No Unencrypted Authentication Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the No Unencrypted Authentication requirement.

Requirement

All network-based authentication must be strongly encrypted.

In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

Traffic for one-time password authentication systems (e.g., S/Key, OPIE, SecurID) is exempted from this encryption requirement, because its exposure does not compromise the integrity of the underlying authentication system.

Anonymous FTP servers or other services where authentication credentials are requested but not used are also exempt from this requirement.

Background and description of risk

Unencrypted authentication exchanges present the possibility that credentials can be intercepted by attackers and used to gain authenticated access to the system.

Recommendations

Legacy Windows Authentication

Eliminate use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos. See http://en.wikipedia.org/wiki/NTLM.

Use of encryption for email authentication

Follow the instructions at https://calmail.berkeley.edu/docs/client.html to configure email clients to use encrypted authentication with CalMail.

Replacing services with their encrypted equivalent

Replace FTP with scp, sftp or ftps. Replace telnet with ssh. After replacing services with weak or unencrypted authentication with their secure equivalents, disable and, if possible, remove the replaced services.
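One check an administrator might run before deciding whether an FTP server must be replaced, retired, or left alone under the anonymous-FTP exemption above. This is an added example, not part of the Berkeley guidance; it assumes the server is vsftpd and uses its real configuration keys (anonymous_enable, local_enable, ssl_enable, force_local_logins_ssl); the sample configurations are constructed.

```python
"""Classify a vsftpd configuration against the No Unencrypted Authentication
requirement: EXEMPT (anonymous only, credentials requested but not used),
COMPLIANT (real logins forced over TLS, i.e. ftps), or NON_COMPLIANT (local
accounts may authenticate in cleartext)."""

# vsftpd compiled-in defaults, assumed here as documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
}
TRUE_VALUES = {"YES", "TRUE", "1"}  # spellings vsftpd accepts for a boolean


def parse_vsftpd_conf(text):
    """Parse key=value lines over the defaults; '#' comments are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def classify(text):
    s = parse_vsftpd_conf(text)
    anon = s["anonymous_enable"] in TRUE_VALUES
    local = s["local_enable"] in TRUE_VALUES
    # Logins are only encrypted if TLS is on AND cleartext logins are refused.
    tls_only = (s["ssl_enable"] in TRUE_VALUES
                and s["force_local_logins_ssl"] in TRUE_VALUES)
    if not local and not anon:
        return "NO_LOGINS"       # nothing authenticates; service likely unused
    if not local:
        return "EXEMPT"          # anonymous-only server
    if tls_only:
        return "COMPLIANT"       # password logins happen only over TLS (ftps)
    return "NON_COMPLIANT"       # replace with sftp/scp or enforce ftps


# Constructed sample configurations.
LEGACY_CONF = "anonymous_enable=NO\nlocal_enable=YES\nssl_enable=NO\n"
FTPS_CONF = "local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\n"
ANON_CONF = "# public mirror\nanonymous_enable=YES\nlocal_enable=NO\n"
```

A server that classifies as NON_COMPLIANT is the case the recommendation addresses: migrate its users to sftp/scp (or enforce ftps) and then disable the cleartext service.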