Mike,
Looking for the "politically correct" answer to cut and paste into a manual or the "common sense" answer to live with and hopefully not compromise your network in the process? After 16 years of Sys Admin work in various corporate, military, etc. environments, I have yet to see something on paper that will cover the subject to everyone's satisfaction. When in doubt, use common sense, listen to the user(s), notice voice (uncomfortable, rushed, etc.), DO NOT JUMP ONTO A KEYBOARD to perform "your magic"! Take information regarding user id, phone number, etc. and defer the problem to another admin; however, if you ARE the only admin, explain that you are in the middle of an extremely important project, meeting, resolution to a network problem (whatever, to buy some time and slow the process down a little). This activity allows you to think through some things: what kind of activity has been going on on your network? What do the log files say about the last day's activity (providing that they aren't compromised already!)? Did you see anything strange in your daily check of your servers? Do you need to get together with another Sys Admin and review the above questions? COMMON SENSE!! Build it into your "daily" routine and sometimes it even starts to make sense after a while. Hope this rambling helps - Good Luck in your endeavour :>
To answer your question:
Here are some procedures that I follow:
1. Ask for the user name
2. Extension of the phone
3. Room Number
4. Ask for his director's name (if the user stumbles, you know that something is wrong.) Explain to the user that this is for security measures
5. Call the person's Director to see if that user is in fact in the office. (Always helps.)
To Marty R:
I am looking for a "common sense" answer. I'm really more interested in what others are really doing, rather than anything that might be "politically correct" but isn't likely to be followed in practice.
I've gotten flak for trying to implement it here (it worked great at my last company), but requiring the user's supervisor to authorize the reset via email serves to both authenticate the request AND deters the users from making multiple stupid mistakes with their passwords.
It may also alert the area supervisor to possible security compromises in their area.
One day....
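The two controls above (the directory-answer checks in the numbered procedure and the supervisor email authorization) can be enforced as a helpdesk gate rather than left to memory. The following is an added example, not code from anyone in this thread; the directory entries, email addresses and one-hour approval window are constructed assumptions, and the security point is that caller answers and approvals are compared against the directory of record, never against what the caller supplies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample directory: the helpdesk compares the caller's answers
# against these records. A real deployment would pull them from HR/LDAP.
DIRECTORY = {
    "jdoe": {"extension": "4412", "room": "B-210", "director": "asmith"},
    "asmith": {"extension": "4400", "room": "B-201", "director": "ceo"},
}
SUPERVISOR_EMAIL = {"asmith": "asmith@example.invalid"}  # constructed


@dataclass
class ResetRequest:
    user: str
    answers: dict                      # extension, room, director as stated by the caller
    opened: datetime
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # kept for later review of reset activity


def identity_checks_pass(req: ResetRequest) -> bool:
    """Steps 1-4: every answer must match the directory record, not the caller's story."""
    record = DIRECTORY.get(req.user)
    if record is None:
        req.audit.append("unknown user")
        return False
    mismatches = [k for k in ("extension", "room", "director") if req.answers.get(k) != record[k]]
    req.audit.append(f"identity mismatches: {mismatches}")
    return not mismatches


def record_supervisor_approval(req: ResetRequest, from_addr: str, when: datetime) -> bool:
    """Step 5 / email authorization: only the director of record may approve the reset."""
    director = DIRECTORY.get(req.user, {}).get("director")
    if director is None or SUPERVISOR_EMAIL.get(director) != from_addr.lower():
        req.audit.append(f"approval rejected from {from_addr}")
        return False
    req.approved_by, req.approved_at = director, when
    req.audit.append(f"approved by {director}")
    return True


def may_reset(req: ResetRequest, now: datetime, max_age: timedelta = timedelta(hours=1)) -> bool:
    """Reset only with matching identity answers and a fresh approval from the director of record."""
    if not identity_checks_pass(req) or req.approved_at is None:
        return False
    return now - req.approved_at <= max_age
```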
Mike -
Read an article once (here I think?) that discusses this topic. You could implement security cards and readers (expensive and can be lost) or have the person come and show you their ID (yeah right!). They suggest getting information about the user and leaving the password on the person's voice mail - (most likely they haven't forgotten that password!). Hopefully all the users have a phone and don't write the phone mail password on or by their phones (like here!).
-Rachel
Suppose you receive a request to reset a password from a user who claims to have forgotten his password. What procedures and policies do you have in place to ensure that the person making the request is actually the user?
-- MWE
