Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to, all of our users' (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run on a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.
What are you importing them into? Active Directory? Open Directory?
@ Plexer - I wouldn't say 'flawed', but our current policy is not as 'tight' as it should be, hence the overhaul and the introduction of a new policies and data protection training. We have been quite relaxed in the past and this is about to change.
@FN-GM - We have all of our users' usernames; these can be exported from AD. I was thinking that we could maybe then import them into some app / software which will then generate random passwords which we can then issue to our end users. And should a user forget their password, for example, we can simply look them up and either email or give them a reminder in person.
There is a script you can use on r Mueller site that can store these in an Excel file. We use it to generate the initial passwords at year start.
You shouldn't be storing users passwords in any reversible format.
That said, it is not unusual for the master network administration passwords to be locked in a safe in case the NM is 'run over by a bus'.
I would read and reread that policy, because I cannot believe that it says that everyone's password must be known by someone else. I would argue that you are in breach of the DPA if you do.
@GrumbleDook will be able to give you chapter and verse if he is around
Last edited by elsiegee40; 22nd November 2013 at 06:33 PM.
Agreed, I would be seriously questioning anyone that wanted my password or knew my password if I was a normal user. From a data protection point of view it is so wrong... what's to stop you logging on with one of the passwords and doing something nasty?
Yes, as a network manager you can change a password, but then the user would know, as they wouldn't be able to log on unless you reset it exactly to what it was?
Our policy is we set a password initially for the staff when they first join... but set it to be changed on first log on.
I would like to know who wrote such a policy and what qualified them to do so. I must say that it sounds absolutely absurd. No self respecting IT professional would ratify such a proposal if it was put in front of them, surely?
There are various routes to issuing initial passwords to users (to be changed ASAP), but to even conceive of storing live passwords long term beggars belief.
By doing this, you'd be introducing a giant gaping hole into your network. It'd mean you'd have to ban users from being able to change their own passwords too.
The whole point of passwords is that only the user using them should know them. Otherwise, you can never be sure that only that user is on that account. So, you'd have no accountability should something go wrong.
Chapter and verse is as follows ... or at least one careful perspective
To meet DPA principle 7 you should take all reasonable organisational and technical measures to secure data.
Normally this would mean that the only people who should know the password of a user is the user themselves. The school should have the ability to change the password or prevent the user changing their password, should they need to complete any legitimate investigation of use or breach of school policies.
This is done through this methodology so that the school is reasonably sure that any activity on an account is from that user, and there are no or few opportunities for others to use the account. If others have access to the account you cannot be sure who has done anything with it, risking principles 2, 5 and 7, as well as making it difficult for law enforcement agencies to investigate any breaches of the law (computer misuse act, child protection investigations, etc).
There are times when you might want or need a list, though, and these should be considered appropriately. In some schools the class teacher may be required to have ready access to the password for users in their class, due to the age or ability of the learners. This should be treated sensitively by that teacher. The teacher might not be given trusted delegation to change passwords, as this can be deemed an admin task and outside of the teacher's role / work. A central list might need to be maintained by a trusted person within the school for this to be referred back to. The storage of this central list must also be treated sensitively.
The main reasons you don't tend to have the central store is audit and accountability.
Other reasons why schools seek to have the list is to allow any designated member of staff to have access to specified user areas. This might be provided alternatively by the use of permissions on file storage. If you are operating on a cloud-based solution that does not offer this level of delegation then again the central list might be deemed the appropriate way to manage risks.
Key to all this? Risk analysis, and taking justifiable and appropriate actions, and ensuring that any changes to risk are dealt with accordingly.
I am not saying that the central policy is right, just that it needs to fit around *your* analysis, and that of the SIRO in the school.
Instead, do this.
1. Create a password policy in AD that requires a minimum of 8 characters and strong passwords, as well as a password change at least once a year (more frequent is better, but I understand it is teachers and students you're dealing with).
2. Install a password manager such as the ones from Netwrix or ManageEngine. These will enable your users to set up security questions they can answer to reset their own passwords if they forget them, and a delegated admin account you could provide to any techs or even the librarian to reset user passwords securely. These also work great for tablet users who never or rarely log onto a computer on the network to receive alerts about expiring passwords. Netwrix also provides software that will send reminder emails to users when their password is expiring to give them a heads up.
3. Document the new password policy and how to use the password manager and reset passwords. Advertise the heck out of it to your users.
4. Burn the Academy's current Data Loss Policy and create an actual Data Protection Policy based on what you've just implemented. Sometimes it's better to beg forgiveness than ask permission. Especially when you're begging forgiveness for ignoring bad policy and implementing a solution that actually works.
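The year-start routine several posters describe (generate a random initial password, hand it to the user once, force a change at first logon, and never keep a readable copy) plus step 1 above can be done directly against AD. The following is an added example written for this thread, not a script from any poster or vendor named here; it needs the RSAT ActiveDirectory module on a Windows admin box (not the Mac the OP asked about). The policy name, the Staff group, the NewStarters OU and the CSV path are assumed placeholders.

```powershell
# Added example for this thread (not a poster's script). Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1 from the post above: a fine-grained password policy for staff. Minimum 8 characters,
# complexity on, expiry after one year, and reversible encryption explicitly off so the DC itself
# never holds recoverable passwords. Name and group are assumed.
$policyName = 'Staff-Password-Policy'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 8 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 12 -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Staff'   # assumed group
}

function New-InitialPassword {
    param([int]$Length = 14)
    # 64 symbols (so a byte modulo 64 is unbiased), with look-alikes such as I/l/1 and O/0 removed
    # because these get read off a printed sheet.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Retry until AD's complexity rule (three character classes) is definitely met.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    return $pw
}

# Year-start issue run: random initial password, reset on the account, change forced at first logon.
# The plaintext exists only on the one-time issue sheet; nothing reversible is kept on the network.
$issueSheet = @()
Get-ADUser -SearchBase 'OU=NewStarters,DC=academy,DC=local' -Filter * |   # assumed OU
    ForEach-Object {
        $initial = New-InitialPassword
        $secure  = ConvertTo-SecureString $initial -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword $secure
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -Enabled $true
        $issueSheet += [pscustomobject]@{ User = $_.SamAccountName; InitialPassword = $initial }
    }
# Assumed path on a restricted volume; print the sheets, hand them out, then delete the file.
$issueSheet | Export-Csv -Path 'C:\Secure\initial-passwords.csv' -NoTypeInformation

# Later audit without any stored password: pwdLastSet of 0 means the user has still not replaced
# the initial password, which is the only fact the network manager actually needs.
Get-ADUser -SearchBase 'OU=NewStarters,DC=academy,DC=local' -Filter * -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 } |
    Select-Object SamAccountName
```

The point of the pwdLastSet check at the end is that it answers the accountability question raised earlier in the thread (has this person taken ownership of the account yet?) without anyone but the user ever holding the live password.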
Out of interest, does this academy group manage primary, secondary and special school?