10-27-2014 06:57 PM
We have recently determined that allowing OnBase authentication is too much of a security risk for even our system administrator to have and need feedback for best practices to address this issue. Our sys admin can use OnBase authentication to log in as a user and it appears the audit trail does not distinguish between NT authentication and OnBase authentication. Therefore, it allows the sys admin to perform tasks as the individual. So, I need help answering the following questions:
(1) Can we turn off OnBase authentication? If so, what admin functionality will be lost if we do?
(2) If we cannot turn off OnBase authentication or choose not to, does the audit trail differentiate between NT and OnBase activity?
Thanks in advance.
10-28-2014 12:16 PM
In addition, SCR: #204441 was created to add logging to the Security log detailing which authentication method was used to allow a user access to the system.
10-28-2014 10:37 AM
I'm glad Shane found an SCR for this, it would be a nice feature... but Eric, I'm curious, is the issue that your OnBase sys admin is "posing" as someone to do something? If you force network security, what would stop him from getting a LAN password and doing the same, i.e., logging in as someone else? If that's the case, your bigger issue is not the OnBase authentication method.
10-31-2014 07:04 PM
Thank you for all the responses.
Jose, this is completely about the ability the sys admin has and not what he has or hasn't done. But yes, this question stemmed from the discovery that he COULD log in as someone else, perform a task as that person, and we have no ability to audit or prove that it was the sys admin that performed the task.
We have considered having our security team change the passwords to something only they knew, but it is our understanding that the sys admin could change it back to whatever he wants without an audit record showing the change, which completely negates the effort by the security team.
I am curious if anyone feels this level of access by the sys admin is a risk or common practice.
11-01-2014 11:38 AM
Eric, I'm quite sure the act of changing a user's password is logged in the database.
11-05-2014 07:01 AM
It is. You can query the transaction logs through the client or report services... or SQL of course. It will tell you who, when and what user's pw was changed.
The original question has to do with, as I understand it now, best security practices. And that can be a long discussion.