Last month the 5W/50 series featured the live Web Seminar “Inexperienced Users and Attackers: A day in the life of Securing SBS 2008.” We just received the Q&A log from that session and thought you might like to hear some of the questions submitted by partners and answers provided by presenter and SBS expert Susan Bradley. If you weren’t able to attend the live version of this event, you can still view it on-demand.

Partner Q: Any idea what HIPAA requirements are for passwords and frequency of changing passwords?

Answer: HIPAA guidance does not explicitly state password policy requirements. It is expected that a best effort is applied to meet the requirements placed on the organization. With that said, there are sample policy templates online at locations like http://www.compliancesforum.com/hipaa-password-security-policy-templates.


Partner Q: What would be the purpose of changing passwords when it is only done every six months or more? I have heard the argument that requiring password changes is an archaic practice that actually encourages easy to break passwords or pasting passwords on monitors. Thoughts?

Answer: It's a balancing act. Stale, static passwords over time become easier to share, steal or circumvent because of continued use and a lax sense of security. On the other hand, no one wants passwords changing every month, as users will resist such changes by using simpler passwords that they may write down, using similar or the same passwords on multiple systems, or simply reusing the same password forever (if allowed by the OS). Change SHOULD be done on a regular basis. Find the cycle that seems reasonable, one that allows your users to use strong passphrases that change regularly, are never reused and are not similar to a previous one.


Partner Q: The "Enforce password history" setting allows for a number of passwords, but doesn't seem to have an option for "similar passwords". Got a tip?

Answer: If you check in TechNet, it talks about how it won't allow "similar" passwords depending on your config.
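Because the OS keeps only hashes of the previous passwords, a "not similar to the previous one" rule (the two answers above) can only be compared against the old password the user types at change time, while the "Enforce password history" part works on stored hashes. The check below is an added example written for this post, not code from the webcast or from Windows; the history length of 24, the 14-character minimum and the similarity threshold are assumed values.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

HISTORY_LENGTH = 24    # assumed, mirrors "Enforce password history" = 24
MIN_LENGTH = 14        # assumed minimum passphrase length
MAX_SIMILARITY = 0.7   # assumed: ratio above this is "too similar"
ITERATIONS = 100_000   # PBKDF2 work factor for stored history entries


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) suitable for storing in the password history."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


def in_history(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if candidate matches any of the last HISTORY_LENGTH stored hashes."""
    return any(hmac.compare_digest(_pbkdf2(candidate, salt), digest)
               for salt, digest in history[-HISTORY_LENGTH:])


def _normalize(pw: str) -> str:
    # Lowercase and strip a trailing run of digits/punctuation, so the common
    # "Winter2013!" -> "Winter2014!" increment collapses to the same core word.
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def too_similar(candidate: str, current: str) -> bool:
    """Compare against the plaintext old password supplied at change time."""
    if _normalize(candidate) == _normalize(current):
        return True
    ratio = SequenceMatcher(None, candidate.casefold(), current.casefold()).ratio()
    return ratio > MAX_SIMILARITY


def check_new_password(candidate: str, current: str,
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if in_history(candidate, history):
        problems.append("reuses one of the last %d passwords" % HISTORY_LENGTH)
    if too_similar(candidate, current):
        problems.append("too similar to the current password")
    return problems
```

Tuning MAX_SIMILARITY downward rejects more near-variants at the cost of more user friction; test it against real change requests before enforcing it.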


Partner Q: What was the name of the patch management tool you are using?

Answer: Check out http://www.shavlik.com/


Partner Q: For blocking access to sites etc. what are you using for firewall hardware and/or software?

Answer: I use the Threat Management Gateway with filtering proxy, and monitor traffic counters with an Intrusion Detection Sensor (SNORT).