1 Reply Latest reply on Oct 10, 2012 2:12 PM by SafeBoot

    Non-Domain Password still allows SSO

    awbattelle

      Our security dept sees this scenario as a possible issue.


      Our Encryption policy is set to enable SSO, Must Match User name, and Synchronize EEPC password with Windows.

      We currently don't set password rules, because the intent is to use the AD domain password which already has restrictions.


      So the user boots up to the PBE and decides to change his/her password to something other than their current domain password. They use this new password and, since it is now different from their domain password, I would expect SSO to fail. It does not: the user goes right into the desktop with access to all AD resources without ever having to enter their domain password!


      I think you can see why this might be cause for concern. To make matters worse, this "new" non-AD password the user has created, gets stored in EPO, and is now available at ANY Encrypted PC the user is authorized at.


      Is there a way to defeat this? Apparently, if you change your password in Windows, it synchronizes with EPO, but not the other way around. If only there were an option to remove the Change Password option at the PBE (except for the recovery process, of course).


      What is the solution to this dilemma?