Mr. Rajagopalan,
      While the policies seem a little excessive it would be hard to
judge without knowing your specific situation.  I would recommend going
down to fewer characters and require one number.  I have found that the
more complex you require passwords to be, and the more often users are
forced to change them then the more likely it is that passwords will be
on sticky notes attached to the monitor.  If your security needs are
that great, then maybe you should look into something like biometrics or
smart cards, if not, then I might suggest you relax your restrictions a
little.
        As for the locking down of computers, in general I think it's
important to the company that the computers be working for employees and
that they aren't screwed up by people downloading cute software that is
potentially damaging to the computer.  Of course the #1 reason computers
exist is to increase productivity and if the computer is locked down
unnecessarily tight then they are not serving their purpose.  
        As for this specific user, it sounds like he thinks he should be
an administrator and obviously should not.  Users should not have to
defrag their computers (it should be handled by IT w/o user
intervention) nor should the user need any administrative functions.
While your policies do seem a little extreme, I think this user has
"issues" which are separate from the office computers.  I would forward
this to the head of the IT department and let them deal with it, if you
are the head, then I would talk with his boss and let him know that you
are willing to make sure that computers maximize this individual's
productivity but that most of his gripes are out of line and unless he's
part of the IT department should not be his concern.
        I would recommend the following changes: 1) minimum password
length 8 and at least one number.  2) changing password expiration to at
least 90 days (once per quarter).  3) if your organization requires
greater security moving to biometrics or similar non-password centric
solution  4) provide a 24 IT help number (even if it's a pager) so that
if a user locks themselves out it can be quickly resolved.
        "Who should have the upper hand - the User or the Policy ?"  --
Always whatever is in the company's best interest!  Users need computer
systems that work day in and day out.  Sometimes this means protecting
users from themselves by not allowing them to install software but if
policies get in the way of productivity they should be relaxed.  How
much access to give users is always a balancing act between IT
administration costs (with wide open policies) and lost productivity
costs (with overly aggressive policies).  

Just my thoughts.

--Andrew Duey, MCSE
Duey's Computer Service

E-mail: [EMAIL PROTECTED] 
Phone: (402) 730-4243
Fax: (707) 516-2889
Website: http://www.dueycs.com/


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of C.Rajagopalan
Sent: Sunday, July 28, 2002 10:32 PM
To: NT 2000 Discussions
Subject: OT: User Outbursts - How to handle ?


Hi !

We are a medium sized departmental network, with minimum administration
and security policies in place. Connected to the Win 2K DC are
predominantly Win 2K Pro boxes, with very few 9X machines. Our NW Admin
& Security Policy is a clear guideline, framed by a Committee including
the Management. Salient aspects of the approved Policy include min. 12
char complex passwd, to be changed every 30 days, cannot use last 12
passwds, only admin can install new programs, a/c locks after three
unsuccessful attempts, etc. While everyone in the Dept. is comfortable
with this arrangement, one User is not, and has shot off the following
email (I reproduce the excerpts only).

Focussing on the larger issues, I would like to know how your company
handles such a situation ? From an Admin point of view ? From a Security
point of view ? Are the policy features unreasonable ? Who should have
the upper hand - the User or the Policy ?

Would be happy to receive reactions and suggestions.

TIA,

C.Rajagopalan,
NW Admin

User Outburst (User Identity withheld)
==========================

[snip]

Now with your policies, it seems to me, we are like school kids,
entering DPEND every day, with a fear of getting a beating from the
Administrator, for not doing the homework (policies are updated
regularly with maximum hassles and minimum freedom for the user to use
his own PC).  It is like, if I have to enter my house, I need to go and
get the key from the Administrator! (Because I am not allowed to have a
key of my home!). I am not allowed to use any of my belongings in the
house without the presence of the Administrator! The NW policies mimic
the above situation. Users are not allowed to do even the
defragmentation job without the help from the administrator. We are
unable to update the scientific software, without the mercy of the
administrator!  By mistake if we type a wrong password on Friday
evening, we need to wait a few days for the arrival of the
Administrator! If we forgot to change the password, the PC is locked!
If we need to install small software, we need to wait for the
convenience of the administrator!  These are highly objectionable
policies.  Why to impose so many restrictions on the users?  The
individuals are allowed to manage their costly equipments worth Lakhs
and crores, without such restrictions, at their own risk!  They
sincerely keep the systems in healthy conditions. Department trust
their employees and give them full freedom to look after and maintain
the systems/equipments/labs. After all, why we need to open up the PC's
for the administrator. The present policy would only help the
administrator to be the King and everyone needs to be at his Mercy.
There are absolutely no benefits other than that.

I do not understand what we benefit from all these controls?  It is
quite easy to say that all these measures are for keeping the virus
out. But someone can easily send a virus file from outside. Or someone
can bring a file from another infected PC. Then the PC is affected! NO
virus packages can guarantee full protections to the PC's. Then why do
we blame the virus, for each and everything!

In brief, the network policies are really unwanted and the users are
wasting lots of their precious time to satisfy the requirements and
policies of the administrators rather than their own benefits.  E.g.:
DPEND LAN can not be accessed by others. Why do we need to change the
passwords every month? That too with the maximum complications? (14
character, no previous 13 passwords etc..)  Who are you afraid of?  Do
you fear the DPEND users so much?  What is the necessity of locking the
PC for 760hrs? After all there are many options available in the
Administrator set up of Windows 2000, and you have chosen the worst
option, which no other Administrator ever opted for.  While the
Administrator has NO faith in the users (e.g.: password policy), the
users have to blindly trust the administrator!

[snip]

================




------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%

