
I understood (from the consultant who came to move our SIMS installation to our new server) that SIMS doesn't check passwords, it simply trusts the username it is passed.

Originally Posted by
j17sparky
Is this true?
Yes. The SIMS client will check the username it is passed from Windows and, if set up to do so, will automatically log that user in to SIMS. This is the same as NTLM authentication as used by web browsers (although I don't know if this is actually NTLM authentication, I can't be bothered to go and look it up).
This system works well for us using SIMS over Terminal Services - the user logs in to the TS server, the SIMS client automatically starts up and logs them in, as far as the user is concerned they've just logged in to SIMS using their standard AD username and password. You can set the password-protected screensaver to start on the TS server after 3 minutes, so anyone wandering away from their workstation gets it automatically locked pretty quickly and everyone only has one username and password to remember.
--
David Hicks
-
-
16th December 2009, 02:19 PM #28 
Originally Posted by
pete
have you tested to see if oldpassword1, oldpassword2, oldpassword3 works?
I'd rather they had _one_ good, hard-to-guess or bruteforce password that they were careful not to disclose.
Password sharing is a problem here
so we make them change their password every 45 days and it has to be 8+ characters and alpha numeric. I'm ok with them writing it down and keeping it in their purse or wallet tbh, at least then they have good passwords that help secure our remote access.
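Added example, not part of any post in this thread: a change-time check for the "oldpassword1, oldpassword2, oldpassword3" pattern raised above, combined with the 8+ character alphanumeric rule from the last post. It assumes the check runs where both the old and the new plaintext are available (a change-password form), since a hash-based password history cannot see that only a counter moved. The function names are hypothetical, and "alphanumeric" is read here as "contains letters and digits".

```python
import re

MIN_LENGTH = 8  # "8+ characters" from the post above


def _stem(password: str) -> str:
    """Case-fold, then strip the leading/trailing digits and punctuation that
    users typically bump on a forced change (oldpassword1 -> oldpassword2)."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.casefold())


def check_new_password(old: str, new: str) -> list[str]:
    """Return the reasons a proposed password is rejected; empty list = accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    # Assumed reading of "alpha numeric": at least one letter and one digit.
    if not (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)):
        problems.append("not alphanumeric (needs letters and digits)")
    old_stem, new_stem = _stem(old), _stem(new)
    if new == old:
        problems.append("identical to old password")
    elif old_stem and old_stem == new_stem:
        # Differs from the old password only in case or in the digits and
        # punctuation at either end, so the 45-day rotation gained nothing.
        problems.append("same stem as old password, only the counter changed")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs (old, proposed new) for illustration only.
    samples = [
        ("oldpassword1", "oldpassword2"),
        ("Summer2009!", "summer2010"),
        ("oldpassword1", "short1"),
        ("oldpassword1", "correct7horse2battery"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```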
-
-
17th May 2011, 09:30 AM #29

Originally Posted by
robknowles
Hello,
Has anybody been able to integrate Active Directory and SIMS.Net together? We've just moved to SIMS.Net and if possible would like the ability for SIMS.Net not to bring up the prompt but instead log them straight in based on their AD Credentials.
Thanks,
Rob
YES!
in your connect.in use
Connectiontype-TrustedAuto
This will suppress the initial login screen and so long as you've set the users with AD credential in system manager this should work.
-
-
4th October 2011, 02:54 PM #30 Hello,
We've just gone to using AD logons for SIMS and everything seems to be working well, however when users start NOVA T it asks them for username and password? Are there any additional settings that need to be set for this to work?
TIA,
Ash.
-