Re: Funny - any comments?

From: Kent W. England [MVP] (kwe_at_mvps.org)
Date: 12/14/03


Date: Sat, 13 Dec 2003 18:23:08 -0800

This is all well and good, but you didn't mention any of these details
in your original post, so what's the point? Of course, if you have
technical solutions that don't require IT staff to know passwords, that
is better than a slapped together system where IT staff simply must know
passwords. The point of my post is that a patchwork system is far from
rare, which goes to the point of your original question.

-- 
Kent W. England, Microsoft MVP for Windows Security
"Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in message
news:%23BgqUnYwDHA.2308@TK2MSFTNGP11.phx.gbl...
> The actual issue is the Exchange email server is in one Windows domain, and
> our office is in another Windows domain - so the passwords must be sync'd;
> however, isn't there a cleaner way to do this, i.e. through a proper trust,
> or proper Exchange configuration?  I.e., have the user login to each domain,
> and make sure they set the passwords to the same thing?  Then, the passwords
> are never shared with any other person (i.e. per the policy).
>
> My opinion is that the passwords shouldn't be shared, especially when it is
> not absolutely necessary, and it's not in this instance - I found a
> work-around.
>
> The last office I worked in, they kept a list in case they had to get on the
> user's machine to make any changes.  However, typically these changes could
> be made w/ an admin account.  If absolutely necessary, the admin could
> change the user's password anyway; but of course the admin would have to
> tell the user what it was changed to, and have the user change it on first
> log-in.  However, I see this as respect, proper communication, and
> professionalism - the user should be made aware of why the admin had to get
> on the machine anyway.  It comes down to accountability - granted you should
> trust your admin, but the admin should also be competent and implement
> solutions that don't interfere with their own policies!  If they aren't able
> to do this, the admin is just as much a security issue as all the
> un-informed, and under-informed users!
>
>
> -- 
> Thanks,
> Martin Schmid, EIT, CCSA, MCDBA, MCSE
>
>
> "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> news:%23mQXH6UwDHA.3116@tk2msftngp13.phx.gbl...
> > This is quite common and you are exactly right -- many corporate
> > networks are a jumble of incompatible systems and add-ons. A user has a
> > Windows password to logon to their desktop and/or domain, they may have
> > a Netware password, they have a password to a third-party email server,
> > and they have a password to the Internet proxy. None of these systems
> > are connected and so the IS people are the only ones who can manage
> > password changes.
> >
> > There is no point in trying to do what Robert recommends. The implied
> > policy is that the IT department is the master keeper of the network
> > application passwords. You can and must give passwords to the IT staff,
> > but to no one else, and you can only do it in a phone call or in person.
> > The only password the users can change is the Windows password and that
> > is only because you can't really stop them. :-)
> >
> > It really isn't that much different than if the IT department bought
> > some app or developed some web site where users could enter their
> > password changes and the app would sync all the passwords automatically.
> > IT staff would still have access to the database of passwords --
> > management would insist on it. Of course, it might be better to have a
> > system where passwords can only be changed by IT staff, but IT staff
> > usually has access to all the data anyway.
> >
> > Bottom line -- if you can't trust IT and your janitor, you are really
> > out of luck.
> >
> > -- 
> > Kent W. England, Microsoft MVP for Windows Security
> >
> >
> >
> > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> > news:OaVxRrRwDHA.3144@tk2msftngp13.phx.gbl...
> > > I don't think so--I think he's got a mailserver running some system
> > > which has no method of synching passwords with the rest of the network,
> > > and no method for the user to make the change themselves.  Ugly, but
> > > quite possible--and I agree with Robert Moir about "correct" responses,
> > > given the policy!
> > >
> > >
> > > "Chris Knapp" <dont@spam.me> wrote in message
> > > news:uVIPIfQwDHA.1744@TK2MSFTNGP12.phx.gbl...
> > > > Sounds like the boss is forcing him to maintain a list of passwords.
> > > > My old computer illiterate boss used to ask for this too. . . (Not
> > > > that he could even figure out how to login as someone other than
> > > > himself. . .) I'm not bitter. ;-)
> > > >
> > > >
> > > > "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in
message
> > > > news:uMG3IzOwDHA.1196@TK2MSFTNGP12.phx.gbl...
> > > > > I just received this message from my IS staff person--- note that
> > > > > this was just a few minutes after receiving the new 'Password
> > > > > Policy' below. Any comments are welcome!
> > > > >
> > > > > -- 
> > > > > Thanks,
> > > > > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> > > > >
> > > > > -----
> > > > >
> > > > > Message received about 11:45am today
> > > > >
> > > > > The easiest way to change your password is by hitting CTRL-ALT-DEL
> > > > > at the same time and press the change password button.
> > > > >
> > > > >
> > > > >
> > > > > However, everyone in XYZ-2 office will have to let me know (over
> > > > > the phone only) what their new password is, otherwise they will not
> > > > > be able to access their e-mail from the XYZ mail server. So, I will
> > > > > be calling the XYZ-2 office this afternoon and will talk to
> > > > > everyone, and will change their passwords here as well.
> > > > >
> > > > >
> > > > > ----
> > > > > Policy received about 11:30 am today.
> > > > >
> > > > > Password Policy
> > > > >
> > > > > Overview
> > > > >
> > > > > Passwords are an important aspect of computer security. They are
> > > > > the front line of protection for user accounts. A poorly chosen
> > > > > password may result in the compromise of XYZ's entire corporate
> > > > > network. As such, all XYZ employees (including contractors and
> > > > > vendors with access to XYZ systems) are responsible for taking the
> > > > > appropriate steps, as outlined below, to select and secure their
> > > > > passwords.
> > > > >
> > > > >
> > > > >
> > > > > Policy
> > > > >
> > > > > The purpose of this policy is to establish a standard for creation
> > > > > of strong passwords, the protection of those passwords, and the
> > > > > frequency of change. This policy includes all personnel who have or
> > > > > are responsible for an account (or any form of access that supports
> > > > > or requires a password) on any system that resides at any XYZ
> > > > > facility, has access to the XYZ network, or stores any non-public
> > > > > XYZ information.
> > > > >
> > > > >
> > > > >
> > > > > General
> > > > >
> > > > > - All user-level passwords must be changed every four months (you
> > > > > will be prompted each time your password has expired).
> > > > >
> > > > > - Passwords must not be inserted into email messages or other forms
> > > > > of electronic communication.
> > > > >
> > > > > - All user-level and system-level passwords must conform to the
> > > > > guidelines described below.
> > > > >
> > > > >
> > > > >
> > > > > Guidelines
> > > > >
> > > > > General Password Construction Guidelines
> > > > >
> > > > > Passwords are used for various purposes at XYZ. Some of the more
> > > > > common uses include: network/PC login, Wind2, and voicemail.
> > > > >
> > > > >
> > > > >
> > > > > Poor, weak passwords have the following characteristics:
> > > > >
> > > > > - The password contains less than six characters
> > > > >
> > > > > - The password is a word found in the dictionary (English or
> > > > > foreign)
> > > > >
> > > > > - The password is a common usage word such as:
> > > > >
> > > > >   o Names of family, pets, friends, co-workers, fantasy characters,
> > > > >     etc.
> > > > >
> > > > >   o Computer terms and names, commands, sites, companies, hardware,
> > > > >     software.
> > > > >
> > > > >   o The words "XYZ", "Dallas", "LosAngeles", "password" or any
> > > > >     derivation.
> > > > >
> > > > >   o Birthdays and other personal information such as addresses and
> > > > >     phone numbers.
> > > > >
> > > > >   o UserID (i.e. if the login ID is "Jonathan" the password should
> > > > >     not be "Jonathan")
> > > > >
> > > > >   o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321,
> > > > >     etc.
> > > > >
> > > > >   o Any of the above spelled backwards.
> > > > >
> > > > >   o Any of the above preceded or followed by a digit (e.g.,
> > > > >     password1, 1password)
> > > > >
> > > > >
> > > > >
> > > > > Strong passwords have the following characteristics:
> > > > >
> > > > > - Contain both upper and lower case characters (e.g., a-z, A-Z)
> > > > >
> > > > > - Have digits and punctuation characters as well as letters (e.g.,
> > > > > 0-9, !@#$%^&*()_+|~-=\'{}[]:";`<>?,./ )
> > > > >
> > > > > - Are at least eight alphanumeric characters long
> > > > >
> > > > > - Are not a word in any language, slang, dialect, jargon, etc.
> > > > >
> > > > > - Are not based on personal information, names of family, etc.
> > > > >
> > > > > - Passwords should never be written down or stored on-line. Try to
> > > > > create passwords that can be easily remembered. One way to do this
> > > > > is create a password based on a song title, affirmation, or other
> > > > > phrase. For example, the phrase might be: "This May Be One Way to
> > > > > Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or
> > > > > some other variation. Also you can use special characters or
> > > > > numbers to replace letters in a word, for example the word is
> > > > > "computer" and the password could be: "C0mp*t3r" or "c*mp@ter".
> > > > >
> > > > > NOTE: Do not use any of the above examples as passwords!
> > > > >
> > > > >
> > > > >
> > > > > Password Protection Standards
> > > > >
> > > > > Do not use the same password for XYZ accounts as for other non-XYZ
> > > > > access (e.g. personal ISP or at home internet accounts, benefits,
> > > > > personal (yahoo or hotmail) e-mail accounts, etc.).
> > > > >
> > > > >
> > > > >
> > > > > Do not share XYZ passwords with anyone, including administrative
> > > > > assistants or secretaries. All passwords are to be treated as
> > > > > sensitive, confidential XYZ information.
> > > > >
> > > > > - Don't reveal a password in an email message
> > > > >
> > > > > - Don't talk about a password in front of others
> > > > >
> > > > > - Don't hint at the format of a password (e.g., "my favorite song
> > > > > title")
> > > > >
> > > > > - Don't reveal a password on questionnaires
> > > > >
> > > > > - Don't share a password with family members
> > > > >
> > > > >
> > > > >
> > > > > If someone demands a password, refer them to this document or have
> > > > > them call the IS department.
> > > > >
> > > > >
> > > > >
> > > > > Never use the "Remember My Password" feature of applications (e.g.,
> > > > > Eudora, IM, Yahoo, etc.). This is very insecure as it saves the
> > > > > password to your computer (or sometimes on the internet!)
> > > > >
> > > > >
> > > > >
> > > > > Again, do not write passwords down and store them anywhere in your
> > > > > office. Do not store passwords in a file on ANY computer systems
> > > > > (including Palm Pilots or similar devices) without encryption.
> > > > >
> > > > >
> > > > >
> > > > > Change passwords at least once every four months.
> > > > >
> > > > >
> > > > >
> > > > > If an account or password is suspected to have been compromised,
> > > > > report the incident to the IS department, and change all passwords.
> > > > >
> > > > >
> > > > >
> > > > > Password cracking or guessing may be performed on a periodic or
> > > > > random basis by the IS department. If a password is guessed or
> > > > > cracked during one of these scans, the user will be required to
> > > > > change it.
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
>
>
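The XYZ policy quoted in Martin's original post lists concrete "weak" and "strong" password characteristics, and says the IS department may audit passwords against them. The block below is an added example, not code from the thread or from XYZ, that turns those listed rules into a checker: the weak-password rules (too short, dictionary word, the forbidden words "or any derivation", equal to the user ID, personal information, keyboard/number patterns, any of those reversed or with a digit added) become `weaknesses()`, and the strong-password criteria become `meets_strong()`. The `DICTIONARY` and `FORBIDDEN` sets are constructed stand-ins for a real word list, and two readings are my assumptions: "any derivation" is treated as a substring match, and "digits and punctuation characters" as requiring at least one of each.

```python
"""Added example: the XYZ password policy's construction rules as a checker.

Not part of the original thread. DICTIONARY and FORBIDDEN are constructed
stand-ins for a real word list; the policy's "derivation" rule is read as a
substring match and "digits and punctuation" as requiring one of each.
"""
import string

# Constructed stand-in for "a word found in the dictionary (English or
# foreign)"; a real deployment would load a cracking wordlist here.
DICTIONARY = {"password", "computer", "secret", "welcome", "summer", "letmein"}
# Words the policy forbids outright, "or any derivation".
FORBIDDEN = {"xyz", "dallas", "losangeles", "password"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# The punctuation set quoted in the policy.
PUNCT = set("!@#$%^&*()_+|~-=\\'{}[]:\";`<>?,./")


def _candidates(pw):
    """Every form the policy says to test: lower-cased, spelled backwards,
    and with leading/trailing digits removed (those reversed too)."""
    base = pw.lower()
    forms = {base, base[::-1]}
    for f in list(forms):
        stripped = f.strip(string.digits)
        forms.update({stripped, stripped[::-1]})
    forms.discard("")
    return forms


def _is_pattern(pw):
    """Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321."""
    s = pw.lower()
    if len(s) < 4:
        return False
    if len(set(s)) <= 2:                      # aaabbb, aaaa
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):                  # abcdef, zyxwvuts, 654321
        return True
    if s.isdigit() and s == s[::-1]:          # 123321
        return True
    return any(s in run or s in run[::-1] for run in KEYBOARD_RUNS)


def weaknesses(pw, user_id=None, personal=()):
    """Return the policy's 'weak password' rules that pw violates (an empty
    list means none). personal is an optional iterable of names, dates, etc."""
    problems = []
    if len(pw) < 6:
        problems.append("fewer than six characters")
    cands = _candidates(pw)
    if cands & DICTIONARY:
        problems.append("dictionary word (possibly reversed or with a digit added)")
    if any(f in c for c in cands for f in FORBIDDEN):
        problems.append("XYZ/Dallas/LosAngeles/password or a derivation")
    if user_id and user_id.lower() in cands:
        problems.append("equals the user ID")
    if any(p.lower() in cands for p in personal):
        problems.append("based on personal information")
    if _is_pattern(pw):
        problems.append("word or number pattern")
    return problems


def meets_strong(pw, user_id=None, personal=()):
    """The policy's positive criteria: mixed case, a digit and a punctuation
    character, at least eight characters, and none of the weak traits."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in PUNCT for c in pw)
            and not weaknesses(pw, user_id, personal))


if __name__ == "__main__":
    # The policy's own examples (do not use them as passwords) plus the
    # weak forms it names.
    for candidate in ("TmB1w2R!", "Tmb1W>r~", "C0mp*t3r", "c*mp@ter",
                      "password1", "1password", "drowssap", "123321", "qwerty"):
        print(f"{candidate:12} strong={meets_strong(candidate)!s:5} "
              f"{weaknesses(candidate)}")
    print("Jonathan / user Jonathan:", weaknesses("Jonathan", user_id="Jonathan"))
```

Running it against the policy's own examples shows one thing worth catching before a policy is circulated: "c*mp@ter", which the policy offers as a suggested variation, has no upper-case letter and no digit, so it fails the policy's own strong-password criteria, while "password1", "1password" and "drowssap" are all caught by the reversed and digit-stripped forms. A checker like this is also what the policy's "password cracking or guessing ... by the IS department" clause amounts to in practice, minus the wordlist.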

