Easy pre-populate machine name in the form #108
Comments
Hi @Nuffnorm This is a potentially dangerous option to have. I'll let Ryan comment on this though. I'd however suggest you not permit this behaviour even if the feature existed. There's a trade-off between security and convenience.
Jaysn is right, it could inadvertently open up 'misuse' scenarios, however rate limits could prevent this from being a problem. I'll have a think about how to implement it. I might be able to do it in a way that allows this feature to be turned 'on' where the organization has assessed the risk profile itself.
Hi Ryan and Jaysn,
I can see that you’re 100% right about the negative usage scenarios – and this is a poor idea!
Any thoughts on our use-case? Any better way of doing it?
Our use case is: We have a set of users who need occasional admin access on their PCs. We wish them to work normally with lower-privileged users (their basic accounts). If they need to look up their admin password, Lithnet/AMS will show it to them, but also automatically changes that password x minutes later. These users will forget their machine names though, and/or type it wrongly, so we hoped to give them something to pre-populate it. Any ideas?
Is it possible to associate a user with one or more PCs (which they own) and the admin passwords for all x are shown? (That doesn’t feel tremendously secure either, of course!).
Thanks for your thoughts!
From: Ryan Newington ***@***.***>
Sent: 02 July 2021 22:15
To: lithnet/access-manager ***@***.***>
Cc: Mark D. P. Norman ***@***.***>; Mention ***@***.***>
Subject: Re: [lithnet/access-manager] Easy pre-populate machine name in the form (#108)
Jaysn is right, it could inadvertently open up 'misuse' scenarios, however rate limits could prevent this from being a problem.
I'll have a think about how to implement it. I might be able to do it in a way that allows this feature to be turned 'on' where the organization has assessed the risk profile itself.
I think we can do this, it's just a matter of making sure the rate limit settings are appropriate, so that people don't take advantage of it in unintended ways. At the end of the day, AMS is about protecting organizations from bad guys - not from yourselves. So this is something you'd deal with and assess the risk of internally. It would be nice for the product to have a 'my computers' page where they could have shortcuts to the computers pre-identified as theirs. Or maybe the ability for people to just mark computers as 'favorites' and show them on a dashboard/landing page.
We had the same problem here and I initially thought of your solution. Pre-filled computer names or BGInfo. However (thankfully) management was like "oh, you want admin rights? You need them to do your work? You don't want to stress out over the weekend because this is preventing you from getting admin rights to install a needed software? Then remember your damn computer name when helpdesk provides it the first time." Paraphrasing of course, but c'mon users. Write the computer name down or just look through your emails... favorite it... pin it... it's not too much to ask. Just my 2 cents. This is one of those cases where I think policy would solve this issue rather neatly instead of a new technical solution.
We'd like to give some of our users easy URL shortcuts to look up their admin passwords. So it would be good to be able to send it something like: https://access.url.com/Computer/AccessRequest/?ComputerName=my-desktop
I'm not an HTML expert but I think the source has " value="" " in the attributes for the field which may stop this from working (and then I'm not sure of the URL syntax anyway!)
Hope this is an easy one!
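
The trade-off discussed in this thread (a pre-populated `ComputerName` link versus rate limits on lookups), as an added example that is not part of the issue or of Access Manager's code. The function and class names, the NetBIOS-style name rule, and the choice to count every opened shortcut link against the user's request budget are assumptions made for illustration.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

# Assumption: names are NetBIOS-style (1-15 chars, letters/digits/hyphen).
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")


def prefill_name(url):
    """Return a safe value for the form field, or "" if absent or invalid."""
    values = parse_qs(urlsplit(url).query).get("ComputerName", [])
    if len(values) != 1:  # missing, blank or repeated parameter: do not guess
        return ""
    name = values[0].strip()
    # Anything outside the allow-list (markup, wildcards) is dropped, not echoed.
    return name.upper() if NAME_RE.fullmatch(name) else ""


class RequestLimiter:
    """Sliding-window limit on lookups per authenticated user (hypothetical)."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)

    def allow(self, user):
        now = self.clock()
        seen = self.history[user]
        while seen and now - seen[0] >= self.window:  # expire old entries
            seen.popleft()
        if len(seen) >= self.max_requests:
            return False
        seen.append(now)
        return True


def handle_request(url, user, limiter):
    """A shortcut link only fills in the name; the limiter still gates it."""
    name = prefill_name(url)
    if not name:
        return ("show_empty_form", "")
    if not limiter.allow(user):
        return ("rate_limited", name)
    return ("show_prefilled_form", name)
```
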