Yes; it all boils down to risk management. In an environment with sensitive information, or one regulated by SOX/HIPAA/whatever, a shorter time might be a better option for mitigating the specific scenario I mentioned. Frankly, I think stolen creds and disgruntled current employees are a bigger threat than externally mined creds. If fred steals john's creds and uses them to store p*rn or steal customer info or send spoofed emails, the security options you mentioned don't help. Managing the risk by determining an "acceptable" time frame is one tool available out of many. It may be that a 30-day (or whatever) time frame is acceptable because it would cost too much (either in money or convenience) to make things any tighter.
In an environment with limited sensitive data, a longer change interval (or none) is much more acceptable. Management-level risk management is a necessity these days. You can't set effective policies without knowing your tolerance for specific risks. If you want to monitor or tighten things more closely, you have to be willing to spend more money or inconvenience your workers. Was it Steve Riley who had the triangle: security, convenience, low cost. Pick two...

***********************
Charlie Kaiser
Kingman, AZ
***********************

> -----Original Message-----
> From: Andrew S. Baker
> Sent: Friday, April 16, 2010 12:47 PM
> To: NT System Admin Issues
> Subject: Re: please don't change your password!
>
> Again, how much risk are you mitigating in 30 days vs 60?
> (Or 15 vs 30-45?) Even a week of such access is far too long.
>
> This problem is mitigated by properly off-boarding employees
> such that old accounts are disabled in a timely fashion, and
> tracking logon usage so that off-hours account usage of
> active accounts is noticed promptly.
>
> In this particular case, the technology makes the choice
> between option A and option B trivial, but that's not always
> true, and so we spend a great deal of time tackling items
> that add no measurable benefit.
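The quoted reply names two controls that do the real work regardless of the password-change interval: disabling accounts promptly at off-boarding, and watching for off-hours use of accounts that are still active. The script below is an added example (not code from either poster or from the list) showing what both checks look like over logon records. The records, the account names, the "still enabled" account list and the 07:00-19:00 Monday-to-Friday business window are all constructed for the example; in a real domain the records would be built from Security event 4624 on the domain controllers and the enabled-account list from the directory.

```python
"""Flag off-hours interactive logons and enabled-but-idle accounts.

Added example for the two controls mentioned in the quoted reply; the
records, account names and business-hours window below are constructed
for illustration (not real data from the list or any real domain).
"""
from datetime import datetime, time, timedelta

# Assumed business-hours window: 07:00-19:00, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
# Windows logon types worth alerting on when they occur after hours:
# 2 = console (Interactive), 10 = RemoteInteractive (RDP). Type 3 (Network)
# fires for routine file-share and service traffic at all hours, so it is
# excluded to keep the alert actionable.
INTERACTIVE_TYPES = {2, 10}

# Constructed records in the shape a script would build from Security event
# 4624: timestamp, account, workstation, logon type.
SAMPLE_LOGONS = """\
2010-04-16T09:12:03 john WKS-17 2
2010-04-16T17:45:10 john WKS-17 2
2010-04-16T23:58:41 john WKS-44 10
2010-04-17T02:15:09 fred SRV-FILE 3
2010-04-17T02:20:00 fred WKS-02 2
2010-03-01T10:00:00 mary WKS-09 2
"""

# Constructed list of accounts that are still enabled in the directory.
ENABLED_ACCOUNTS = {"john", "fred", "mary", "bob"}
# "Now" is pinned so the example is reproducible (Saturday, 17 April 2010).
NOW = datetime(2010, 4, 17, 12, 0, 0)


def parse_logons(text):
    """Parse whitespace-separated records into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type = line.split()
        events.append({
            "when": datetime.fromisoformat(ts),
            "account": account.lower(),
            "host": host,
            "type": int(logon_type),
        })
    return events


def is_off_hours(when):
    """True on weekends or outside the business-hours window."""
    if when.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def off_hours_logons(events):
    """Interactive logons that happened outside business hours."""
    return [e for e in events
            if e["type"] in INTERACTIVE_TYPES and is_off_hours(e["when"])]


def stale_enabled_accounts(events, enabled, now, max_idle_days=14):
    """Enabled accounts with no logon in the window (or none at all).

    These are the off-boarding misses: still enabled, nobody using them.
    Returns (account, last_seen) pairs; last_seen is None if never seen.
    """
    last_seen = {}
    for e in events:
        prev = last_seen.get(e["account"])
        if prev is None or e["when"] > prev:
            last_seen[e["account"]] = e["when"]
    cutoff = now - timedelta(days=max_idle_days)
    return [(acct, last_seen.get(acct)) for acct in sorted(enabled)
            if last_seen.get(acct) is None or last_seen[acct] < cutoff]


def run_checks():
    """Run both checks over the sample data; returns printable tuples."""
    events = parse_logons(SAMPLE_LOGONS)
    flagged = [(e["when"].isoformat(), e["account"], e["host"], e["type"])
               for e in off_hours_logons(events)]
    stale = [(acct, seen.isoformat() if seen else None)
             for acct, seen in stale_enabled_accounts(events, ENABLED_ACCOUNTS, NOW)]
    return flagged, stale


if __name__ == "__main__":
    flagged, stale = run_checks()
    print("Off-hours interactive logons:")
    for row in flagged:
        print("  ", *row)
    print("Enabled accounts idle > 14 days (off-boarding candidates):")
    for acct, seen in stale:
        print("  ", acct, seen or "never")
```

On the sample data the first check flags john's RDP logon at 23:58 on a Friday from a workstation he does not otherwise use, and fred's console logon at 02:20 on Saturday; fred's type-3 network logon at 02:15 is deliberately not flagged, since network logons are noisy around the clock. The second check lists bob (enabled, never logged on) and mary (enabled, last seen six weeks ago) as accounts someone should have disabled. Both checks are cheap to run daily and address the scenario in the thread directly, which a shorter password interval does not.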
