Password Tips for Businesses

This year Microsoft made a very public statement about how they are fundamentally changing how passwords will work in Microsoft Windows 10 going forward. Most significant is that they are dropping the password expiration recommendation. This brings their recommended policies closer to what NIST has also published on this topic. On the one hand, this brings a collective sigh of relief from the many end-users who are vexed by the dreaded “you must change your password in 14 days”…13 days…11 days… On the other hand, forced expiration was previously seen as ‘low hanging fruit’: any IT consultant could come in, perform a security audit, and point out that the business doesn’t force its users to change their passwords.

There are many reasons for the recent change in direction by both Microsoft and NIST, but the biggest, I propose, is that the threats to passwords have fundamentally changed in recent years. There is a good chance your email account is already known to hackers, and, moreover, that your password is known to them too. As of today over half a billion unique passwords have been compromised, and the ability to hack or compromise a password is far easier than it ever has been.

The biggest thing these shifts by Microsoft and NIST demonstrate is that a ‘good enough’ approach to security simply isn’t. Arbitrarily forcing users to change their passwords doesn’t make them more or less secure, and it has been argued that it often makes them less secure as users work harder to find ways to remember their passwords. Is ‘Th0rsHammer2’ any more secure than ‘Th0rsHammer1’? Likely not, but research consistently shows that is exactly what happens. Let’s step back and understand why we even consider changing passwords frequently. The fundamental reason is that a password becomes exposed, known to bad actors. The theory used to be that exposure was unlikely, but just in case, changing passwords frequently would reduce the impact. Nowadays we know better: it isn’t a question of “if” but “when”. The follow-up question is, once your password is compromised, how long do the bad guys need? Even the half-life of the typical 90-day forced password change is 45 days, more than enough time to do damage.

The new model focuses on two elements:

  1. End-user education: this primarily focuses on identifying threat vectors such as phishing attempts, but also on how to choose a good password and avoid password reuse.
  2. Detection of compromise: this one is more technologically involved. It requires advanced threat detection to identify potentially compromised accounts or servers, and then uses that signal to force a password change.


Recommended Action Items for SOHO (Small Office, Home Office)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same.
  2. Ensure that every computer has a password required to log in — no accounts should be password exempt.
  3. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account.
  4. Consider using a Two-Factor Authentication (2FA) system whenever possible such as Microsoft Authenticator.
  5. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  6. Pay attention to data breaches of large companies. Consider forcing password resets when such an event occurs, because there is a high likelihood your users are reusing the same password at such large companies (LinkedIn, Yahoo, etc.) and on your network.

Recommended Action Items for Small Business (10-50 employees)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same. Train them to use password managers instead of sticky notes or Excel files with passwords written in the clear.
  2. All systems should be domain-joined with password policies in place, ensuring that all accounts have strong and long passwords. Remove your periodic forced password reset (expiration) policy.
  3. Audit your existing use of role accounts, automatic login accounts, shared accounts, etc. Whenever possible eliminate such accounts so there is a one-to-one audit trail back to a specific user. When role or shared accounts are needed, they should generally have far fewer rights than normal users, and policies need to be in place to reset their credentials upon any employee change.
  4. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account. Professional versions permit the ability to share passwords when needed.
  5. Consider using a Two-Factor Authentication (2FA) system whenever possible such as Microsoft Azure AD MultiFactor Authentication.
  6. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  7. Pay attention to data breaches of large companies. Consider forcing password resets when such an event occurs, because there is a high likelihood your users are reusing the same password at such large companies (LinkedIn, Yahoo, etc.) and on your network.


Recommended Action Items for Medium Business (51+ employees)

  1. All the items listed for Small Business PLUS:
  2. Ensure that all public-facing websites exposing corporate resources (webmail, website, extranet, client portals, etc.) implement technologies like a WAF, Fail2Ban, and more. Those resources should be placed in your DMZ, which is isolated from your local network and uses completely different administrative credentials.
  3. Implement outbound traffic filtering, including DLP (Data Loss Prevention), Advanced Threat Protection and content filtering.
  4. Consider implementing password auditing tools which compare your network passwords against the known password breaches.
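Two of the checks argued for above, refusing a “rotation” that only bumps a counter (the Th0rsHammer1 to Th0rsHammer2 problem) and auditing passwords against a corpus of known breaches (item 4), as an added Python example that is not code from the original post. The breach corpus is constructed for the example and the breach server is simulated in-process; the lookup follows the k-anonymity range-query pattern used by the Pwned Passwords API (send only the first five hex characters of the SHA-1 hash, match the suffix locally), so the audited password never leaves the client. A real auditing tool would query a live breach feed in place of the constructed corpus.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample breach corpus (password -> number of times seen).
# Not real data; a production tool would load a breach feed instead.
BREACHED_PASSWORDS = {
    "password": 3_000_000,
    "letmein": 400_000,
    "Summer2019!": 1_500,
    "Th0rsHammer1": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest breach feeds index by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Simulated server-side index: 5-hex-char prefix -> {35-char suffix: count}.
RANGE_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_query(prefix: str) -> dict[str, int]:
    """Simulated breach server: return every suffix stored under a 5-char prefix."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: only the hash prefix is sent; the match is made locally."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


def normalise(password: str) -> str:
    """Reduce a password to its core so counter bumps and leet-speak collapse.

    Trailing digits/symbols are dropped and common substitutions reversed:
    Th0rsHammer1 -> thorshammer, Th0rsHammer2 -> thorshammer, P@ssw0rd! -> password
    """
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(str.maketrans("0134@$!|", "oieaasil")).lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if b is reachable from a by one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):  # substitution consumes a character from both
            i += 1
        j += 1                # insertion consumes one from the longer string
    return edits + (len(b) - j) <= 1


def is_trivial_variant(old: str, new: str) -> bool:
    """Reject a rotation that merely tweaks the previous password."""
    return old == new or normalise(old) == normalise(new) or within_one_edit(old, new)


def audit_change(old: str, new: str, min_length: int = 14) -> list[str]:
    """Return the reasons a proposed change should be refused (empty list = accept)."""
    problems: list[str] = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_trivial_variant(old, new):
        problems.append("trivial variant of the previous password")
    seen = breach_count(new)
    if seen:
        problems.append(f"appears {seen} times in the breach corpus")
    return problems


if __name__ == "__main__":
    for old, new in [
        ("Th0rsHammer1", "Th0rsHammer2"),
        ("Th0rsHammer1", "Summer2019!"),
        ("Th0rsHammer1", "correct horse battery staple"),
    ]:
        verdict = audit_change(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {'; '.join(verdict)}")
```

The same `audit_change` logic can run as a batch audit over a directory's password hashes (where the breach feed is keyed by the same digest) rather than at change time; the point is that the breach lookup and the variant check are cheap enough to apply to every account, which is what makes “detect compromise, then force a reset” workable in place of blanket expiration.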


The above lists are based purely on the topic of password-related security, and there are many additional security matters in general which need to be professionally assessed by any business. 


First 10 things I do to a new computer

If you’re like me, any time you get your hands on a new computer there are a handful of things you do to it, whether the computer is for your own use or for someone else. Here are the top 10 things I do:

  1. If there is trialware software, I remove it, especially if it is anti-virus software! Clean up all of the unneeded software.
  2. Run Microsoft Update to ensure the operating system is fully patched. Even newly shipped computers can need tens to over 100 updates!
  3. Visit the hardware manufacturer’s website, such as the Dell Support website, and check for updates to the BIOS and other hardware. As with #2 above, the vast majority of computers shipped directly from the manufacturer are running old BIOS and firmware.
  4. Install a web browser of choice – for me I install both Chrome and Firefox.
  5. Install a handful of standard apps every user needs:
    1. Adobe Acrobat Reader
    2. Java for Desktop Computers
    3. Adobe Flash Player (but you’ll need to do this for each browser you use)
    4. Adobe Shockwave Player (old, but some sites still require it)
    5. Adobe AIR Player (used on some sites)
    6. VLC (plays just about any media)
    7. Open Office (if you don’t own a copy of Microsoft Office)
    8. Virtual Drive Clone (lets you mount ISO as if they were CDs)
  6. Install any purchased or commercial software
  7. Download and install CCleaner, and run the registry cleanup utility. During the install I uncheck virtually all of the install options: I like this tool hidden, not actively running, and not even visible on the Start menu, and I run it manually from the “Program Files” directory. I prefer an uncluttered Start menu, so many utilities, especially on other people’s computers, I keep unlinked from the Start menu.
  8. Install Anti-virus software:
    1. I prefer commercial anti-virus software, and never recommend consumer-grade AV software for anyone
    2. If you don’t have access to commercial/business AV software, choose Microsoft Security Essentials, a lightweight, free, non-ad-driven anti-virus product
  9. Run disk defragmentation software, either Microsoft’s built-in utility or Diskeeper (highly recommended)
  10. Set up a non-administrative user account. If this is a domain-based workstation, then this is likely already taken care of, but for small workgroups, friends or family personal computers, I always set up two accounts: their “user” account and their “administrator” account. Both have passwords, typically the same password to make it easy for them. I have them always use the “user” account, and if appropriate set up the computer to auto-login to that account.

In the next article I will discuss some of the software tools I install on my own workstations as an administrator and power user.

Enjoy!

XenServer: APC Smart Shutdown

If you have the network modules for your APC Smart-UPS then you can use the embedded software to perform a smart shutdown. However, this method lets you shut down all virtual machines and the virtual host with a single serial cable attached to a physical server.

– Connect the APC UPS to a non-virtualized machine
– Install PowerChute
– Install XenCenter
– Create a default.cmd file (attached) which points to a batch file in the XenCenter directory
– Create a shutdown.bat file (attached) which shuts down the appropriate services, then the XenServer virtual machines, then the host
– In the PowerChute console, configure it to run the default.cmd file on the power event

