{"id":48,"date":"2007-06-28T16:48:22","date_gmt":"2007-06-28T04:48:22","guid":{"rendered":"http:\/\/craig.dubculture.co.nz\/blog\/2007\/06\/28\/fixing-the-password-problem-on-small-business-networks\/"},"modified":"2007-06-28T16:48:22","modified_gmt":"2007-06-28T04:48:22","slug":"fixing-the-password-problem-on-small-business-networks","status":"publish","type":"post","link":"http:\/\/craig.dubculture.co.nz\/blog\/2007\/06\/28\/fixing-the-password-problem-on-small-business-networks\/","title":{"rendered":"Fixing the password problem on small business networks"},"content":{"rendered":"<p>I've been involved in commercially supporting Windows networks for almost 5 years now, having dealt with hundreds of users across dozens of different companies.\u00a0 Most of the clients we support are \"small businesses\", which makes sense, as <a href=\"http:\/\/sme-centre.massey.ac.nz\/file.asp?id=55\">it is quoted that 97.3% of private enterprise in NZ is small\/medium sized, accounting for 49.4% of private sector employment<\/a>.<\/p>\n<p>These companies, for the most part, don't have the infrastructure for a large, homogeneous IT environment.<\/p>\n<p>And you know what?\u00a0 They couldn't care less.<\/p>\n<p>They make do with what they always have - buying PCs piecemeal, having Office 2000 on some PCs and Office 2003 on others, and - the kicker - knowing everyone else's passwords, instead of sharing data.\u00a0 Even though products like Microsoft Exchange allow you to do things like delegate access to someone else's mailbox, they still claim they need to all have their passwords set to 'password', or documented in a book, in case they need to sit at someone else's PC.<\/p>\n<p>People don't do what PCs suggest they should do. No one really wants the multi-user functionality that PCs have now.\u00a0 In small business, people want to be able to use the line-of-business application, a web browser, and access their own e-mail and files. 
They might like the idea of having some personalisation (some care for it, some don't), but overall, having to log out as you and log in as me takes longer than the effort required just to use the application as set up on your profile.<\/p>\n<p>So, as a sysadmin, I want people to use strong passwords.\u00a0 I have to wean them off the idea of needing someone else's password to get at their data.\u00a0 And I want to work how they work, not how I think they want to.\u00a0 They want the desktop you use when you're filling in for someone to look like it did when they were learning over the first person's shoulder.<\/p>\n<p>The primary solution put forward by Microsoft is \"roaming profiles\", where you can log into any machine, and have your applications loaded.\u00a0 Say you've got a shortcut to Word 2003 on your desktop, and you roam that profile to a machine with Word 2000 on it.\u00a0 Doesn't work.\u00a0 Good for volume licensed customers with the same software on all PCs, but not good for us.\u00a0 Doubly bad when you look at how people actually work - the accounts clerk has MYOB and payroll software installed, some managers will have banking software for authorising transactions, sales people may have a line-of-business application that analysts don't need, etc.\u00a0 It's not worth ensuring that the software is on everyone's machine, it means unnecessary licensing costs, and in the case of things like payroll software, people want to know it's not available to everyone.<\/p>\n<p>So, roaming profiles are out.<\/p>\n<p>When someone is away, their mail and phone are diverted, but their PC sits there unused, or someone has to sit at the desk - they try and find the icons you used to click, but their new profile doesn't have the shortcuts, or the per-user registry keys required for some random application.<\/p>\n<p>Let's look at some other possible solutions:<\/p>\n<p><strong>Terminal services or Citrix MetaFrame<\/strong><\/p>\n<p>Put everyone on a thin client and 
make everyone use a central server.\u00a0 Good plan, large investment required, takes a lot of time to change from an office of fat-clients to a thin-client environment, and not all SME apps are TS friendly.\u00a0 Also, if you scale to needing more than one TS, then you're back at square 1 with needing the apps to be in sync across two machines.<\/p>\n<p><strong>Virtual machinery<\/strong><\/p>\n<p>Abstract the access away from the machine - have a bunch of passwords all able to unlock the same machine.\u00a0 Wasteful.<\/p>\n<p><strong>Change someone's password temporarily if you need to use their account<\/strong><\/p>\n<p><a href=\"http:\/\/craig.dubculture.co.nz\/blog\/2006\/08\/21\/slashback\/\">Tried this<\/a>.\u00a0 At present, there is no way for the Administrator to change someone's password, store the original hash, and set it back at a later date.\u00a0 I think it's worth implementing though.<\/p>\n<p><strong>Cheat biometrics<\/strong><\/p>\n<p>Biometric sensors, like the fingerprint scanner on my T60 laptop, can be 'cheated': in an office of 10 people, with 10 fingerprints able to be stored, why not store everyone's fingerprint on everyone's computer?\u00a0 Requires buying a scanner for everyone's PC.<\/p>\n<p><strong>Insecure machine accounts, delegated access to data<\/strong><\/p>\n<p>Why not have everyone have a 20 character password, but have a single password for logging into the machine in the morning?\u00a0 You could have a \"machine user\" account on each machine, and delegate e-mail access for everyone necessary to the machine.\u00a0 A bit more administrative overhead but a possible solution.<\/p>\n<p><strong>Craig's \"Silver Bullet\" answer<\/strong><\/p>\n<p>My favourite suggestion is delegating access to your profile, or your profile\/PC combination.\u00a0 This is what Exchange lets you do now with e-mail - why not extend this to user accounts also?\u00a0 Presumably, the component (a \"<a 
href=\"http:\/\/en.wikipedia.org\/wiki\/Graphical_identification_and_authentication\">GINA<\/a>\") that handles authentication for the fingerprint reader, could be made to start loading another account, separate from the one you entered the password for?<\/p>\n<p>Therefore, we can have a 1:1 mapping of people to passwords, so no-one ever has to know anyone else's, and then we can have a 1:many between computers and users, without needing messy multiple profiles.<\/p>\n<p>Anyone see any problems with this approach?\u00a0 If not, why haven't you written it yet?\u00a0 Look perhaps at <a href=\"http:\/\/www.pgina.org\/\">pGina<\/a> as a base. My (ex-)small businesses will pay.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I've been involved in commercially supporting Windows networks for almost 5 years now, having dealt with hundreds of users across dozens of different companies.\u00a0 Most of the clients we support are \"small businesses\", which makes sense, as it is quoted that 97.3% of private enterprise in NZ is small\/medium sized, accounting for 49.4% 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[66],"tags":[27,4],"_links":{"self":[{"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/posts\/48"}],"collection":[{"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/comments?post=48"}],"version-history":[{"count":0,"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/posts\/48\/revisions"}],"wp:attachment":[{"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/media?parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/categories?post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/craig.dubculture.co.nz\/blog\/wp-json\/wp\/v2\/tags?post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}