What are the pros and cons of using stand-alone authentication that is not Active Directory-based?
Password managment tools other than Active Directory are available, though they may not be the best access control coordinators.
Tools such as Group Policy Objects (GPO) in Active Directory make it easy to enforce consistent authentication polices for all members of the Active Directory domain.
In addition, directory services have centralized reporting features for auditing user activity and for producing access management reports required for compliance with regulations like the Sarbanes-Oxley Act (SOX).
Another nice feature of directory services is they can mesh with two-factor authentication systems – one-time password (OTP) tokens, smart cards and biometrics. For stand-alone systems, such configuration would have to be done on each individual workstation.
Using stand-alone authentication systems makes it harder to centralize access management across an organization. It can lead to inconsistent access management policies on different workstations in a network, which would be chaotic in a large company with many users. It would also make tracking users and their access -- and removing stale accounts -- quite difficult.
The only advantage to standalone authentication systems would be if there were only a few desktops or workstations, as in a small company, or for specialized access that needs to be segregated from the rest of the network. A possible scenario would be a workstation dedicated to high-risk transactions or for unique access to an external network.
Unless the cost of Active Directory is prohibitive because of the size of your business, standalone setups aren't recommended.
More information:
- Which is more secure: card space or user IDs and passwords? Read more.
- Joel Dubin makes complex password requirements simple.