
Do we go overboard with security?

By Karl Palachuk
7 June, 2016

Many clients hate long and complex passwords. They want secure systems, but they don’t want to have to do anything to secure their network – they want us to do it all. I recently spent an hour with a client answering questions about how secure their data will be once we move it to the cloud. And the very next day, that client asked me to give her a password that’s short and easy to remember.

We need to work with clients to strike the right balance. Sometimes they are the weakest link. And sometimes we get carried away. Many security experts spend most of their time trying to scare people into compliance. Other times, systems are so locked down that they are essentially unusable for clients.

Our role as IT professionals is to help clients make money, save money, or offer new services through the appropriate use of technology. We should not be viewed as part of the problem, or people who keep the clients from doing their job.

You’ve probably seen some extreme examples where a previous consultant has instituted so many group policy restrictions that you can’t unwrap the spaghetti of overlapping policies to actually help the client get their job done. At the other end of the spectrum, we’ve probably all had a client whose password has been their child’s name – and they’ve not changed it for the past eight years.

With that in mind, here are five tips for creating a balanced approach to network security.

1. Create a reasonable password policy – and enforce it

As strange as it sounds, managed service providers (MSPs) tend to do two conflicting things with passwords. On one hand, they create draconian password policies (extremely long, complicated passwords that can never be reused, etc.). On the other hand, they make exceptions for the boss, owner, or partners. So the most important people in the company end up with the weakest passwords.

We like to see passwords changed about once a month. That’s 12 a year. To be honest, on a well-secured Windows system you can make this four times a year or maybe even once a year. Passwords should be long enough (10-12 characters minimum), but recent research shows that most of the “complicated” requirements are no more effective than just having a longer passphrase. We encourage clients to use two or three simple words with spaces in between and throw in a number here or there. 

For example, “Super Tasty F00d” scores 100% at passwordmeter.com even though it does not have a special character. The random character password “Q1a6qRu!” only scores 82% – and no one will ever remember it!

2. Use a good, commercial antivirus program and keep it updated

Free antivirus programs might be good enough for home use or for very careful clients. But if you spend a lot of time dealing with viruses, you should consider the possibility that your collection of freeware tools is not performing as well as a brand-name for-pay alternative.

In the big picture, no one saves money by using free tools that don’t quite get the job done. If you’re charging clients to maintain their systems, you should use quality tools. The best way for you to save money on this front is to use a tool that’s centrally managed and always up to date.

3. Never let users log on as administrators. Period

This gets back to clients wanting everything to be easy and for you to get out of their way so they can do their jobs. But with a modern operating system, properly patched, virtually 100% of viruses require administrative privileges to run. Even with “elevated privileges,” a non-administrator cannot install these programs.

You can create a local administrator-level account and tell users to put in those credentials if they really need to install something. That way, when something pops up in front of them, they have to stop and think, “Do I really want to do this?” Combine this with some solid user education and the answer will always be “no”.

4. Perform regular maintenance on firewalls

Almost no one does this, and I don’t know why. Most routers are “set it and forget it.” But you can’t do that with firewalls. The bad guys aren’t just attacking desktops. The really talented ones are attacking firewalls. That means a) they’re looking for holes that need patching, and b) once they find them, it’s too late.

You probably don’t need to update firewalls every 30 days, but you should look at them at least once per calendar quarter. If you have a business-class firewall, it may have intrusion detection, antivirus, and other add-on features. Those should be updated monthly. When you have a single point of entry, the bad guys have only one way in, and they can pound on it until they succeed.

5. Keep group policies simple and effective

Some days, I think group policies are the worst thing ever invented. We’ve taken on new clients who had literally made their server unusable because they had instituted so many complicated group policies. Nowhere else does the KISS principle apply more: Keep it simple!

I’m a big advocate of documentation, so of course we document all group policies at client offices. The first question to answer for each one is: what is the purpose of this policy? Group policies are a great way to implement the password policy above, or to set account lockout parameters. Managing passwords themselves, however, is a bad idea. Group policies store passwords in a lightly encrypted (easy to crack) format. So don’t use group policies to reset passwords on all the local admin accounts on a domain.

The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security. Once you’ve got a handful of simple, easy-to-implement policies, it is very easy to enforce them consistently across all your clients.

© SolarWinds MSP Canada ULC and SolarWinds MSP UK Ltd.
All Rights Reserved.