So I work for a small IT consulting company, and my only superior is a guy who owns the company and is also the lead consultant. He's quite technically adept, a great problem solver, and he's got a lot of knowledge to draw on. He and I set up and maintain Windows domains, Small Business Servers, Exchange, desktops, and networks for several small to medium-sized companies, essentially being their offsite IT department. He's also absolutely TERRIBLE about password policies...
- He uses the same password for everything where he can. The password for ALL the admin accounts we use for 20-40 companies is the same.
- He also keeps the users' passwords in their domain accounts' description field.
- He has no problem asking users for their passwords and directing me to do the same.
- He will create passwords by a rule to vary them only when generating them for a large batch of users while setting up an AD environment; he doesn't use a very strong rule to vary them (he just throws their initials in there), sets them to never expire, prevents the users from changing them, and of course writes them down in the description field.
I don't know exactly how to impress upon him the importance of upping his security practice, so I'd love to hear some worst-case scenarios from you guys. We unfortunately don't do anything with the medical industry, so I can't throw any HIPAA documentation at his head, because that's the first place I would start.
Also, I haven't quite found it yet, but is there a way for people who are not domain admins to view another user's description in Active Directory? I feel like there probably is.
And remember, this is my boss, the owner of the company, and an otherwise technically proficient guy. It's just... the passwords... ugh...
CTO Securitard
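To answer the question in the post about whether a non-admin can read other users' description fields: yes. Under the default permissions in an Active Directory domain, Authenticated Users can read attributes such as `description` and `userAccountControl` on every user object, and the built-in System.DirectoryServices classes (the `[adsisearcher]` accelerator) make it a one-liner with no RSAT tools installed. The script below is an added example, not something from the original post; it assumes it is run on a domain-joined workstation as an ordinary domain user with default AD permissions, and the `LooksLikeSecret` heuristic is a made-up rule for illustration, not an authoritative password detector.

```powershell
# Added example (not from the original post). Run as an ordinary domain user on a
# domain-joined machine to see what a non-admin can read by default.
# Assumption: default AD object permissions (Authenticated Users can read
# description and userAccountControl). Uses [adsisearcher] (System.DirectoryServices),
# so the ActiveDirectory PowerShell module / RSAT is not required.

Write-Host "Querying as $env:USERDOMAIN\$env:USERNAME"

$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: password never expires

# Only user objects that actually have something in the description field
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(description=*))'
$searcher.PageSize = 1000       # paged results so large domains are not truncated at 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName','description','userAccountControl','pwdLastSet'))

$findings = foreach ($r in $searcher.FindAll()) {
    $p    = $r.Properties
    $uac  = [int]$p['useraccountcontrol'][0]
    $desc = [string]$p['description'][0]

    [pscustomobject]@{
        User         = [string]$p['samaccountname'][0]
        Description  = $desc
        NeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWD)
        PwdLastSet   = [datetime]::FromFileTime([int64]$p['pwdlastset'][0])
        # Hypothetical heuristic for illustration: no whitespace, and letters mixed with
        # digits or symbols looks more like a credential than a job title or department.
        LooksLikeSecret = ($desc -notmatch '\s') -and ($desc -match '[A-Za-z]') -and ($desc -match '[\d\W_]')
    }
}

$findings | Sort-Object LooksLikeSecret, NeverExpires -Descending | Format-Table -AutoSize
```

If this returns the description fields when run from an account that is not in Domain Admins, that is the demonstration: every employee, and anyone who phishes a single employee's credentials, can dump the whole password list in one LDAP query. Clearing the descriptions is the immediate fix; the longer-term fix is to stop storing them anywhere readable and to drop the never-expires and cannot-change settings.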