Banks are not very good examples. I have worked with
several financial institutions and they are some of the slowest to upgrade,
patch, and secure environments. The primary reason for a lot of that is cost to
implement and cost to support. I expect that if they forced accounts to
expire on web access their help desk support costs would go up 80%+. They don't
feel a need to do that with customer accounts because of the following
point...
Your comparison is flawed. You are talking about government
documents that I would assume are important to multiple people in the government
and not a single person and any loss would impact some portion of the
organization, not a single person. On the other hand, the money in the bank
protected by your password is all yours and any loss is all yours. The
bank doesn't care that your account was cleared out by your son-in-law or
your estranged wife or by you. If they somehow have your password, they are for
all intents and purposes *you* to the bank. You have no legs to stand on if your
argument is the bank didn't make you change the password...
If that reason for not expiring passwords had legs, no one
would be expiring passwords and it probably wouldn't even be a feature. As it
is, I have heard many hushed rumours about successful information disclosure
attacks that hinged on non-expiring passwords. Everything from operating system
source code to intellectual property secrets to project plans to product designs
to org charts.
At a minimum what you need to do is go to the folks who own
the actual data and will experience the pain and embarrassment if
the secured data is compromised and get their security requirements
and then implement them. If they don't have security requirements I would
recommend having your lawyers look at your service contract with them to find
out what they can sue you for and make sure there is nothing in there about data
integrity/quality/security/accurate auditing/etc.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: [email protected]
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP
Hi,
I have a SharePoint site for a client; it is driving me crazy because the sales
people are telling me that the users for this site can't have their passwords
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.
How big of a security risk is not having passwords expiring? It seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X days. Good point.
Something I was thinking is having SharePoint authenticate with their
LDAP server; is this possible to do? Can anybody point to a URL on how to do
this?
thanks
Rezuma
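The thread argues about how much risk non-expiring passwords carry and ends with "get the data owner's requirements and implement them". The first step in implementing a maximum-password-age requirement against an LDAP directory is being able to measure it. The following audit is an added example, not code from either poster or from SharePoint; it assumes Active-Directory-style attributes (userAccountControl with the DONT_EXPIRE_PASSWD bit 0x10000, and pwdLastSet as a Windows FILETIME), runs over constructed account records rather than a live directory, and reports which accounts would violate a given maximum age.

```python
from datetime import datetime, timedelta, timezone

# Assumed Active-Directory-style attribute semantics (not from the thread):
# userAccountControl bit 0x10000 = DONT_EXPIRE_PASSWD; pwdLastSet is a Windows
# FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and 0 means the user
# must change the password at next logon.
DONT_EXPIRE_PASSWD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Convert an aware UTC datetime to a FILETIME tick count."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def audit_password_ages(accounts, max_age_days, now):
    """Return (account, reason, age_in_days) for every account that would
    violate a max-password-age policy of max_age_days, evaluated at `now`."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = int(acct["userAccountControl"])
        last_set = int(acct["pwdLastSet"])
        if uac & DONT_EXPIRE_PASSWD:
            # Flag set: the directory will never force a change, whatever the policy says.
            findings.append((name, "never-expires flag set", None))
            continue
        if last_set == 0:
            # Change already pending; worth listing so the owner can confirm it happens.
            findings.append((name, "password change pending", None))
            continue
        age = now - filetime_to_datetime(last_set)
        if age > timedelta(days=max_age_days):
            findings.append((name, "password older than policy", age.days))
    return findings


# Constructed sample records, evaluated on the thread's date (hypothetical users).
NOW = datetime(2006, 9, 19, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "pwdLastSet": 0},
]


def run_sample_audit(max_age_days=90):
    """Audit the constructed records against a 90-day policy."""
    return audit_password_ages(SAMPLE_ACCOUNTS, max_age_days, NOW)


if __name__ == "__main__":
    for name, reason, age in run_sample_audit():
        print(f"{name}: {reason}" + (f" ({age} days)" if age is not None else ""))
```

Against a live directory the same function can be fed the results of an LDAP search that returns sAMAccountName, userAccountControl and pwdLastSet; the point of the pwdLastSet conversion is that the raw attribute is not a Unix timestamp and is easy to misread by a factor of ten. Accounts with the never-expires flag are reported regardless of age, because that flag overrides the domain's maximum-age policy.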
