Centralized Authentication: A Double-Edged Sword - InformationWeek

Commentary
5/13/2014
12:56 PM
Dan Tesch

Centralized Authentication: A Double-Edged Sword

Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.

it is used and saved. In the case of a mobile phone, someone will likely remember to change their email password but often forgets that the saved wireless password needs to change, as well.

If users don't connect to the wireless network at the office for a while and their password changes, the next time they do try to connect, the device issues the old password. Active Directory interprets the password as incorrect and locks out the users.

Tablets are commonly shared among designers and people doing user interface testing. If the tablet connects to the network, nobody stops to think about whose credential it's using -- until the person who last entered his username and password changes it. Then a forgotten device ends up locking an unsuspecting user's account.

Saving passwords in browsers, the Mac Keychain, and Windows Credential Manager, while convenient, complicates centralized authentication. Sometimes it takes days to discover where the bad password is stored. One person left his email account configured on his iPad and gave it to his father, who lived overseas. Lockouts occurred only when his father connected the iPad to the Internet; it took us literally months to discover what was going on.

Remote users have also had difficulties. For instance, someone might change a password via our webmail system and then turn around and attempt to authenticate to a VPN endpoint. If the endpoint is at a different data center that hasn't received the updated password via Active Directory replication, the user gets locked out.

I've tried a few things to improve the situation. We modified Active Directory replication settings to make them quicker. We also evaluated a variety of Active Directory reporting tools and put some into use.

For example, Lockout Status from Microsoft is simple, free, and helpful. It's a standalone .exe that requires no installation and allows for a quick view into which Domain Controller is getting bad password attempts. This speeds troubleshooting by reducing the amount of time it takes to determine where lockouts are occurring.
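
As an added example (not from the original article and not Microsoft's tool), this PowerShell function builds a similar per-domain-controller view of bad password attempts and adds the calling computer from the lockout event, which helps locate the device holding the stale password. It assumes the ActiveDirectory module (RSAT), account-management auditing enabled, and read access to the PDC emulator's Security log; the function name `Get-LockoutOverview` and the account `jdoe` are hypothetical.

```powershell
# Added example: per-DC bad-password view plus the lockout event's source machine.
# Assumes the ActiveDirectory module (RSAT) and rights to read the DC Security log.
Import-Module ActiveDirectory

function Get-LockoutOverview {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # account to investigate
        [int] $HoursBack = 24                             # how far back to read events
    )

    # badPwdCount and badPasswordTime are not replicated between DCs,
    # so each domain controller has to be asked for its own values.
    $props = 'badPwdCount', 'LastBadPasswordAttempt', 'LockedOut'
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            BadPwdCount      = $u.badPwdCount
            LastBadPassword  = $u.LastBadPasswordAttempt
            LockedOut        = $u.LockedOut
        }
    }

    # Event 4740 (account locked out) is logged on the PDC emulator and
    # names the computer that submitted the failing credentials.
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$HoursBack) }
    # SilentlyContinue: Get-WinEvent raises an error when no events match the filter.
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value  # TargetUserName
                CallerComputer = $_.Properties[1].Value  # machine that sent the bad password
            }
        }

    [pscustomobject]@{ PerDomainController = $perDc; LockoutEvents = $events }
}

# Usage (account name is a constructed sample):
# $r = Get-LockoutOverview -SamAccountName 'jdoe'
# $r.PerDomainController | Sort-Object BadPwdCount -Descending | Format-Table
# $r.LockoutEvents | Format-Table
```

When the caller turns out to be a front-end server such as a mail, VPN, or wireless authentication server, that server's own logs are the next place to look for the phone or tablet behind the attempts.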

Centralized authentication can cause significant headaches for users and administrators alike. Even the most tech-savvy and self-sufficient people can occasionally be stymied. But user education can go a long way toward minimizing these problems. I don't plan to retreat from the policies and procedures we have in place, because they help protect the organization.


Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security.
