    Domain Trust, VPN, Remote workers

    • JaredBusch
      JaredBusch last edited by

      I had a place years ago that had set the machine time to something like 180 days for tech laptops that were always in the field. It seemed to work well enough.

      1 Reply Last reply Reply Quote 0
      • Kelly
        Kelly last edited by

        Thanks for the reply @JaredBusch. I'm getting push back from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

        JaredBusch scottalanmiller 2 Replies Last reply Reply Quote 0
        • JaredBusch
          JaredBusch @Kelly last edited by

          @Kelly said in Domain Trust, VPN, Remote workers:

          Thanks for the reply @JaredBusch. I'm getting push back from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

          Me either. It simply lets the Kerberos tickets last longer, to my understanding.

          1 Reply Last reply Reply Quote 2
          • dbeato
            dbeato last edited by

            I would do what @JaredBusch is recommending. I know companies that had the 90-day password expiration policy and have changed it to completely disable it or extend it. I think that is what the server administrators are thinking in the sense of "Security".

            scottalanmiller 1 Reply Last reply Reply Quote 0
            • brandon220
              brandon220 last edited by brandon220

              Can confirm this method works. Did the same thing at my last job. The field guys traveled all over the world and did not always have access to internet - especially when they were offshore. They still needed access to their laptops for reporting. Never had an issue with them not being able to log in.

              1 Reply Last reply Reply Quote 0
              • scottalanmiller
                scottalanmiller @Kelly last edited by

                @Kelly said in Domain Trust, VPN, Remote workers:

                For the short term are there any concerns that you all would have about changing (assuming we can, haven't dug in that far yet) the expiration of the machine account/password?

                We keep this long anyway to discourage bad, short, or repeating passwords. So that kind of stuff would rarely be seen as an issue, anyway.

                1 Reply Last reply Reply Quote 0
                • scottalanmiller
                  scottalanmiller @Kelly last edited by

                  @Kelly said in Domain Trust, VPN, Remote workers:

                  Thanks for the reply @JaredBusch. I'm getting push back from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

                  Point them to NIST and just standard security knowledge. If they balk at 180 days, ask them why they are pushing for less secure when it also makes it more complicated. In the "real world", short expiration times are considered a security risk outside of when used for security professionals and specialists that can be specifically trained to handle quickly changing passwords and are responsible for the risks.

                  1 Reply Last reply Reply Quote 1
                  • scottalanmiller
                    scottalanmiller @dbeato last edited by

                    @dbeato said in Domain Trust, VPN, Remote workers:

                    I would do what @JaredBusch is recommending. I know companies that had the 90-day password expiration policy and have changed it to completely disable it or extend it. I think that is what the server administrators are thinking in the sense of "Security".

                    That would be my guess. It's exposing that they are hung up on old myths that were always myths, but now fall under "well known to have been myths."

                    1 Reply Last reply Reply Quote 1
                    • JaredBusch
                      JaredBusch last edited by

                      I was referencing only the machine account expiration stuff.

                      1 Reply Last reply Reply Quote 1
                      • IRJ
                        IRJ last edited by

                        The only risk here is having a laptop stolen and giving the attacker more time to try to breach a system with cached credentials.

                        You can mitigate that by using BitLocker and requiring MFA on all important accounts (should be the standard anyway).

                        1 Reply Last reply Reply Quote 2
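
A local check for the two things this thread turns on, the machine account password age setting and the BitLocker mitigation, as an added example that is not from any poster in the thread. It assumes Windows PowerShell run elevated on a domain-joined laptop; the function name `Get-FieldLaptopPosture` and the 180-day default are assumptions for this example, and the Netlogon registry values are the ones behind the "Domain member: Maximum machine account password age" policy.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined laptop.
# Get-FieldLaptopPosture is a hypothetical name chosen for this example.
function Get-FieldLaptopPosture {
    [CmdletBinding()]
    param(
        # Assumption: 180 days is the figure floated in the thread; set your own.
        [int]$ExpectedMaxAgeDays = 180
    )

    # The client, not the domain controller, initiates machine password rotation,
    # and it reads its schedule from these Netlogon parameters.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = (Get-ItemProperty -Path $key -ErrorAction Stop).PSObject.Properties

    # When MaximumPasswordAge is absent, Windows uses its 30-day default.
    $maxAge = if ($props['MaximumPasswordAge']) { [int]$props['MaximumPasswordAge'].Value } else { 30 }
    # DisablePasswordChange = 1 stops the machine from ever rotating its password.
    $noRotation = [bool]($props['DisablePasswordChange'] -and $props['DisablePasswordChange'].Value -eq 1)

    # BitLocker state of the OS volume: the mitigation for a stolen laptop.
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $protected  = $vol.ProtectionStatus.ToString() -eq 'On'
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if ($maxAge -ne $ExpectedMaxAgeDays) {
        $findings += "MaximumPasswordAge is $maxAge days, expected $ExpectedMaxAgeDays"
    }
    if ($noRotation) {
        $findings += 'Machine account password rotation is disabled entirely'
    }
    if (-not $protected) {
        $findings += "BitLocker protection is off on $env:SystemDrive"
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MaxMachinePwdAge   = $maxAge
        RotationDisabled   = $noRotation
        BitLockerProtected = $protected
        KeyProtectors      = $protectors -join ', '
        Findings           = $findings
    }
}

Get-FieldLaptopPosture | Format-List
```

An empty `Findings` list means the laptop matches the expected age and has BitLocker protection on; MFA on accounts is enforced elsewhere and is not something this local check can see.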