I need Multiple Passwords to log in - think WAR GAMES - possible?

Guest

In the 'war games' movie, in the beginning it was required for 2 guys to turn
2 keys to activate the missiles right? I have a customer that wants the login
screen of Windows Servers to show 2 password fields so that 2 administrators
have to each type in a unique password to log in. I know it is possible to
make each type half of a single password, but is there a product out there
that offers this type of dual password authentication? Please email thepiper
@ one.net (remove spaces for anti spam) in your reply if you'd be so kind.
Thanks in advance!
 
Rick B

This is a Microsoft ACCESS newsgroup. We help with questions about Access
databases. Sounds like you are asking a Windows Server question, not Access.

Wrong newsgroup.

FYI, most people will not email you a response. The whole point of a public
newsgroup is to store the questions and responses in a public forum so
people with similar questions in the future can look back and find an
answer.
 
Guest

Sorry- I was thinking 'Access Security' as in 'access to the server'
security, not the product. My bad. I was just hoping to get notified in
email when a response hit which I realized was available, not trying to
discuss it out of the group. Thanks for replying.
 
TC

That whole idea does not make sense to me.

Say admin Fred logs-on with his own password. All subsequent actions
under that login, can be audited, by Windows security policies, to Fred
personally. If admin Jane logs on, all subsequent actions are audited
to Jane personally, and so on.

But if Fred & Jane log-on in some joint fashion, how do you know which
individual did which audited actions? A file is deleted under the
Fred-and-Jane logon, but both of them deny having done so ... There is
no apparent way to hold either individual responsible for that deleted
file.

In other words, in my opinion, this suggestion *halves* your security -
it does not double it!

HTH,
TC
 
Guest

But if both people are trusted and accountable it means no single person can
make changes without another present. Only collusion could be a problem then.
 
david epsom dot com dot au

i was just hoping to get notified in

Google will watch newsgroups and send you e-mails.
(I would not recommend posting at google, because they
seem to have a bad link to microsoft.public)

(david)
 
TC

Not so. Fred-and-Jane log on. Fred goes to the can. Jane quickly
deletes the file. Later, they both deny having deleted any files.
Result: no-one can be held accountable. Where is the collusion there?

I feel you are not considering what will happen with this scheme in a
"real world" context. It will inevitably reduce your level of security,
IMHO.

HTH,
TC
 
TC

Further to this, I was just reading the blog of an MS employee who
conducts security audits. He used the acronym "STRIDE", standing for
Spoofing, Tampering, Repudiation,
Information disclosure, Denial of service, and Elevation of privilege,
to describe the threats that he was concerned with.

He said:

<quote>
"Repudiation" is a little-used term but it basically means "claiming
you didn't do something that you actually did." You have a repudiation
vulnerability if it's possible for somebody to perform an action in
your system in such a way that you have no way of proving they did it.
This allows people (including authorised people -- "the good guys") to
perform malicious actions with impunity because there is no way for
them to get caught.
</quote>

That is exactly my concern with your scheme. With a Tom-and-Jane logon,
there is no way to know which of them did something. They don't need to
collude; one of them just needs to be absent for a few moments - in
the can, getting a coffee, or any of a hundred other "real world"
reasons for stepping away.

HTH,
TC
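
The attribution problem discussed above, as an added example that is not part of the original thread: a joint Fred-and-Jane logon can only write the shared account into the audit trail, while a per-action approval in which each administrator authenticates with their own password records who requested and who approved. The class names, account names and passwords are hypothetical and constructed for illustration; this sketches the audit record only, not a Windows logon mechanism.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class JointLogon:
    """One shared account whose single password is split into two halves."""
    def __init__(self, account, half_a, half_b):
        self.account, self.salt = account, os.urandom(16)
        self.verifier = kdf(half_a + half_b, self.salt)
        self.audit = []

    def act(self, action, half_a, half_b):
        ok = hmac.compare_digest(self.verifier, kdf(half_a + half_b, self.salt))
        # The only identity the audit record can carry is the shared account.
        self.audit.append({"action": action, "actor": self.account, "allowed": ok})
        return ok

class DualApproval:
    """Each admin has their own password; an action needs two distinct admins."""
    def __init__(self):
        self.users, self.audit = {}, []

    def enroll(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, kdf(password, salt))

    def _verify(self, name, password):
        # Unknown names get an empty verifier, which never matches.
        salt, verifier = self.users.get(name, (b"", b""))
        return hmac.compare_digest(verifier, kdf(password, salt))

    def act(self, action, requester, req_pw, approver, app_pw):
        ok = (requester != approver
              and self._verify(requester, req_pw)
              and self._verify(approver, app_pw))
        # Both individuals are named, on refused attempts as well.
        self.audit.append({"action": action, "requester": requester,
                           "approver": approver, "allowed": ok})
        return ok

def demo():
    # Constructed sample accounts and passwords.
    joint = JointLogon("fred-and-jane", "alpha", "bravo")
    joint.act("delete report.doc", "alpha", "bravo")
    dual = DualApproval()
    for name in ("fred", "jane"):
        dual.enroll(name, name + "-pw")
    dual.act("delete report.doc", "jane", "jane-pw", "fred", "fred-pw")
    dual.act("delete other.doc", "jane", "jane-pw", "jane", "jane-pw")
    return joint.audit, dual.audit
```

In the joint record the deletion is attributable only to "fred-and-jane"; in the dual-approval record it names Jane as requester and Fred as approver, and Jane's attempt to approve her own request is logged as refused.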
 
Guest

While I appreciate and agree about your analysis of the security weaknesses
in the scheme, my original question, which has still not been answered, is
"IS IT POSSIBLE to set up a login screen REQUIRING TWO PASSWORDS". We have a
customer which is a local GOVERNMENT entity which is REQUIRING THIS. It
doesn't matter about any of the security weaknesses inherent in this scheme.
This is a government customer with cash on the table asking us, a solution
provider, to implement this SPECIFIC SYSTEM for them.

That said- is it possible to do this, and if so are there any 1st or 3rd
party products which could enable us to do so? Thanks.
 
Joan Wild

I hate to tell you this, but this is a newsgroup about security in Access.
Since your question is about Windows, I suggest you post it in a Windows
newsgroup.
 
Chris Mills

my original question, which has still not been answered, is
"IS IT POSSIBLE to set up a login screen REQUIRING TWO PASSWORDS".

Well then, I went into Altavista and typed "Two Passwords".

http://www.pcworld.com/howto/article/0,aid,116989,00.asp
note it says:
"Microsoft recently announced that it will build support for RSA SecurID into
every Windows machine."

http://www.msfn.org/board/index.php?showtopic=17191
Answer: No

http://www.annoyances.org/exec/forum/winxp/t1067984330
Answer: Yes. On VAX/VMS!

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=3844&pg=3
Answer: with NT LAN Manager password can be split in two...

The first 2 pages of thousands was enough for me. I imagine the local
government put out an RFP for proposals by companies experienced in the
requirements...

Of course, I go through a two-password system "every day". Whenever I visit a
medium to large site, I can't log onto their machines, they have to do it for
me. Then, when I get into my Access software for administrative reasons (ie
bugs in it), THEY have to go away....

Chris
 
Chris Mills

thinking of WAR GAMES...it is not uncommon for "local government" to have a
"preferred supplier", yet they must put out a public RFP. The way they do it
(and I'd do it if a bureaucrat!) is to put out an impossible RFP. That way,
they can reject any proposal and choose what they say is the "best fit
overall". It's just the way the process works.

Windows Server does what it does.
Chris
 
TC

Yes, I knew it was a government agency requiring you to do it this way.

I used my magic powers of E.S.P.

TC
 
TC

Ah, that rings a bell.
From time to time I notice answers to questions, where I can see the
answer, but not the question. I did some research on this, and it
turned out to be questions from the MSDN(?) community interface - which
I had never known about, before that. Questions from that interface,
did not seem to show up in google (but the answers did).

Cheers,
TC
 
