Re: Funny - any comments?

From: Martin Schmid (martinschmid_at_sbcglobal.net.nospam)
Date: 12/15/03


Date: Mon, 15 Dec 2003 08:53:31 -0600

The point of my original message was the lack of information that was
provided to management and users - I'm not an IT person (in my present
organization), and just wanted to make sure I had the insight if I
wanted to approach management about this issue.

Thanks for your replies.

-- 
Thanks,
Martin Schmid, EIT, CCSA, MCDBA, MCSE
"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:%23E9FExlwDHA.3116@TK2MSFTNGP11.phx.gbl...
> This is all well and good, but you didn't mention any of these details
> in your original post, so what's the point? Of course, if you have
> technical solutions that don't require IT staff to know passwords, that
> is better than a slapped together system where IT staff simply must know
> passwords. The point of my post is that a patchwork system is far from
> rare, which goes to the point of your original question.
>
> -- 
> Kent W. England, Microsoft MVP for Windows Security
>
>
> "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in message
> news:%23BgqUnYwDHA.2308@TK2MSFTNGP11.phx.gbl...
> > The actual issue is the Exchange email server is in one Windows
> > domain, and our office is in another Windows domain - so the passwords
> > must be sync'd; however, isn't there a cleaner way to do this, i.e.
> > through a proper trust, or proper Exchange configuration?  I.e., have
> > the user login to each domain, and make sure they set the passwords to
> > the same thing?  Then, the passwords are never shared with any other
> > person (i.e. per the policy).
> >
> > My opinion is that the passwords shouldn't be shared, especially when
> > it is not absolutely necessary, and it's not in this instance - I found
> > a work-around.
> >
> > The last office I worked in, they kept a list in case they had to get
> > on the user's machine to make any changes.  However, typically these
> > changes could be made w/ an admin account.  If absolutely necessary,
> > the admin could change the user's password anyway; but of course the
> > admin would have to tell the user what it was changed to, and have the
> > user change it on first log-in.  However, I see this as respect, proper
> > communication, and professionalism - the user should be made aware of
> > why the admin had to get on the machine anyway.  It comes down to
> > accountability - granted you should trust your admin, but the admin
> > should also be competent and implement solutions that don't interfere
> > with their own policies!  If they aren't able to do this, the admin is
> > just as much a security issue as all the un-informed, and
> > under-informed users!
> >
> >
> > -- 
> > Thanks,
> > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> >
> >
> > "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> > news:%23mQXH6UwDHA.3116@tk2msftngp13.phx.gbl...
> > > This is quite common and you are exactly right -- many corporate
> > > networks are a jumble of incompatible systems and add-ons. A user has
> > > a Windows password to logon to their desktop and/or domain, they may
> > > have a Netware password, they have a password to a third-party email
> > > server, and they have a password to the Internet proxy. None of these
> > > systems are connected and so the IS people are the only ones who can
> > > manage password changes.
> > >
> > > There is no point in trying to do what Robert recommends. The implied
> > > policy is that the IT department is the master keeper of the network
> > > application passwords. You can and must give passwords to the IT
> > > staff, but to no one else, and you can only do it in a phone call or
> > > in person. The only password the users can change is the Windows
> > > password and that is only because you can't really stop them. :-)
> > >
> > > It really isn't that much different than if the IT department bought
> > > some app or developed some web site where users could enter their
> > > password changes and the app would sync all the passwords
> > > automatically. IT staff would still have access to the database of
> > > passwords -- management would insist on it. Of course, it might be
> > > better to have a system where passwords can only be changed by IT
> > > staff, but IT staff usually has access to all the data anyway.
> > >
> > > Bottom line -- if you can't trust IT and your janitor, you are really
> > > out of luck.
> > >
> > > -- 
> > > Kent W. England, Microsoft MVP for Windows Security
> > >
> > >
> > > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> > > news:OaVxRrRwDHA.3144@tk2msftngp13.phx.gbl...
> > > > I don't think so--I think he's got a mailserver running some system
> > > > which has no method of synching passwords with the rest of the
> > > > network, and no method for the user to make the change themselves.
> > > > Ugly, but quite possible--and I agree with Robert Moir about
> > > > "correct" responses, given the policy!
> > > >
> > > >
> > > > "Chris Knapp" <dont@spam.me> wrote in message
> > > > news:uVIPIfQwDHA.1744@TK2MSFTNGP12.phx.gbl...
> > > > > Sounds like the boss is forcing him to maintain a list of
> > > > > passwords.  My old computer illiterate boss used to ask for this
> > > > > too. . . (Not that he could even figure out how to login as
> > > > > someone other than himself. . .)  I'm not bitter. ;-)
> > > > >
> > > > >
> > > > > "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in
> > > > > message news:uMG3IzOwDHA.1196@TK2MSFTNGP12.phx.gbl...
> > > > > > I just received this message from my IS staff person--- note
> > > > > > that this was just a few minutes after receiving the new
> > > > > > 'Password Policy' below.  Any comments are welcome!
> > > > > >
> > > > > > -- 
> > > > > > Thanks,
> > > > > > Martin Schmid, EIT, CCSA, MCDBA, MCSE
> > > > > >
> > > > > > -----
> > > > > >
> > > > > > Message received about 11:45am today
> > > > > >
> > > > > > The easiest way to change your password is by hitting
> > > > > > CTRL-ALT-DEL at the same time and press the change password
> > > > > > button.
> > > > > >
> > > > > > However, everyone in XYZ-2 office will have to let me know
> > > > > > (over the phone only) what their new password is, otherwise
> > > > > > they will not be able to access their e-mail from the XYZ mail
> > > > > > server. So, I will be calling the XYZ-2 office this afternoon
> > > > > > and will talk to everyone, and will change their passwords here
> > > > > > as well.
> > > > > >
> > > > > > ----
> > > > > > Policy received about 11:30 am today.
> > > > > >
> > > > > > Password Policy
> > > > > >
> > > > > > Overview
> > > > > >
> > > > > > Passwords are an important aspect of computer security. They
> > > > > > are the front line of protection for user accounts. A poorly
> > > > > > chosen password may result in the compromise of XYZ's entire
> > > > > > corporate network. As such, all XYZ employees (including
> > > > > > contractors and vendors with access to XYZ systems) are
> > > > > > responsible for taking the appropriate steps, as outlined
> > > > > > below, to select and secure their passwords.
> > > > > >
> > > > > > Policy
> > > > > >
> > > > > > The purpose of this policy is to establish a standard for
> > > > > > creation of strong passwords, the protection of those
> > > > > > passwords, and the frequency of change. This policy includes
> > > > > > all personnel who have or are responsible for an account (or
> > > > > > any form of access that supports or requires a password) on any
> > > > > > system that resides at any XYZ facility, has access to the XYZ
> > > > > > network, or stores any non-public XYZ information.
> > > > > >
> > > > > > General
> > > > > >
> > > > > > - All user-level passwords must be changed every four months
> > > > > >   (you will be prompted each time your password has expired).
> > > > > > - Passwords must not be inserted into email messages or other
> > > > > >   forms of electronic communication.
> > > > > > - All user-level and system-level passwords must conform to
> > > > > >   the guidelines described below.
> > > > > >
> > > > > > Guidelines
> > > > > >
> > > > > > General Password Construction Guidelines
> > > > > >
> > > > > > Passwords are used for various purposes at XYZ. Some of the
> > > > > > more common uses include: network/PC login, Wind2, and
> > > > > > voicemail.
> > > > > >
> > > > > > Poor, weak passwords have the following characteristics:
> > > > > >
> > > > > > - The password contains less than six characters
> > > > > > - The password is a word found in the dictionary (English or
> > > > > >   foreign)
> > > > > > - The password is a common usage word such as:
> > > > > >   o Names of family, pets, friends, co-workers, fantasy
> > > > > >     characters, etc.
> > > > > >   o Computer terms and names, commands, sites, companies,
> > > > > >     hardware, software.
> > > > > >   o The words "XYZ", "Dallas", "LosAngeles", "password" or any
> > > > > >     derivation.
> > > > > >   o Birthdays and other personal information such as addresses
> > > > > >     and phone numbers.
> > > > > >   o UserID (i.e. if the login ID is "Jonathan" the password
> > > > > >     should not be "Jonathan")
> > > > > >   o Word or number patterns like aaabbb, qwerty, zyxwvuts,
> > > > > >     123321, etc.
> > > > > >   o Any of the above spelled backwards.
> > > > > >   o Any of the above preceded or followed by a digit (e.g.,
> > > > > >     password1, 1password)
> > > > > >
> > > > > > Strong passwords have the following characteristics:
> > > > > >
> > > > > > - Contain both upper and lower case characters (e.g., a-z, A-Z)
> > > > > > - Have digits and punctuation characters as well as letters
> > > > > >   (e.g., 0-9, !@#$%^&*()_+|~-=\'{}[]:";`<>?,./ )
> > > > > > - Are at least eight alphanumeric characters long
> > > > > > - Is not a word in any language, slang, dialect, jargon, etc
> > > > > > - Are not based on personal information, names of family, etc.
> > > > > > - Passwords should never be written down or stored on-line. Try
> > > > > >   to create passwords that can be easily remembered. One way to
> > > > > >   do this is create a password based on a song title,
> > > > > >   affirmation, or other phrase. For example, the phrase might
> > > > > >   be: "This May Be One Way to Remember" and the password could
> > > > > >   be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Also
> > > > > >   you can use special characters or numbers to replace letters
> > > > > >   in a word, for example the word is "computer" and the
> > > > > >   password could be: "C0mp*t3r" or "c*mp@ter".
> > > > > >
> > > > > > NOTE: Do not use any of the above examples as passwords!
> > > > > >
> > > > > > Password Protection Standards
> > > > > >
> > > > > > Do not use the same password for XYZ accounts as for other
> > > > > > non-XYZ access (e.g. personal ISP or at home internet accounts,
> > > > > > benefits, personal (yahoo or hotmail) e-mail accounts, etc.).
> > > > > >
> > > > > > Do not share XYZ passwords with anyone, including
> > > > > > administrative assistants or secretaries. All passwords are to
> > > > > > be treated as sensitive, confidential XYZ information.
> > > > > >
> > > > > > - Don't reveal a password in an email message
> > > > > > - Don't talk about a password in front of others
> > > > > > - Don't hint at the format of a password (e.g., "my favorite
> > > > > >   song title")
> > > > > > - Don't reveal a password on questionnaires
> > > > > > - Don't share a password with family members
> > > > > >
> > > > > > If someone demands a password, refer them to this document or
> > > > > > have them call the IS department.
> > > > > >
> > > > > > Never use the "Remember My Password" feature of applications
> > > > > > (e.g., Eudora, IM, Yahoo, etc.). This is very un-secure as it
> > > > > > saves the password to your computer (or sometimes on the
> > > > > > internet!)
> > > > > >
> > > > > > Again, do not write passwords down and store them anywhere in
> > > > > > your office. Do not store passwords in a file on ANY computer
> > > > > > systems (including Palm Pilots or similar devices) without
> > > > > > encryption.
> > > > > >
> > > > > > Change passwords at least once every four months.
> > > > > >
> > > > > > If an account or password is suspected to have been
> > > > > > compromised, report the incident to the IS department, and
> > > > > > change all passwords.
> > > > > >
> > > > > > Password cracking or guessing may be performed on a periodic or
> > > > > > random basis by the IS department. If a password is guessed or
> > > > > > cracked during one of these scans, the user will be required to
> > > > > > change it.
> > > > > >
> > > > >
> > > >
> > >
> >
>
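The quoted XYZ policy lists the weak-password characteristics (dictionary words, the user ID, keyboard and number patterns, any of those reversed or with a digit tacked on) and the strong-password requirements (eight characters, mixed case, a digit or punctuation mark). The checker below is an added example written for this thread, not code from the posting, from Microsoft, or from any product the thread names; it turns those rules into a validator a help desk or self-service password-change page could run before accepting a new password. The word list and the organisation-specific words are constructed stand-ins for a real dictionary file, and the example goes slightly beyond the policy's wording: it strips runs of leading or trailing digits rather than a single digit, and treats the user ID like any other forbidden word (reversed or digit-padded forms included).

```python
import re
import string

# Constructed stand-ins for a real dictionary file and for the policy's
# organisation-specific words ("XYZ", "Dallas", "LosAngeles", "password").
DICTIONARY = {
    "password", "computer", "welcome", "summer", "letmein",
    "xyz", "dallas", "losangeles",
}
# Keyboard rows, the alphabet and the digit row cover the "qwerty",
# "zyxwvuts" and "123321" style patterns the policy lists.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase]
SEQUENCES += [s[::-1] for s in SEQUENCES]


def _strip_edge_digits(s: str) -> str:
    """'password1' -> 'password', '1password' -> 'password'.  The policy's
    example shows one digit; stripping a whole run of leading or trailing
    digits is a stricter generalisation.  All-digit input is left as is."""
    return re.sub(r"^\d+|\d+$", "", s) or s


def _is_walk(s: str) -> bool:
    """True if s is a run of a keyboard row, the alphabet or the digits,
    forwards or backwards, e.g. 'qwerty', 'zyxwvuts', '345'."""
    return len(s) >= 3 and any(s in seq for seq in SEQUENCES)


def _is_pattern(s: str) -> bool:
    """Word or number patterns: 'aaabbb' (runs of repeated characters),
    'qwerty' (keyboard walk) or '123321' (a walk followed by its mirror)."""
    if _is_walk(s):
        return True
    if re.fullmatch(r"(?:(.)\1+)+", s):          # aaabbb, 1122, zzzzzz
        return True
    half = len(s) // 2
    return len(s) >= 4 and s == s[::-1] and _is_walk(s[:half])


def check_password(password: str, user_id: str) -> list[str]:
    """Return the policy rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("has no digit or punctuation character")

    lower = password.lower()
    core = _strip_edge_digits(lower)
    # The forms the policy forbids: the word itself, spelled backwards,
    # and either of those with digits on the front or back.
    candidates = {lower, core, lower[::-1], core[::-1]}

    if candidates & DICTIONARY:
        problems.append("is a dictionary or common-usage word (possibly reversed or with digits added)")
    if user_id and user_id.lower() in candidates:
        problems.append("is the user ID (possibly reversed or with digits added)")
    if any(_is_pattern(c) for c in candidates):
        problems.append("is a keyboard, alphabet or repeated-character pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the policy's own illustrations.
    for pw in ["TmB1w2R!", "C0mp*t3r", "password1", "Drowssap1",
               "Jonathan1", "Qwerty12", "123321"]:
        verdict = check_password(pw, "Jonathan")
        print(f"{pw:12} {'OK' if not verdict else '; '.join(verdict)}")
```

A check like this catches only what the policy enumerates; it does not replace the periodic cracking scans the policy describes, and a deployment would load a full word list in place of the constructed `DICTIONARY`.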

