Re: Funny - any comments?
From: Martin Schmid (martinschmid_at_sbcglobal.net.nospam)
Date: 12/15/03
- Next message: Bill Sanderson: "Re: I cant open my email count any more:("
- Previous message: Mike Burgess: "Re: why they keep coming back?"
- In reply to: Kent W. England [MVP]: "Re: Funny - any comments?"
- Next in thread: N. Miller: "Re: Funny - any comments?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Dec 2003 08:53:31 -0600
The point of my original message was the lack of information that was
provided to management and users - I'm not an IT person (in my present
organization), and just wanted to make sure I had the insight if I
wanted to approach management about this issue.
Thanks for your replies.
--
Thanks,
Martin Schmid, EIT, CCSA, MCDBA, MCSE
"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:%23E9FExlwDHA.3116@TK2MSFTNGP11.phx.gbl...
> This is all well and good, but you didn't mention any of these details
> in your original post, so what's the point? Of course, if you have
> technical solutions that don't require IT staff to know passwords, that
> is better than a slapped together system where IT staff simply must know
> passwords. The point of my post is that a patchwork system is far from
> rare, which goes to the point of your original question.
>
> --
> Kent W. England, Microsoft MVP for Windows Security
>
>
> "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in message
> news:%23BgqUnYwDHA.2308@TK2MSFTNGP11.phx.gbl...
> > The actual issue is the Exchange email server is in one Windows domain, and
> > our office is in another Windows domain - so the passwords must be sync'd;
> > however, isn't there a cleaner way to do this, i.e. through a proper trust,
> > or proper Exchange configuration? I.e., have the user login to each domain,
> > and make sure they set the passwords to the same thing? Then, the passwords
> > are never shared with any other person (i.e. per the policy).
> >
> > My opinion is that the passwords shouldn't be shared, especially when it is
> > not absolutely necessary, and it's not in this instance - I found a
> > work-around.
> >
> > The last office I worked in, they kept a list in case they had to get on the
> > user's machine to make any changes. However, typically these changes could
> > be made w/ an admin account. If absolutely necessary, the admin could
> > change the user's password anyway; but of course the admin would have to
> > tell the user what it was changed to, and have the user change it on first
> > log-in. However, I see this as respect, proper communication, and
> > professionalism - the user should be made aware of why the admin had to get
> > on the machine anyway. It comes down to accountability - granted you should
> > trust your admin, but the admin should also be competent and implement
> > solutions that don't interfere with their own policies! If they aren't able
> > to do this, the admin is just as much a security issue as all the
> > un-informed, and under-informed users!
> >
> >
> > --
> > Thanks,
> > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> >
> >
> > "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> > news:%23mQXH6UwDHA.3116@tk2msftngp13.phx.gbl...
> > > This is quite common and you are exactly right -- many corporate
> > > networks are a jumble of incompatible systems and add-ons. A user has a
> > > Windows password to logon to their desktop and/or domain, they may have
> > > a Netware password, they have a password to a third-party email server,
> > > and they have a password to the Internet proxy. None of these systems
> > > are connected and so the IS people are the only ones who can manage
> > > password changes.
> > >
> > > There is no point in trying to do what Robert recommends. The implied
> > > policy is that the IT department is the master keeper of the network
> > > application passwords. You can and must give passwords to the IT staff,
> > > but to no one else, and you can only do it in a phone call or in person.
> > > The only password the users can change is the Windows password and that
> > > is only because you can't really stop them. :-)
> > >
> > > It really isn't that much different than if the IT department bought
> > > some app or developed some web site where users could enter their
> > > password changes and the app would sync all the passwords automatically.
> > > IT staff would still have access to the database of passwords --
> > > management would insist on it. Of course, it might be better to have a
> > > system where passwords can only be changed by IT staff, but IT staff
> > > usually has access to all the data anyway.
> > >
> > > Bottom line -- if you can't trust IT and your janitor, you are really
> > > out of luck.
> > >
> > > --
> > > Kent W. England, Microsoft MVP for Windows Security
> > >
> > >
> > >
> > > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> > > news:OaVxRrRwDHA.3144@tk2msftngp13.phx.gbl...
> > > > I don't think so--I think he's got a mailserver running some system
> > > > which has no method of synching passwords with the rest of the network,
> > > > and no method for the user to make the change themselves. Ugly, but
> > > > quite possible--and I agree with Robert Moir about "correct" responses,
> > > > given the policy!
> > > >
> > > >
> > > > "Chris Knapp" <dont@spam.me> wrote in message
> > > > news:uVIPIfQwDHA.1744@TK2MSFTNGP12.phx.gbl...
> > > > > Sounds like the boss is forcing him to maintain a list of passwords.
> > > > > My old computer illiterate boss used to ask for this too. . . (Not
> > > > > that he could even figure out how to login as someone other than
> > > > > himself. . .) I'm not bitter. ;-)
> > > > >
> > > > >
> > > > > "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in
> message
> > > > > news:uMG3IzOwDHA.1196@TK2MSFTNGP12.phx.gbl...
> > > > > > I just received this message from my IS staff person--- note that
> > > > > > this was just a few minutes after receiving the new 'Password
> > > > > > Policy' below. Any comments are welcome!
> > > > > >
> > > > > > --
> > > > > > Thanks,
> > > > > > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> > > > > >
> > > > > > -----
> > > > > >
> > > > > > Message received about 11:45am today
> > > > > >
> > > > > > The easiest way to change your password is by hitting CTRL-ALT-DEL
> > > > > > at the same time and press the change password button.
> > > > > >
> > > > > >
> > > > > >
> > > > > > However, everyone in XYZ-2 office will have to let me know (over
> > > > > > the phone only) what their new password is, otherwise they will not
> > > > > > be able to access their e-mail from the XYZ mail server. So, I will
> > > > > > be calling the XYZ-2 office this afternoon and will talk to
> > > > > > everyone, and will change their passwords here as well.
> > > > > >
> > > > > >
> > > > > > ----
> > > > > > Policy received about 11:30 am today.
> > > > > >
> > > > > > Password Policy
> > > > > >
> > > > > > Overview
> > > > > >
> > > > > > Passwords are an important aspect of computer security. They are
> > > > > > the front line of protection for user accounts. A poorly chosen
> > > > > > password may result in the compromise of XYZ's entire corporate
> > > > > > network. As such, all XYZ employees (including contractors and
> > > > > > vendors with access to XYZ systems) are responsible for taking the
> > > > > > appropriate steps, as outlined below, to select and secure their
> > > > > > passwords.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Policy
> > > > > >
> > > > > > The purpose of this policy is to establish a standard for creation
> > > > > > of strong passwords, the protection of those passwords, and the
> > > > > > frequency of change. This policy includes all personnel who have or
> > > > > > are responsible for an account (or any form of access that supports
> > > > > > or requires a password) on any system that resides at any XYZ
> > > > > > facility, has access to the XYZ network, or stores any non-public
> > > > > > XYZ information.
> > > > > >
> > > > > >
> > > > > >
> > > > > > General
> > > > > >
> > > > > > · All user-level passwords must be changed every four months (you
> > > > > > will be prompted each time your password has expired).
> > > > > >
> > > > > > · Passwords must not be inserted into email messages or other forms
> > > > > > of electronic communication.
> > > > > >
> > > > > > · All user-level and system-level passwords must conform to the
> > > > > > guidelines described below.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Guidelines
> > > > > >
> > > > > > General Password Construction Guidelines
> > > > > >
> > > > > > Passwords are used for various purposes at XYZ. Some of the more
> > > > > > common uses include: network/PC login, Wind2, and voicemail.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Poor, weak passwords have the following characteristics:
> > > > > >
> > > > > > · The password contains less than six characters
> > > > > >
> > > > > > · The password is a word found in the dictionary (English or
> > > > > > foreign)
> > > > > >
> > > > > > · The password is a common usage word such as:
> > > > > >
> > > > > > o Names of family, pets, friends, co-workers, fantasy characters,
> > > > > > etc.
> > > > > >
> > > > > > o Computer terms and names, commands, sites, companies, hardware,
> > > > > > software.
> > > > > >
> > > > > > o The words "XYZ", "Dallas", "LosAngeles", "password" or any
> > > > > > derivation.
> > > > > >
> > > > > > o Birthdays and other personal information such as addresses and
> > > > > > phone numbers.
> > > > > >
> > > > > > o UserID (i.e. if the login ID is "Jonathan" the password should
> > > > > > not be "Jonathan")
> > > > > >
> > > > > > o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321,
> > > > > > etc.
> > > > > >
> > > > > > o Any of the above spelled backwards.
> > > > > >
> > > > > > o Any of the above preceded or followed by a digit (e.g.,
> > > > > > password1, 1password)
> > > > > >
> > > > > >
> > > > > >
> > > > > > Strong passwords have the following characteristics:
> > > > > >
> > > > > > · Contain both upper and lower case characters (e.g., a-z, A-Z)
> > > > > >
> > > > > > · Have digits and punctuation characters as well as letters (e.g.,
> > > > > > 0-9, !@#$%^&*()_+|~-=\'{}[]:";`<>?,./ )
> > > > > >
> > > > > > · Are at least eight alphanumeric characters long
> > > > > >
> > > > > > · Are not a word in any language, slang, dialect, jargon, etc.
> > > > > >
> > > > > > · Are not based on personal information, names of family, etc.
> > > > > >
> > > > > > · Passwords should never be written down or stored on-line. Try to
> > > > > > create passwords that can be easily remembered. One way to do this
> > > > > > is create a password based on a song title, affirmation, or other
> > > > > > phrase. For example, the phrase might be: "This May Be One Way to
> > > > > > Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or
> > > > > > some other variation. Also you can use special characters or
> > > > > > numbers to replace letters in a word, for example the word is
> > > > > > "computer" and the password could be: "C0mp*t3r" or "c*mp@ter".
> > > > > >
> > > > > > NOTE: Do not use any of the above examples as passwords!
> > > > > >
> > > > > >
> > > > > >
> > > > > > Password Protection Standards
> > > > > >
> > > > > > Do not use the same password for XYZ accounts as for other non-XYZ
> > > > > > access (e.g. personal ISP or at home internet accounts, benefits,
> > > > > > personal (yahoo or hotmail) e-mail accounts, etc.).
> > > > > >
> > > > > >
> > > > > >
> > > > > > Do not share XYZ passwords with anyone, including administrative
> > > > > > assistants or secretaries. All passwords are to be treated as
> > > > > > sensitive, confidential XYZ information.
> > > > > >
> > > > > > · Don't reveal a password in an email message
> > > > > >
> > > > > > · Don't talk about a password in front of others
> > > > > >
> > > > > > · Don't hint at the format of a password (e.g., "my favorite song
> > > > > > title")
> > > > > >
> > > > > > · Don't reveal a password on questionnaires
> > > > > >
> > > > > > · Don't share a password with family members
> > > > > >
> > > > > >
> > > > > >
> > > > > > If someone demands a password, refer them to this document or have
> > > > > > them call the IS department.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Never use the "Remember My Password" feature of applications (e.g.,
> > > > > > Eudora, IM, Yahoo, etc.). This is very un-secure as it saves the
> > > > > > password to your computer (or sometimes on the internet!)
> > > > > >
> > > > > >
> > > > > >
> > > > > > Again, do not write passwords down and store them anywhere in your
> > > > > > office. Do not store passwords in a file on ANY computer systems
> > > > > > (including Palm Pilots or similar devices) without encryption.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Change passwords at least once every four months.
> > > > > >
> > > > > >
> > > > > >
> > > > > > If an account or password is suspected to have been compromised,
> > > > > > report the incident to the IS department, and change all passwords.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Password cracking or guessing may be performed on a periodic or
> > > > > > random basis by the IS department. If a password is guessed or
> > > > > > cracked during one of these scans, the user will be required to
> > > > > > change it.
> > > > > >
> > > > > >
> > > > > >
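The "Password Construction Guidelines" quoted in the policy above read as a checklist (at least eight characters, mixed case, a digit and a punctuation character, not a dictionary or company word, not the user ID, no keyboard or repeat patterns, and none of those with a digit added or spelled backwards), which is exactly the kind of rule set a password filter can enforce at change time instead of relying on the user to remember it. The checker below is an added example and is not code from any poster or from the XYZ policy; its word lists and the sample passwords are constructed for illustration, and the leet-style substitution check goes slightly beyond the policy text to catch the "C0mput3r" family of variants the policy's own "do not use these examples" note hints at.

```python
"""Checker for the password construction rules quoted in the XYZ policy.

Added example, not part of the original posts. The word lists and the sample
passwords are constructed; a real deployment would load a full dictionary and
the organisation's own banned-word list.
"""
import re
import string

# Words the policy names explicitly (company/location names and "password").
COMPANY_WORDS = {"xyz", "dallas", "losangeles", "password"}
# Keyboard and number patterns the policy gives as examples of weak passwords.
KNOWN_PATTERNS = ["aaabbb", "qwerty", "zyxwvuts", "123321"]
# Constructed stand-in for "a word found in the dictionary" and common names.
DICTIONARY = {"computer", "summer", "welcome", "jonathan", "fluffy"}
# Common letter substitutions (assumption, not in the policy): lets the
# dictionary check also catch "C0mput3r"-style variants of a banned word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def _has_run_or_sequence(s, n=3):
    """True if s contains n identical characters in a row (aaa) or n characters
    stepping by +1/-1 in code point (abc, cba, 123, 321), e.g. aaabbb or 123321."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _candidate_forms(password):
    """All forms the policy says must not be a banned word: the password itself,
    with leading/trailing digits stripped ("password1", "1password"),
    spelled backwards, and with common substitutions undone."""
    lower = password.lower()
    stripped = re.sub(r"^\d+|\d+$", "", lower)
    forms = {lower, stripped}
    forms |= {f[::-1] for f in list(forms)}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    return forms


def check_password(password, user_id=""):
    """Return the list of policy rules the password violates.

    An empty list means the password satisfies the construction rules quoted
    in the policy (it says nothing about whether it is otherwise a good choice)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    forms = _candidate_forms(password)
    if forms & DICTIONARY:
        problems.append("based on a dictionary word or name")
    if forms & COMPANY_WORDS:
        problems.append("based on a company/location word or 'password'")
    if user_id and user_id.lower() in forms:
        problems.append("same as the user ID")
    lower = password.lower()
    if (any(p in lower or p[::-1] in lower for p in KNOWN_PATTERNS)
            or _has_run_or_sequence(lower)):
        problems.append("contains a keyboard, repeat or sequence pattern")
    return problems


if __name__ == "__main__":
    # Constructed samples: the policy's own two passphrase-derived examples,
    # plus variants of the weak forms it lists.
    samples = [("TmB1w2R!", ""), ("Tmb1W>r~", ""), ("password1", ""),
               ("Jonathan1", "Jonathan"), ("C0mput3r", ""), ("Qwerty12!", "")]
    for pw, uid in samples:
        verdict = check_password(pw, uid) or ["ok"]
        print(f"{pw:12} -> {'; '.join(verdict)}")
```

Run as a script it prints one verdict line per sample; wired into a change-password hook it would give the user the specific rule they missed rather than a generic rejection, which is the information the thread complains was never provided.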