Slashdot Mirror


Cutting Security To Cut Costs?

just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the helpdesk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"

8 of 124 comments

  1. I've been through exactly the same. by Anonymous Coward · · Score: 4, Interesting

    I've been through exactly the same. Problems with passwords vanished within weeks as everything was swapped over. Then, piece by piece, random pain in the fucking ARSE problems with other users fucking with fileserver files grew into a major problem. Users saved files anywhere they could with no restrictions. Other users who 'claimed' parts of the server space as their own threw out files that appeared there from other users. Management, however, are still happy with their decision to cut security like this, despite nobody having a clue where anything is.

    Am I bitter about it? To the point of quitting the instant I can. Thank god I'm not running the servers.

  2. How about this? by Kaeru+the+Frog · · Score: 2, Interesting

    Keep the passwords and charge anyone who forgets theirs twenty dollars.

  3. *sigh* by skinfitz · · Score: 5, Interesting

    Unfortunately this is a fact of IT - there are those who don't understand the need for IT security, which means that you are reduced to working at their level.

    How many times have you heard this one?

    (Regarding a server that is connected to the net for FTP / SSH) "But who would want to hack our server?"

    I've often found that lusers actually do understand security concepts; however, as soon as a computer is concerned, they are thrown out of the window. For example:

    Me: "Tell me - do you drive a car?"
    Luser: "Yes"
    Me: "And does anyone have a specific grudge against you? Would they specifically want to steal your car?"
    Luser: "No!"
    Me: "So do you lock your car after you park it somewhere?"
    Luser: "Of course I do!"
    Me: "So if no one wants to steal your car, why do you lock it?"

    I've found they can't answer that one.

    The real issue is that people just can't use computers. What would solve the problem would be some form of transparent biometric authentication. Think about how we as human beings authenticate people - we do it all the time, from speaking to friends on the phone to making a transaction at the bank. If speaking to someone you know, you don't use a password - you know what your friend looks, sounds and behaves like, and this is used for "authentication". With a bank, you may not know the person you are about to hand over all your cash to; however, because the bank is a big building in the location it's in, you know that it can be "trusted" due to its physical location.

    Regarding passwords with Windows 2000, there are alternatives to this. The simple one is to let them have no password, but make it so that their account can only log on from their computer. That will seriously limit the abuse that can happen. Alternatively, just quietly delete all your CEO's MP3s and mail abusive messages and pr0n using his account - he'll soon wake up.
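The "only log on from their own computer" restriction mentioned above is the Active Directory "Log On To" (LogonWorkstations) attribute. The following is an added example, not code from the original poster or from the thread: it pins a user to one workstation and then audits the domain for accounts that have neither a password requirement nor such a restriction, which is the combination the poster is worried about. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses a hypothetical account "jsmith" with a hypothetical PC named "JSMITH-PC"; both names are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and that "jsmith" / "JSMITH-PC" are placeholders
# for a real account and its workstation.
Import-Module ActiveDirectory

$user        = 'jsmith'       # hypothetical sAMAccountName
$workstation = 'JSMITH-PC'    # hypothetical NetBIOS name of the user's own PC

# 1. Restrict the account to its own workstation. This is the same setting
#    as the "Log On To..." button in Active Directory Users and Computers;
#    several machines can be listed, comma-separated.
Set-ADUser -Identity $user -LogonWorkstations $workstation

# Confirm the attribute was written.
Get-ADUser -Identity $user -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# 2. Audit: enabled accounts flagged "Password not required"
#    (UF_PASSWD_NOTREQD, bit 0x0020 of userAccountControl) that are NOT
#    pinned to any workstation can be used from any machine on the domain.
$exposed = Get-ADUser -Filter { PasswordNotRequired -eq $true -and Enabled -eq $true } `
                      -Properties PasswordNotRequired, LogonWorkstations |
           Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
           Select-Object SamAccountName, DistinguishedName

if ($exposed) {
    Write-Warning ("{0} enabled account(s) have no password requirement and no workstation restriction:" -f @($exposed).Count)
    $exposed | Format-Table -AutoSize
} else {
    'No enabled account is both password-optional and unrestricted.'
}
```

On a Windows 2000-era domain without PowerShell the first step is the classic `net user jsmith /workstations:JSMITH-PC /domain`. Note that the Log On To restriction is checked at interactive logon; before treating it as a replacement for a password, verify on your own domain what a blank-password account can still reach over the network (shares, mail) from a machine that is not on its list.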

  4. What's better than no password? by Anonymous Coward · · Score: 2, Interesting

    ONE PASSWORD!

    Yes, that's right, retain some security while still making it super easy on everyone. Perhaps you could even change the password monthly... to the name of the month! (Although that might confuse some people and create more problems.)

    Anyway, one password for every user is the compromise that will make everyone happy.

  5. Re:security policies by sigwinch · · Score: 3, Interesting

    Even better way: bill the user $20 a pop. People magically get more careful when it's their money that's being pissed away.

    --
    Kuro5hin.org: where the good times never end. ;-)

  6. Message from the CEO by martin · · Score: 3, Interesting

    OK, so here's what no passwd will give you.

    Complete and utter ability to impersonate your upper management, send out emails supposedly from them and read all their files (assuming you're running AD for NT domains and the email uses the AD etc. for authentication)....

    What other risks to the business can you think of -

    the cleaner can get in as anyone...
    people can update documents they aren't supposed to..

    the list goes on.

  7. Re:security policies by Clover_Kicker · · Score: 4, Interesting

    >Surely the most sensible way of sorting this out
    >would be to have a trusted member of staff in each
    >building/department/whatever with the authority to
    >reset passwords. Note, I said *reset* passwords -
    >not the ability to read them.

    I once worked at a place where getting your mainframe password reset required getting your manager to sign a form. You took this form down to the data center, where a smirking operator would reset the password.

    This is excellent psychology - the user has to interrupt their manager to explain that he/she/it is a bonehead, please sign this form.

    So now you've embarrassed the user, and better yet, the boss is annoyed at the user! If the user is a repeat offender, the boss doesn't get mad at those evil IT guys and their password policies, he gets mad at the bonehead who can't remember their password and keeps bothering them. Ah, sweet justice.

  8. Here's a cheap and semi-secure solution by Muad'Dave · · Score: 3, Interesting
    Set up a web portal that the users use to request their password. Have it send their password to a "dectalk" (voice synth + phone dialer) that dials their voicemail account and speaks the letters of their password. This provides some security, since they still need their voicemail PW. It will also alert a person if someone tried to get their password - an unexpected PW message will appear on their phonemail.

    You can get by with only one dialer 'cause you can just batch up the requests and do them sequentially. I'm sure there are a jillion ways to get the telephony/voice synth part working. There's Bayonne, etc. Since you're only talking about letters, numbers, and punctuation, you could just have someone read the letters into WAV/MP3 files and stream them into a voicemodem. Just a thought!

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.