  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 227
  • Last Modified:

User Password Policy

Our business is run off of an SBS 2003 server. Currently I have an Excel spreadsheet with all user names and passwords. They are changed infrequently, if ever. There are several reasons for this. I frequently need to log in to people's computers when they are gone to do various things. Several examples of this would be:

1. Submit billable time - this can only be done through an application set up under their user profile.
2. Perform various maintenance on someone's profile - without the need to schedule this beforehand.
3. Set an out-of-office reply for someone who forgot and went on vacation.
4. These are just a few of the examples.

This started when we were a smaller company, and we have now grown to about 50 users. I realize this is a security risk and would like to find a good workaround so that I can set up a password policy that will ensure passwords are changed frequently, but still allow me the same type of access without having to keep track of all the passwords.

Thanks in advance for your help and ideas!
Asked by: ITPro44

4 Solutions
matthewrhoades commented:
My take on this:

1. Your job is to enforce security, not convenience. As an administrator, your privates are going into the bandsaw if you lose sensitive data, not Joe User sunning himself in the Bahamas. Enforce a good password policy using your Active Directory GPO.

2. Set passwords to expire for individual users commensurate with the amount of sensitive data they have access to. Your secretary might not need a new password every 30 days for Solitaire and a phone list.

3. Let people deal with their own passwords; if they leave and forget to do something, reset their password to access their computer.

It sucks when you have to log into their computer to do work; this should be the exception, not the rule.

I have the same kind of environment you do (looking at your user name, possibly the same industry even), and I can tell you for certain that you are better off entrusting password tracking to department managers. They should have the spreadsheet in case one of their people goes on vacation.

My two cents.
0
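An added example, not part of this thread, to accompany the advice above on enforcing expiry through the domain policy: a PowerShell report of the current domain password policy and of enabled accounts whose passwords are stale or flagged never to expire, so a new policy can be rolled out without surprising anyone. It assumes the ActiveDirectory PowerShell module (RSAT or a 2008 R2 or later domain controller), which is newer than SBS 2003 itself.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# which SBS 2003 itself predates; run from a newer DC or RSAT workstation.
param(
    [int]$MaxAgeDays = 90,   # threshold for "stale"; pick per the policy you intend to set
    [string]$ReportPath = '.\password-age-report.csv'
)
Import-Module ActiveDirectory

# 1. What the domain currently enforces (SBS-era domains often have MaxPasswordAge = 0 / never).
Get-ADDefaultDomainPasswordPolicy |
    Format-List MaxPasswordAge, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount

# 2. Per-account findings for enabled users.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$users  = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

$report = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        $finding = 'PasswordNeverExpires flag set'
    } elseif (-not $u.PasswordLastSet) {
        $finding = 'Password never set / must change at next logon'
    } elseif ($u.PasswordLastSet -lt $cutoff) {
        $finding = "Older than $MaxAgeDays days"
    } else {
        $finding = 'OK'
    }
    $age = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        PasswordAgeDays = $age
        LastLogonDate   = $u.LastLogonDate
        Finding         = $finding
    }
}

# Show the problem accounts on screen and keep the full list for the rollout plan.
$report | Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Accounts flagged here are the ones an expiry policy will force to change first; communicating that list to their managers is the "let the community know" step the thread recommends.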
 
-DJL- commented:
I agree with the above.

However, if you do want to carry on, you will need to work out how you can do each of your current tasks without being able to log in as the user.

With regard to the out-of-office message: you can assign yourself permissions in Exchange to allow you to access everyone's mailbox. http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21089848.html

What maintenance do you need to perform on a user's profile?

Does your billable time application not have an admin mode that will let you enter data for users?
0
 
motley74 commented:
You could try to log in to the system using an Administrator account and then do what you need to do. In order to access programs that need to be run under a certain user, you could use the "runas" command to run the program as a different user, although you will still need to know the password of the user to run as.
I don't think there is any way to do what you want, as any method where more than the user knows the password is a security risk. Of course, I say this not knowing how the software that you need to access under specific users works.
0
 
Mike Kline commented:
I'm with Matt.
What if you enforce a password policy but also let the community know that if they are on vacation or there is an emergency, you may have to change their password? You can always change it, log in with the new password, and then they can change it when they get back.
I take my hat off to you SBS guys. You all have to do it all (Exchange, AD, tech support, etc.).
You could show the boss security guides from the NSA or Microsoft. Everyone recommends that password policies be set.
Thanks
Mike
0
 
ITPro44 (Author) commented:
Wow! Thanks for all the responses. I really appreciate them all!

Matt: I also agree with a lot of what you said. Thanks for your response. Knowing the habits of our department heads, I probably won't entrust this info to any of them. :)

DJL: Very slick recommendation for Outlook! You taught me something new. Thanks! As for maintenance, in the past it's been cleaning up their user profile temp files, cache and whatnot if they have been complaining about a slower system and they happen to be out of the office. Other random things. The scenario around submitting billable time is that usually the user has entered the time but didn't send it off to the accountant. So it's all there on their profile; it just needs to be sent. The admin mode does not accommodate this.

Motley74: I think I do need to more closely define when and why I need these passwords... I think if I do this, then it will put the risk/benefit ratio in perspective.

mkline71: Thanks for your kind words. I've already filled up several hat racks; reminds me I need to go out and get another soon. :) I think, like you mentioned, that establishing some expectations around passwords and communicating to the users how things will be handled is the way to go.

Thanks Everyone!
0
 
ITPro44 (Author) commented:
Thanks!
0
 
-DJL- commented:
Glad to help.

You could perform most of the profile maintenance by logging in to the workstation as an administrator and then browsing to C:\Documents and Settings\UserName and deleting temp files, etc.
0
 
ITPro44 (Author) commented:
Yeah, I normally run utilities such as CCleaner, which only empties the logged-in user's settings as far as I know.

0
