Re: Funny - any comments?

From: Martin Schmid (martinschmid_at_sbcglobal.net.nospam)
Date: 12/13/03


Date: Sat, 13 Dec 2003 09:00:09 -0600

The actual issue is the Exchange email server is in one Windows domain, and
our office is in another Windows domain - so the passwords must be sync'd;
however, isn't there a cleaner way to do this, i.e. through a proper trust,
or proper Exchange configuration? I.e., have the user login to each domain,
and make sure they set the passwords to the same thing? Then, the passwords
are never shared with any other person (i.e. per the policy).

My opinion is that the passwords shouldn't be shared, especially when it is
not absolutely necessary, and it's not in this instance - I found a
work-around.

The last office I worked in, they kept a list in case they had to get on the
user's machine to make any changes. However, typically these changes could
be made w/ an admin account. If absolutely necessary, the admin could
change the user's password anyway; but of course the admin would have to
tell the user what it was changed to, and have the user change it on first
log-in. However, I see this as respect, proper communication, and
professionalism - the user should be made aware of why the admin had to get
on the machine anyway. It comes down to accountability - granted you should
trust your admin, but the admin should also be competent and implement
solutions that don't interfere with their own policies! If they aren't able
to do this, the admin is just as much a security issue as all the
un-informed, and under-informed users!

-- 
Thanks,
Martin Schmid, EIT, CCSA, MCDBA, MCSE
"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:%23mQXH6UwDHA.3116@tk2msftngp13.phx.gbl...
> This is quite common and you are exactly right -- many corporate
> networks are a jumble of incompatible systems and add-ons. A user has a
> Windows password to logon to their desktop and/or domain, they may have
> a Netware password, they have a password to a third-party email server,
> and they have a password to the Internet proxy. None of these systems
> are connected and so the IS people are the only ones who can manage
> password changes.
>
> There is no point in trying to do what Robert recommends. The implied
> policy is that the IT department is the master keeper of the network
> application passwords. You can and must give passwords to the IT staff,
> but to no one else, and you can only do it in a phone call or in person.
> The only password the users can change is the Windows password and that
> is only because you can't really stop them. :-)
>
> It really isn't that much different than if the IT department bought
> some app or developed some web site where users could enter their
> password changes and the app would sync all the passwords automatically.
> IT staff would still have access to the database of passwords -- 
> management would insist on it. Of course, it might be better to have a
> system where passwords can only be changed by IT staff, but IT staff
> usually has access to all the data anyway.
>
> Bottom line -- if you can't trust IT and your janitor, you are really
> out of luck.
>
> -- 
> Kent W. England, Microsoft MVP for Windows Security
>
>
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:OaVxRrRwDHA.3144@tk2msftngp13.phx.gbl...
> > I don't think so--I think he's got a mailserver running some system
> > which has no method of synching passwords with the rest of the network,
> > and no method for the user to make the change themselves.  Ugly, but
> > quite possible--and I agree with Robert Moir about "correct" responses,
> > given the policy!
> >
> >
> > "Chris Knapp" <dont@spam.me> wrote in message
> > news:uVIPIfQwDHA.1744@TK2MSFTNGP12.phx.gbl...
> > > Sounds like the boss is forcing him to maintain a list of passwords.
> > > My old computer illiterate boss used to ask for this too. . . (Not
> > > that he could even figure out how to login as someone other than
> > > himself. . .) I'm not bitter. ;-)
> > >
> > >
> > > "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in message
> > > news:uMG3IzOwDHA.1196@TK2MSFTNGP12.phx.gbl...
> > > > I just received this message from my IS staff person--- note that
> > > > this was just a few minutes after receiving the new 'Password
> > > > Policy' below. Any comments are welcome!
> > > >
> > > > -- 
> > > > Thanks,
> > > > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> > > >
> > > > -----
> > > >
> > > > Message received about 11:45am today
> > > >
> > > > The easiest way to change your password is by hitting CTRL-ALT-DEL
> > > > at the same time and press the change password button.
> > > >
> > > >
> > > >
> > > > However, everyone in XYZ-2 office will have to let me know (over
> > > > the phone only) what their new password is, otherwise they will not
> > > > be able to access their e-mail from the XYZ mail server. So, I will
> > > > be calling the XYZ-2 office this afternoon and will talk to everyone,
> > > > and will change their passwords here as well.
> > > >
> > > >
> > > > ----
> > > > Policy received about 11:30 am today.
> > > >
> > > > Password Policy
> > > >
> > > > Overview
> > > >
> > > > Passwords are an important aspect of computer security. They are
> > > > the front line of protection for user accounts. A poorly chosen
> > > > password may result in the compromise of XYZ's entire corporate
> > > > network. As such, all XYZ employees (including contractors and
> > > > vendors with access to XYZ systems) are responsible for taking the
> > > > appropriate steps, as outlined below, to select and secure their
> > > > passwords.
> > > >
> > > >
> > > >
> > > > Policy
> > > >
> > > > The purpose of this policy is to establish a standard for creation
> > > > of strong passwords, the protection of those passwords, and the
> > > > frequency of change. This policy includes all personnel who have or
> > > > are responsible for an account (or any form of access that supports
> > > > or requires a password) on any system that resides at any XYZ
> > > > facility, has access to the XYZ network, or stores any non-public
> > > > XYZ information.
> > > >
> > > >
> > > >
> > > > General
> > > >
> > > >          All user-level passwords must be changed every four
> > > > months (you will be prompted each time your password has expired).
> > > >
> > > >          Passwords must not be inserted into email messages or
> > > > other forms of electronic communication.
> > > >
> > > >          All user-level and system-level passwords must conform
> > > > to the guidelines described below.
> > > >
> > > >
> > > >
> > > > Guidelines
> > > >
> > > > General Password Construction Guidelines
> > > >
> > > > Passwords are used for various purposes at XYZ. Some of the more
> > > > common uses include: network/PC login, Wind2, and voicemail.
> > > >
> > > >
> > > >
> > > > Poor, weak passwords have the following characteristics:
> > > >
> > > >          The password contains less than six characters
> > > >
> > > >          The password is a word found in the dictionary (English
> > > > or foreign)
> > > >
> > > >          The password is a common usage word such as:
> > > >
> > > > o        Names of family, pets, friends, co-workers, fantasy
> > > > characters, etc.
> > > >
> > > > o        Computer terms and names, commands, sites, companies,
> > > > hardware, software.
> > > >
> > > > o        The words "XYZ", "Dallas", "LosAngeles", "password" or
> > > > any derivation.
> > > >
> > > > o        Birthdays and other personal information such as
> > > > addresses and phone numbers.
> > > >
> > > > o        UserID (i.e. if the login ID is "Jonathan" the password
> > > > should not be "Jonathan")
> > > >
> > > > o        Word or number patterns like aaabbb, qwerty, zyxwvuts,
> > > > 123321, etc.
> > > >
> > > > o        Any of the above spelled backwards.
> > > >
> > > > o        Any of the above preceded or followed by a digit (e.g.,
> > > > password1, 1password)
> > > >
> > > >
> > > >
> > > > Strong passwords have the following characteristics:
> > > >
> > > >          Contain both upper and lower case characters (e.g., a-z,
> > > > A-Z)
> > > >
> > > >          Have digits and punctuation characters as well as
> > > > letters (e.g., 0-9, !@#$%^&*()_+|~-=\'{}[]:";`<>?,./ )
> > > >
> > > >          Are at least eight alphanumeric characters long
> > > >
> > > >          Are not a word in any language, slang, dialect, jargon,
> > > > etc.
> > > >
> > > >          Are not based on personal information, names of family,
> > > > etc.
> > > >
> > > >          Passwords should never be written down or stored
> > > > on-line. Try to create passwords that can be easily remembered. One
> > > > way to do this is create a password based on a song title,
> > > > affirmation, or other phrase. For example, the phrase might be:
> > > > "This May Be One Way to Remember" and the password could be:
> > > > "TmB1w2R!" or "Tmb1W>r~" or some other variation. Also you can use
> > > > special characters or numbers to replace letters in a word, for
> > > > example the word is "computer" and the password could be:
> > > > "C0mp*t3r" or "c*mp@ter".
> > > >
> > > > NOTE: Do not use any of the above examples as passwords!
> > > >
> > > >
> > > >
> > > > Password Protection Standards
> > > >
> > > > Do not use the same password for XYZ accounts as for other non-XYZ
> > > > access (e.g. personal ISP or at home internet accounts, benefits,
> > > > personal (yahoo or hotmail) e-mail accounts, etc.).
> > > >
> > > >
> > > >
> > > > Do not share XYZ passwords with anyone, including administrative
> > > > assistants or secretaries. All passwords are to be treated as
> > > > sensitive, confidential XYZ information.
> > > >
> > > >          Don't reveal a password in an email message
> > > >
> > > >          Don't talk about a password in front of others
> > > >
> > > >          Don't hint at the format of a password (e.g., "my
> > > > favorite song title")
> > > >
> > > >          Don't reveal a password on questionnaires
> > > >
> > > >          Don't share a password with family members
> > > >
> > > >
> > > >
> > > > If someone demands a password, refer them to this document or have
> > > > them call the IS department.
> > > >
> > > >
> > > >
> > > > Never use the "Remember My Password" feature of applications
> > > > (e.g., Eudora, IM, Yahoo, etc.). This is very insecure as it saves
> > > > the password to your computer (or sometimes on the internet!)
> > > >
> > > >
> > > >
> > > > Again, do not write passwords down and store them anywhere in your
> > > > office. Do not store passwords in a file on ANY computer systems
> > > > (including Palm Pilots or similar devices) without encryption.
> > > >
> > > >
> > > >
> > > > Change passwords at least once every four months.
> > > >
> > > >
> > > >
> > > > If an account or password is suspected to have been compromised,
> > > > report the incident to the IS department, and change all passwords.
> > > >
> > > >
> > > >
> > > > Password cracking or guessing may be performed on a periodic or
> > > > random basis by the IS department. If a password is guessed or
> > > > cracked during one of these scans, the user will be required to
> > > > change it.
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
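The construction rules in the quoted XYZ policy (the "weak" and "strong" characteristic lists) are concrete enough to enforce mechanically; the checker below is an added example, not code from XYZ or from anyone in the thread. It assumes small constructed stand-ins for a real dictionary and for the user's personal details, and takes the eight-character minimum from the "strong password" list rather than the six-character weak threshold.

```python
import re
import string

# Constructed stand-ins: a real deployment would load a full dictionary
# (English and foreign, as the policy says) and the user's own details.
DICTIONARY = {"computer", "summer", "jonathan", "welcome"}
BANNED_WORDS = {"xyz", "dallas", "losangeles", "password"}  # "or any derivation"
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}


def _variants(pw):
    """Forms the policy rejects along with the word itself: spelled backwards,
    and with a single leading or trailing digit removed (password1, 1password)."""
    p = pw.lower()
    forms = {p}
    if p[:1].isdigit():
        forms.add(p[1:])
    if p[-1:].isdigit():
        forms.add(p[:-1])
    return forms | {f[::-1] for f in forms}


def check_password(pw, user_id, personal=()):
    """Return the list of policy violations for pw; an empty list means it passes.
    personal: strings such as family names, birthdays or phone numbers."""
    problems = []
    # Construction rules from the "strong passwords" list.
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no mix of upper and lower case")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation character")
    # "Weak password" list: dictionary words, the user ID, personal data and
    # keyboard/number patterns, each also rejected backwards or with a digit
    # tacked on; the named company words are rejected as substrings too.
    banned = DICTIONARY | BANNED_WORDS | PATTERNS | {user_id.lower()}
    banned |= {str(x).lower() for x in personal}
    hit = next(iter(sorted(_variants(pw) & banned)), None)
    if hit is None:
        hit = next((w for w in sorted(BANNED_WORDS) if w in pw.lower()), None)
    if hit is not None:
        problems.append("based on a banned word or pattern: " + hit)
    return problems
```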

