Many clients hate long and complex passwords. They want secure systems, but they don’t want to have to do anything to secure their network – they want us to do it all. I recently spent an hour with a client answering questions about how secure their data will be once we move it to the cloud. And the very next day, that client asked me to give her a password that’s short and easy to remember.
We need to work with clients to strike the right balance. Sometimes they are the weakest link. And sometimes we get carried away. Many security experts spend most of their time trying to scare people into compliance. Other times, systems are so locked down that they are essentially unusable for clients.
Our role as IT professionals is to help clients make money, save money, or offer new services through the appropriate use of technology. We should not be viewed as part of the problem, or people who keep the clients from doing their job.
You’ve probably seen some extreme examples where a previous consultant has instituted so many group policy restrictions that you can’t unwrap the spaghetti of overlapping policies to actually help the client get their job done. At the other end of the spectrum, we’ve probably all had a client whose password has been their child’s name – and they’ve not changed it for the past eight years.
With that in mind, here are five tips for creating a balanced approach to network security.
As strange as it sounds, managed service providers (MSPs) tend to do two conflicting things with passwords. On one hand, they create draconian password policies (extremely long, complicated passwords that can never be reused, etc.). On the other hand, they make exceptions for the boss, owner, or partners. So the most important people in the company end up with the weakest passwords.
We like to see passwords changed about once a month. That’s 12 a year. To be honest, on a well-secured Windows system you can make this four times a year or maybe even once a year. Passwords should be long enough (10-12 characters minimum), but recent research shows that most of the “complicated” requirements are no more effective than just having a longer passphrase. We encourage clients to use two or three simple words with spaces in between and throw in a number here or there.
For example, “Super Tasty F00d” scores 100% at passwordmeter.com even though it does not have a special character. The random character password “Q1a6qRu!” only scores 82% – and no one will ever remember it!
Free antivirus programs might be good enough for home use or for very careful clients. But if you spend a lot of time dealing with viruses, you should consider the possibility that your collection of freeware tools is not performing as well as a brand-name for-pay alternative.
In the big picture, no one saves money by using free tools that don’t quite get the job done. If you’re charging clients to maintain their systems, you should use quality tools. The best way for you to save money on this front is to use a tool that’s centrally managed and always up to date.
This gets back to clients wanting everything to be easy and for you to get out of their way so they can do their jobs. But with a modern operating system, properly patched, virtually 100% of viruses require administrative privileges to run. Even with “elevated privileges,” a non-administrator cannot install these programs.
You can create a local administrator level account and tell users to put in those credentials if they really need to install something. That way, when something pops up in front of them, they have to stop and think, “Do I really want to do this?” Combine this with some solid user education and the answer will always be “no”.
Almost no one does this, and I don’t know why. Most routers are “set it and forget it.” But you can’t do that with firewalls. The bad guys aren’t just attacking desktops. The really talented ones are attacking firewalls. That means a) they’re looking for holes that need patching, and b) once they find them, it’s too late.
You probably don’t need to update firewalls every 30 days, but you should look at them at least once per calendar quarter. If you have a business-class firewall, it may have intrusion detection, antivirus, and other add-on features. Those should be updated monthly. When you have a single point of entry, the bad guys have only one way in, and they can pound on it until they succeed.
Some days, I think group policies are the worst thing ever invented. We’ve taken on new clients who had literally made their server unusable because they had instituted so many complicated group policies. Nowhere else does the KISS principle apply more: Keep it simple!
I’m a big advocate of documentation, so of course we document all group policies at client offices. The first question is: Purpose of this policy? Group policies are a great way to implement the password policy above, or to set account lockout parameters. Managing passwords themselves, however, is a bad idea. Group policies store passwords in a lightly encrypted (easy to crack) format. So don’t use group policies to reset passwords on all the local admin accounts on a domain.
The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security. Once you’ve got a handful to simple, easy-to-implement policies, it is very easy to enforce them consistently across all your clients.