{"id":6243,"date":"2016-06-07T19:09:16","date_gmt":"2016-06-07T18:09:16","guid":{"rendered":"https:\/\/www.n-able.com\/?p=6243"},"modified":"2021-04-09T19:24:28","modified_gmt":"2021-04-09T18:24:28","slug":"do-we-go-overboard-security","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security","title":{"rendered":"Do we go overboard with security?"},"content":{"rendered":"<p>Many clients hate long and complex passwords. They want secure systems, but they don\u2019t want to have to do anything to secure their network \u2013 they want us to do it all. I recently spent an hour with a client answering questions about how secure their data will be once we move it to the cloud. And the very next day, that client asked me to give her a password that\u2019s short and easy to remember.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\" alt=\"toomuchsecurity.jpg\" width=\"289\" height=\"289\" align=\"right\" hspace=\"5\" \/>We need to work with clients to strike the right balance. Sometimes they are the weakest link. And sometimes we get carried away. Many security experts spend most of their time trying to scare people into compliance. Other times, systems are so locked down that they are essentially unusable for clients.<\/p>\n<p>Our role as IT professionals is to help clients make money, save money, or offer new services through the appropriate use of technology. We should not be viewed as part of the problem, or people who keep the clients from doing their job.<\/p>\n<p>You\u2019ve probably seen some extreme examples where a previous consultant has instituted so many group policy restrictions that you can\u2019t unwrap the spaghetti of overlapping policies to actually help the client get their job done. 
At the other end of the spectrum, we\u2019ve probably all had a client whose password has been their child\u2019s name \u2013 and they\u2019ve not changed it for the past eight years.<\/p>\n<p>With that in mind, here are five tips for creating a balanced approach to network security.<\/p>\n<h2>1. Create a reasonable password policy \u2013 and enforce it<\/h2>\n<p>As strange as it sounds, managed service providers (MSPs) tend to do two conflicting things with passwords. On one hand, they create draconian password policies (extremely long, complicated passwords that can never be reused, etc.). On the other hand, they make exceptions for the boss, owner, or partners. So the most important people in the company end up with the weakest passwords.<\/p>\n<p>We like to see passwords changed about once a month. That\u2019s 12 a year. To be honest, on a well-secured Windows system you can make this four times a year or maybe even once a year. Passwords should be long enough (10-12 characters minimum), but recent research shows that most of the \u201ccomplicated\u201d requirements are no more effective than just having a longer passphrase. We encourage clients to use two or three simple words with spaces in between and throw in a number here or there.<\/p>\n<p>For example, \u201cSuper Tasty F00d\u201d scores 100% at passwordmeter.com even though it does not have a special character. The random character password \u201cQ1a6qRu!\u201d only scores 82% \u2013 and no one will ever remember it!<\/p>\n<h2>2. Use a good, commercial antivirus program and keep it updated<\/h2>\n<p>Free antivirus programs might be good enough for home use or for very careful clients. But if you spend a lot of time dealing with viruses, you should consider the possibility that your collection of freeware tools is not performing as well as a brand-name for-pay alternative.<\/p>\n<p>In the big picture, no one saves money by using free tools that don\u2019t quite get the job done. 
If you\u2019re charging clients to maintain their systems, you should use quality tools. The best way for you to save money on this front is to use a tool that\u2019s centrally managed and always up to date.<\/p>\n<h2>3. Never let users log on as administrators. Period<\/h2>\n<p>This gets back to clients wanting everything to be easy and for you to get out of their way so they can do their jobs. But with a modern operating system, properly patched, virtually 100% of viruses require administrative privileges to run. Even with \u201celevated privileges,\u201d a non-administrator cannot install these programs.<\/p>\n<p>You can create a local administrator level account and tell users to put in those credentials if they really need to install something. That way, when something pops up in front of them, they have to stop and think, \u201cDo I really want to do this?\u201d Combine this with some solid user education and the answer will always be \u201cno\u201d.<\/p>\n<h2>4. Perform regular maintenance on firewalls<\/h2>\n<p>Almost no one does this, and I don\u2019t know why. Most routers are \u201cset it and forget it.\u201d But you can\u2019t do that with firewalls. The bad guys aren\u2019t just attacking desktops. The really talented ones are attacking firewalls. That means a) they\u2019re looking for holes that need patching, and b) once they find them, it\u2019s too late.<\/p>\n<p>You probably don\u2019t need to update firewalls every 30 days, but you should look at them at least once per calendar quarter. If you have a business-class firewall, it may have intrusion detection, antivirus, and other add-on features. Those should be updated monthly. When you have a single point of entry, the bad guys have only one way in, and they can pound on it until they succeed.<\/p>\n<h2>5. Keep group policies simple and effective<\/h2>\n<p>Some days, I think group policies are the worst thing ever invented. 
We\u2019ve taken on new clients who had literally made their server unusable because they had instituted so many complicated group policies. Nowhere else does the KISS principle apply more: Keep it simple!<\/p>\n<p>I\u2019m a big advocate of documentation, so of course we document all group policies at client offices. The first question is:\u00a0<b>Purpose of this policy?<\/b>\u00a0Group policies are a great way to implement the password policy above, or to set account lockout parameters. Managing passwords themselves, however, is a bad idea. Group policies store passwords in a lightly encrypted (easy to crack) format. So don\u2019t use group policies to reset passwords on all the local admin accounts on a domain.<\/p>\n<p>The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security. Once you\u2019ve got a handful of simple, easy-to-implement policies, it is very easy to enforce them consistently across all your clients.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.<\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-6243","post","type-post","status-publish","format-standard","hentry","topic-msp-business"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Do we go overboard with security? 
