Password management for an Enterprise


I need an overview about educating us as users with regards to saving passwords and preventing password sharing. In addition to it, may I ask your help about the best solution to ensure that our enterprise passwords are protected?
 


For VMWare, we change our domain passwords every 90 days; we have strict rules regarding passwords.

Our network can't be accessed outside of the corporate network. People who don't need access don't get it. We have a standard username/password that we use for customers, and our own for techs. Only the techs get access to those.

We also prank others if they leave their PC unlocked. There isn't a whole lot you can do, other than stern rules.

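The unattended-PC problem raised above is normally closed technically rather than with pranks: make the machine lock itself after a period of inactivity. The PowerShell script below is an added example, not something posted in this thread, and it only touches real Windows policy values: the machine-wide "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs, Windows 8.1/Server 2012 R2 and later) and the per-user password-protected screen-saver policy. The 10-minute timeout and the decision to report by default and only change the registry with -Apply are assumptions for illustration.

```powershell
# Added example (not from the thread): report, and optionally enforce, a
# lock-on-idle configuration so an unattended workstation locks itself.
# Two mechanisms are checked:
#   1. Machine inactivity limit (applies to every interactive logon):
#      HKLM\...\Policies\System\InactivityTimeoutSecs
#   2. Per-user policy: screen saver on, password-protected, with a timeout.
# Run from an elevated prompt. $TimeoutSeconds is an assumed site value.
param(
    [int]$TimeoutSeconds = 600,   # assumption: 10 minutes; adjust to local policy
    [switch]$Apply                # without -Apply the script only reports
)

$userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'InactivityTimeoutSecs'; Value = $TimeoutSeconds; Type = 'DWord';  IsTimeout = $true  },
    @{ Path = $userPolicy; Name = 'ScreenSaveActive';    Value = '1';               Type = 'String'; IsTimeout = $false },
    @{ Path = $userPolicy; Name = 'ScreenSaverIsSecure'; Value = '1';               Type = 'String'; IsTimeout = $false },
    @{ Path = $userPolicy; Name = 'ScreenSaveTimeOut';   Value = "$TimeoutSeconds"; Type = 'String'; IsTimeout = $true  }
)

foreach ($s in $settings) {
    # Read the current value, treating a missing key or value as "unset".
    $current = $null
    if (Test-Path $s.Path) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
    }

    # A shorter timeout than the site value is still compliant; a flag must be '1'.
    if ($s.IsTimeout) {
        $compliant = ($null -ne $current) -and ([int]$current -gt 0) -and ([int]$current -le $TimeoutSeconds)
    } else {
        $compliant = ("$current" -eq "$($s.Value)")
    }

    $shown  = if ($null -eq $current) { '<unset>' } else { $current }
    $status = if ($compliant) { 'OK' } else { 'NONCOMPLIANT' }
    Write-Output ("{0,-13} {1}\{2} = {3}" -f $status, $s.Path, $s.Name, $shown)

    if (-not $compliant -and $Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
        Write-Output ("  -> set to {0}" -f $s.Value)
    }
}
```

In an Active Directory domain these values are normally delivered by Group Policy rather than a script; the HKCU entries written here affect only the account running it, whereas InactivityTimeoutSecs is machine-wide and covers every user who logs on. The script is still useful as a compliance check on machines where you suspect the policy is not landing.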

Hello,

 

I gave a webinar on password and PIN selection a few years ago.  It's not exactly dated, though, since it goes over the fundamentals, which are always good to start with.  You can view a recording at:

 

https://www.brighttalk.com/webcast/1718/87601/passwords-and-pins-the-worst-choices

 

There's no cost to view it, but you do have to register (you can use a throwaway email address, or simply uncheck/unsubscribe from anything during the sign-up).  If you find it of use/interest, I'll see if I can locate the slide deck for you.

 

Regards,


Aryeh Goretsky


11 hours ago, BinaryData said:

We also prank others if they leave their PC unlocked. There isn't a whole lot you can do, other than stern rules.

At my company we do the same, good old "Screen Police" :)

 

Although I don't use it personally, my parent company uses CyberArk; you may find it too expensive or overkill for your setup depending on your size. Basically they use it to guard access to all their servers: you log in to CyberArk with your normal user account, that then logs you into the required service/server with a one-time login, and anything you do is then recorded and logged for future playback. For instance, if you log in to a DC and perform a PowerShell command to update DNS, that session is recorded and logged; I as an admin can then go into the logs, search for DNS and watch a video of what you did. Also great for troubleshooting if another admin does something and can't recall exactly what.

 

https://www.cyberark.com/products/privileged-account-security-solution/

 

Obviously if you want to implement this properly there is a lot of setup required in terms of how your network is layered and services etc accessed.


We tend to use Secret Server for core enterprise passwords, or KeePass for less critical passwords, which can be shared with teams with separate databases for each team.


13 hours ago, BinaryData said:

We also prank others if they leave their PC unlocked.

I know that you do it for fun (I had it happen where someone screenshot my screen, then set it as wallpaper and hid all my icons), but couldn't that backfire later on?


Only at the Help Desk are we allowed to use KeePass: encrypted DB on your home drive, no recovery.

Other departments are using Password Vault with a secondary ID as the login, not the main domain login.

Everyone else is supposed to use encrypted Excel spreadsheets till the Password Vault rollout commences, likely sometime after the Win 10 rollout in the next couple of months.


On 3/7/2017 at 8:33 PM, JenZen said:

I need an overview about educating us as users with regards to saving passwords and preventing password sharing. In addition to it, may I ask your help about the best solution to ensure that our enterprise passwords are protected?
 

Devolutions is your answer. 

 

https://devolutions.net/

 

We use Remote Desktop Manager which is a misnomer because it does far more than just rdp. 


On 3/9/2017 at 9:45 AM, Danielx64 said:

I know that you do it for fun (I had it happen where someone screenshot my screen then set it as wallpaper and hide all my icons) but couldn't that backfire later on?

Depends if users leaving their machines unattended is a breach of IT policy, I'd imagine. I take a screenshot with the Start menu open and make it their wallpaper; then, when the support ticket comes in about their broken Start screen, they are informed that in fact no, it's not: it was the IT admin, nicely and in a jokey way, reminding them not to leave their workstation and email clients open to all. Next time it's raised with their Dept manager, and 3rd strike with HR. A little bit of humour goes a long way for strike 1; it rarely gets past strike 2 tbh.

 

I have the right to access that company resource any time I need to, regardless of user (ofc I inform them first out of good manners). I'm paid to mitigate risk to the electronic resources of said company, and users leaving it unlocked goes against that. I also have our MD's backing on this aspect.

 

the PCs are company equipment and resources, just as their mailboxes are, it is not the property of said user.

 

When users moan about the 5 passwords they have to remember and keep updated, I politely remind them they should think themselves lucky: I have 5 domains to support, each with a normal day-to-day account and a domain admin account, so try keeping 15+ unique, complex and compliant every 30 days. That's not inclusive of the various 21CFR-compliant DB systems I have to administer also. Funny, staff never seem to forget their bank card PINs... I wonder why.

 

To assist them, we permit users to retain a notepad file in their home folder, so all they need to do is remember their Windows password. Only the IT dept and that user have access to the home folder; we found that when we didn't allow this, users would write them down in a notebook and keep it in their white gowns... DOH! Ofc this is only acceptable/possible with tight network ACLs to ensure unauthorised access to others' home folders is not possible.

 

Edited by Mando
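The scheme above only holds if the "tight network ACLs" on the home folders are actually tight, and ACLs on a busy file server drift. The PowerShell script below is an added example, not Mando's own tooling: it walks a home-folder share root and, for each user's folder, reports any Allow entry that is not the folder's user, SYSTEM, BUILTIN\Administrators, CREATOR OWNER or a single IT admin group, reports folders that still inherit permissions from the share root (so that anything granted at the root leaks into every home folder), and reports folders whose user has no access at all (which is what sends passwords back into notebooks). With -Fix it breaks inheritance, strips the unexpected entries and re-adds the user. The share path, the NetBIOS domain name, the IT group name and the assumption that folder names equal the sAMAccountName are all illustrative.

```powershell
# Added example (not from the thread): audit, and optionally fix, NTFS ACLs on
# per-user home folders so only the user and IT can read them.
# Assumptions (adjust for your site): folder name == sAMAccountName, domain
# NetBIOS name $Domain, IT administrators in $AdminGroup, share at $HomeRoot.
param(
    [string]$HomeRoot   = '\\fileserver\home$',          # assumed share root
    [string]$Domain     = 'CORP',                        # assumed NetBIOS domain
    [string]$AdminGroup = 'CORP\IT-HomeFolderAdmins',    # assumed IT admin group
    [switch]$Fix                                         # report only unless set
)

# Principals that may legitimately hold an Allow ACE on every home folder.
$alwaysAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', $AdminGroup)

$findings = @()
function Add-Finding([string]$Folder, [string]$Issue, [string]$Identity, [string]$Rights) {
    $script:findings += [pscustomobject]@{ Folder = $Folder; Issue = $Issue; Identity = $Identity; Rights = $Rights }
}

foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $user = "$Domain\$($dir.Name)"
    $acl  = Get-Acl -Path $dir.FullName

    # Inherited permissions mean whoever is granted at the share root can read
    # this folder too. Break inheritance (copying the inherited ACEs as explicit
    # ones so nothing disappears silently) and re-read before judging the ACEs.
    if (-not $acl.AreAccessRulesProtected) {
        Add-Finding $dir.Name 'InheritanceEnabled' '(share root)' ''
        if ($Fix) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -Path $dir.FullName -AclObject $acl
            $acl = Get-Acl -Path $dir.FullName
        }
    }

    $changed = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries do not widen access
        $id = $ace.IdentityReference.Value
        if ($id -ieq $user -or $alwaysAllowed -contains $id) { continue }
        Add-Finding $dir.Name 'UnexpectedAllowACE' $id "$($ace.FileSystemRights)"
        if ($Fix -and -not $ace.IsInherited) {
            $acl.RemoveAccessRule($ace) | Out-Null
            $changed = $true
        }
    }

    # A folder its own user cannot open defeats the purpose of the scheme.
    $userHasAccess = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $user -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $userHasAccess) {
        Add-Finding $dir.Name 'UserMissing' $user ''
        if ($Fix) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $user, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
            $changed = $true
        }
    }

    if ($changed) { Set-Acl -Path $dir.FullName -AclObject $acl }
}

if ($findings.Count -eq 0) { Write-Output "No findings under $HomeRoot" }
else { $findings | Sort-Object Folder, Issue | Format-Table -AutoSize }
```

Run it without -Fix first and read the report; a folder that turns up with a whole department group on it is usually a share-level grant that was inherited long ago, not a deliberate decision. The script deliberately leaves inherited entries alone unless inheritance has been broken, so the remove step never fails on an ACE it cannot edit. Note that this covers only the NTFS ACL: the share permissions on the share root and any backup or indexing service account with full read are separate paths to the same files, and a notepad file in a home folder is still plaintext on disk and in any backup of it, which is the trade-off Mando is describing.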