Yes, powering down at night can save you money, and it can reduce your carbon footprint, but it sounds like you are trying to use this as a method of securing your network, which I would not suggest.
As far as powering down your systems, if you have a budget then use it. If you have management software, use that too. Many large networks use some sort of management software, either SMS or something similar. There are always tools available with this. Some good SMS add-ons can be found here: http://www.1e.com/Downloads/Index.aspx (no affiliation aside from that we use the software). These tools give you the option to only shut down computers which no one is logged into, or you can be more strict and force systems to shut down at a specific time, it is very flexible.
If you do not have any such thing and you do use AD then simply get creative with your policies. You can use power management policies which were mentioned earlier such as EZ GPO http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo or you can get creative with your logon scripts. Just be sure to test them first.
If you are simply trying to thwart viruses maybe you should look into a unified threat management appliance which can stop them at your gateway.
Many great recommendations have already been made and I believe the answer isn't quite as simple as you would like.
First, on the size network you are working on it would be easier for you to have all of the ports plugged in and to use a method such as a gateway device to control access if they all come through a central point (www.bradfordnetworks.com) as well as having decent access control to the buildings. For the physical access control, that is really only feasible in an area such as the server room or a similar smaller area that doesn't change as often. Many companies have the internet connections for their remote divisions as a WAN link through a corporate headquarters so they can manage it.
Secondly, you need to organize the network using VLANs and subnets in a way so that it is easy to control (hopefully this is already done). For example, division "abc" has subnet 172.17.100.XXX and division "def" has subnet 172.17.102.XXX...etc. Once this is in place you can control the traffic at each division using VLANs so you can have more granular control over it. In this method you can do things like send all of the wireless traffic through a particular security device.
Thirdly (and this is the big one), you need excellent management of IT at your company. If the users know they can be fired for installing a program or going to the wrong websites it will keep them on track and using their computer to do their job and not to promote their personal life.
Also, devices such as a proxy server that you can control where they go on the internet will help minimize risk by only allowing users to use their computer for their job. This as well as other devices that could detect a virus and "dead end" a user to a VLAN where they can't hurt anything (see www.bradfordnetworks.com again, although costly it really is a decent solution) are the type of investments that can save you down the road.
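The per-division subnet plan described in the post above can be audited as a default-deny segmentation policy. This is an added example, not part of the original post: the /24 masks, VLAN IDs, the wireless segment, the allowed-path list and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed plan: the post names 172.17.100.XXX and 172.17.102.XXX; the /24
# masks, VLAN IDs and the wireless segment are assumptions for this example.
PLAN = {
    "abc": {"vlan": 100, "subnet": "172.17.100.0/24"},
    "def": {"vlan": 102, "subnet": "172.17.102.0/24"},
    "wireless": {"vlan": 200, "subnet": "172.17.200.0/24"},
}
ALLOWED = {("abc", "def")}   # permitted inter-division paths; all others denied
INSPECTED = {"wireless"}     # segments that must traverse a security device

def overlaps(plan):
    """Return pairs of segments whose subnets overlap (a planning error)."""
    nets = [(n, ipaddress.ip_network(p["subnet"])) for n, p in plan.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def segment_of(addr, plan):
    """Map an IP address to the segment that owns it, or None."""
    ip = ipaddress.ip_address(addr)
    for name, p in plan.items():
        if ip in ipaddress.ip_network(p["subnet"]):
            return name
    return None

def audit(flows, plan=PLAN):
    """Flag flows (src, dst, via_inspection) that violate the plan."""
    findings = []
    for src, dst, via_inspection in flows:
        s, d = segment_of(src, plan), segment_of(dst, plan)
        if s is None:
            findings.append((src, dst, "source outside any planned subnet"))
        elif s in INSPECTED and not via_inspection:
            findings.append((src, dst, f"{s} traffic bypassed inspection"))
        elif d is not None and s != d and (s, d) not in ALLOWED:
            findings.append((src, dst, f"{s} -> {d} not permitted"))
    return findings

SAMPLE_FLOWS = [  # constructed sample data
    ("172.17.100.10", "172.17.102.5", False),   # abc -> def, allowed
    ("172.17.102.5", "172.17.100.10", False),   # def -> abc, not allowed
    ("172.17.200.7", "203.0.113.9", False),     # wireless skipping inspection
    ("172.17.200.8", "172.17.100.10", True),    # inspected, but path not allowed
    ("10.9.9.9", "172.17.100.10", False),       # address outside the plan
    ("172.17.100.11", "172.17.100.12", False),  # intra-division, fine
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```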
"If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon."
That is a great theory except it never works that way. You need to give them some sort of guidelines to follow (6-20 char + a number). If you don't give them any guidelines they tend to make it as easy as they can, depending of course on the nature of the person. I have seen top accountants use their initials as their password to the accounting DB and have Windows save it because they didn't like to type it. I give biometrics a thumbs up in that respect. You can always count on the end user to do the stupid thing.
Best of luck to you.