- N-able<\/title>\n<meta name=\"description\" content=\"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Do we go overboard with security? - N-able\" \/>\n<meta property=\"og:description\" content=\"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\" \/>\n<meta property=\"og:site_name\" content=\"N-able\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/NableMSP\" \/>\n<meta property=\"article:published_time\" content=\"2016-06-07T18:09:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-09T18:24:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\" \/>\n<meta name=\"author\" content=\"Karl Palachuk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Nable\" \/>\n<meta name=\"twitter:site\" content=\"@Nable\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Karl Palachuk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minuti\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\"},\"author\":{\"name\":\"Karl Palachuk\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f2c747293642b795bef2dd9ca2c4b1c3\"},\"headline\":\"Do we go overboard with security?\",\"datePublished\":\"2016-06-07T19:09:16+01:00\",\"dateModified\":\"2021-04-09T18:24:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\"},\"wordCount\":1002,\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\",\"articleSection\":[\"MSP Business\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\",\"url\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\",\"name\":\"Do we go overboard with security? 
- N-able\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\",\"datePublished\":\"2016-06-07T19:09:16+01:00\",\"dateModified\":\"2021-04-09T18:24:28+00:00\",\"description\":\"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage\",\"url\":\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\",\"contentUrl\":\"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"MSP Business\",\"item\":\"https:\/\/www.n-able.com\/it\/blog\/category\/msp-business\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Do we go overboard with 
security?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.n-able.com\/it\/#website\",\"url\":\"https:\/\/www.n-able.com\/it\/\",\"name\":\"N-able\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.n-able.com\/it\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\",\"name\":\"N-able\",\"url\":\"https:\/\/www.n-able.com\/it\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"contentUrl\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"N-able\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/NableMSP\",\"https:\/\/x.com\/Nable\",\"https:\/\/www.linkedin.com\/company\/n-able\",\"https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f2c747293642b795bef2dd9ca2c4b1c3\",\"name\":\"Karl Palachuk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g\",\"caption\":\"Karl 
Palachuk\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Do we go overboard with security? - N-able","description":"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security","og_locale":"it_IT","og_type":"article","og_title":"Do we go overboard with security? - N-able","og_description":"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl Palachuk.","og_url":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security","og_site_name":"N-able","article_publisher":"https:\/\/www.facebook.com\/NableMSP","article_published_time":"2016-06-07T18:09:16+00:00","article_modified_time":"2021-04-09T18:24:28+00:00","og_image":[{"url":"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg","type":"","width":"","height":""}],"author":"Karl Palachuk","twitter_card":"summary_large_image","twitter_creator":"@Nable","twitter_site":"@Nable","twitter_misc":{"Scritto da":"Karl Palachuk","Tempo di lettura stimato":"5 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#article","isPartOf":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security"},"author":{"name":"Karl Palachuk","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f2c747293642b795bef2dd9ca2c4b1c3"},"headline":"Do we go overboard with 
security?","datePublished":"2016-06-07T19:09:16+01:00","dateModified":"2021-04-09T18:24:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security"},"wordCount":1002,"publisher":{"@id":"https:\/\/www.n-able.com\/it\/#organization"},"image":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage"},"thumbnailUrl":"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg","articleSection":["MSP Business"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security","url":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security","name":"Do we go overboard with security? - N-able","isPartOf":{"@id":"https:\/\/www.n-able.com\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage"},"image":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage"},"thumbnailUrl":"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg","datePublished":"2016-06-07T19:09:16+01:00","dateModified":"2021-04-09T18:24:28+00:00","description":"The bottom line on security is that we need to have reasonable, simple policies that result in an effective approach to security, says Karl 
Palachuk.","breadcrumb":{"@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#primaryimage","url":"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg","contentUrl":"https:\/\/www.solarwindsmsp.com\/sites\/solarwindsmsp\/files\/toomuchsecurity.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.n-able.com\/it\/blog\/do-we-go-overboard-security#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"MSP Business","item":"https:\/\/www.n-able.com\/it\/blog\/category\/msp-business"},{"@type":"ListItem","position":2,"name":"Do we go overboard with security?"}]},{"@type":"WebSite","@id":"https:\/\/www.n-able.com\/it\/#website","url":"https:\/\/www.n-able.com\/it\/","name":"N-able","description":"","publisher":{"@id":"https:\/\/www.n-able.com\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.n-able.com\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/www.n-able.com\/it\/#organization","name":"N-able","url":"https:\/\/www.n-able.com\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/","url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","contentUrl":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","width":"1024","height":"1024","caption":"N-able"},"image":{"@id":"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/NableMSP","https
:\/\/x.com\/Nable","https:\/\/www.linkedin.com\/company\/n-able","https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw"]},{"@type":"Person","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f2c747293642b795bef2dd9ca2c4b1c3","name":"Karl Palachuk","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ad565b93f56558978f2cfe3c338b60e069901c986bb4278986319dda2d4d8902?s=96&d=mm&r=g","caption":"Karl Palachuk"}}]}},"_links":{"self":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts\/6243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/comments?post=6243"}],"version-history":[{"count":0,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts\/6243\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/media?parent=6243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}