Hello all, I am not an admin but sometimes you wear more hats than you would like. Just a quick question on user ID management…not requiring a solution but just looking for suggestions. We have been rather lenient in the application of our licensing structure. We are a medium-sized company with about 400 client seats between two companies in two domains which are fully cross certified. Normally when setting up new users we follow a procedure which entails setting the password requirement minimally, to 2 characters. We default everyone to the same password, and allow them to change them on their own as they desire. We have not experienced a security breach, but have decided to act pre-emptively and refine the means by which we approach this layer of security. We need to be able, ideally, to maintain copies of all user ID’s with the original, vanilla password so that if necessary we can log into Notes as that user. The thinking is to leave a copy of each ID within their person documents, for our access only, and set the ID file to also be created on a designated share, to be distributed as the user is configured. Is there a way to force the password to be changed upon first use, as in Windows? Also, this approach is an idea…other perhaps better ideas would be welcomed. Thanks!
Subject: Question on managing ID’s
I will piggyback Andrew’s questions, I think the question is better worded as follows:
How do other companies manage their Notes ID security? We would love to be able to have users be forced to create their own passwords to meet a certain security threshold (at least one number and 6 alpha characters for example). How do we do this while still allowing admins to use these ID files as needed? As it stands now, if a user changes their password, they do so w/o admins knowing the password. If their ID gets lost, we as admins need to create their account from scratch unless we keep another copy of their ID with a global password.
Perhaps we are just approaching this whole scenario incorrectly. How do other companies manage their Notes ID authentication security specific to ID file management/admin?
Many thanks in advance.
Martin
Subject: RE: Question on managing ID’s
Two words: “Password recovery”. Your back-up id files should be maintained in an escrow database (which will be an automated process). Your admins have no business knowing your users’ passwords, nor should they ever have occasion to log in as a given user without that user’s full knowledge and permission. (Post-termination issues or actions during suspension can still be done using the recovery id.) Password strength settings are your normative policy control over passwords.
Anything else is opening a huge security hole in what is otherwise an extremely secure platform.
Subject: RE: Question on managing ID’s
Thanks Stan…I will look into that.
Subject: Question on managing ID’s
I think I worded this ambiguously…“We have been rather lenient in the application of our licensing structure.”
Actually, “authentication security” would have been the accurate way to sum it up, rather than “licensing structure”.