I was thinking more about controlling rules in Exchange. If HR need to be involved to get something enforced then I may as well forget it.
Posts
-
RE: Security mindsets of very small businesses and residential clients
-
RE: Security mindsets of very small businesses and residential clients
@JaredBusch said:
If they are caught, then you discipline them per the policy.
That's HR's function, I try not to get involved.
-
RE: Security mindsets of very small businesses and residential clients
How do you enforce something like that?
-
RE: I'm throwing around the idea of starting a Tech business
I'd be interested in ad-hoc consultancy on a pay by the hour basis. I don't see how you can offer a fully managed service only out of hours though.
I'm not sure it would work for us with you living on a different continent though :(. If I was looking for remote support from overseas, I assume I'd be better off looking at India rather than the US for cost reasons. But you never know.
-
RE: Security mindsets of very small businesses and residential clients
And just to clarify, I didn't start this thread and have no dog in this fight. I don't fear e-mail. I'm just saying what I do, and am interested to hear what others do, and why.
-
RE: Security mindsets of very small businesses and residential clients
@scottalanmiller said:
What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.
Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.
I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.
Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.
-
RE: Security mindsets of MSPs
@scottalanmiller said:
What makes the external nature of someone seem distrustful to you but not someone internal? It's the same pool of humans.
Nothing at all. It just so happens that there are a couple of people at work that I would trust with my life. I don't have that kind of relationship with any of my external partners. I'd like to and maybe someday I will.
I'd trust you
I just don't trust them.
Another example. Our ERP vendor. Biggish company. Part of Infor. They decide to publish all their support calls on their customer portal as part of a knowledge base. So now I can search other companies' support calls to solve my own problems. It's great. But one day, I find a support call that lists the modem number, username and password to remotely access another company's Unix system. They've basically published this information to all their clients around the world.
My point is, some, but obviously not all, IT companies fail to take their clients' security seriously and I think they should know better. This was definitely the case when I was a programmer for a software house - I had no idea about security and no-one ever told me.
-
RE: Security mindsets of very small businesses and residential clients
@scottalanmiller said:
I've written a bit on the evils of SMS.
Link? I definitely don't understand the risks.
Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".
-
RE: Security mindsets of very small businesses and residential clients
So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.
-
RE: Security mindsets of very small businesses and residential clients
Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?
-
RE: Security mindsets of very small businesses and residential clients
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
-
RE: Security mindsets of very small businesses and residential clients
@JaredBusch said:
I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted, for God's sake.
Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.
-
RE: Security mindsets of MSPs
Went off the handle, LOL. Firstly, I don't consider changing passwords a waste of time. I probably don't change them enough. Secondly, it's the principle of the thing that annoys me. Bad practice is bad practice. I don't keep passwords listed in Word documents. I don't think they should either.
-
RE: Security mindsets of MSPs
@scottalanmiller said:
Technology doesn't change the choices. It might appear to, but it really doesn't.
It doesn't change the choices but it changes the solutions. Creating a procedure that allows a colleague to grant admin privileges to external agents isn't a trivial task.
-
RE: Security mindsets of MSPs
@scottalanmiller said:
@Carnival-Boy said:
I trust them to work on my systems. I don't trust them to prevent credentials from getting into the wrong hands as a result of their sloppy security procedures.
You can't differentiate. Distill what you wrote to "I don't trust them."
So, you can't use them. That's your answer there.
I don't trust anyone external. But I have to take a holiday.
-
RE: Security mindsets of MSPs
I trust them to work on my systems. I don't trust them to prevent credentials from getting into the wrong hands as a result of their sloppy security procedures.
At the moment they can only come in if I let them, by enabling their AD account. The problem is who lets them in when I'm not here. If my colleague does this, how do I make it easy for my colleague? Alternatively, I could enable their accounts before I go on holiday, and disable them when I return.
In the days before remote access, they would have to physically enter the building to do any work. There are checks in place to prevent anyone walking into the building (i.e. visitor management & security procedures). How do I replicate the physical management procedures in the on-line world? I need a robust system that balances the risk of unauthorised access versus the risk of downtime as a result of no-one being able to access something that needs fixing.
-
RE: Security mindsets of MSPs
I'm not sure I follow you. What's the purpose of the break-glass system? They still have full access, so it is just as insecure, right?
-
RE: Security mindsets of MSPs
A break-glass system (nice term, btw) wouldn't prevent unauthorised access as a result of stolen credentials though. By the time I get the alarm, it is probably too late to do anything.
-
RE: How long to nap revealed!
I worked for a Japanese company for a while, and many of the staff there would bring in sleeping bags and lie down on the floor in them at lunchtimes. That's some serious napping. I don't know if this is a typical Japanese custom, or the company was just weird.