Win 7 Pro file server with network shares - is this method secure?

tv69 · 09 Jun 2014

Tanya,

Automatic expiring of passwords? Is that set up somehow? We never considered automatic expiration but definitely a manual change somewhere down the road at regular intervals.

Maybe I'm missing something, but the users will never know or need to know the password for shares for their user account to the file server. Shares will be set up once and as long as there are no hiccups the mapped drive should re-map on every reboot. User passwords on local users' computers can be changed at any time with no effect to the shares. If the password to user shares needs to be changed it will probably take 30 minutes tops for an admin to take care of of the changes are remapping of drives on 10 computers. Again, maybe I'm missing something here or maybe I have not explained it well?

As for backup, I agree and a plan is already in place for the short term to swap external backup drives once a week and store them offsite. As an alternative we are also planning a remote offsite backup plan via a software called Duplicati. We will have to test first to see if it is feasible. I don't like the idea of someone swapping drives because generally people will forget or just get lazy and stop the swapping, so I'm hoping the remote backup solution will work well for us.

Thank you again Tanya.

TV

TanyaC · 10 Jun 2014

Hi,

Ok, it is generally a good idea, when setting up a network for a business (even SMBs), to plan out your security strategy. With all due respect, too often things just "evolve" and that's often how problems creep in.

Generally speaking a business would have passwords last a specific period of time, say 90 days, and then expire, at which point users must create a new password. There are a number of policy rules that can be applied to user accounts in the policy editor, which you should have access to (gpedit.msc).

These passwords can be the same on the client and the server. When the user updates the password on the client, it automatically updates it on the server. However, you will get calls from your users when they just don't change passwords and get locked out, mess up the change of password, or just continually lock themselves out of their accounts.

By far the "easiest" solution is to just set up the accounts to never expire. If such be the case, you can set the password on the client PC and the server to be different. The only real advantage that comes to mind is that if they gain access to the server, they will try their client PC password and find it doesn't work.

Of course, the easier the solution you choose, the less secure it is.

What you have to decide, or have the business decide, is how secure do you want things; With increased security comes increased complexity, and in all likelihood, increased support requirements from you.

This really is a business decision. And more often and not they will take the path of least resistance, and the cheapest option, which in the long run will probably bite them on the bum.

Hopefully I'm not confusing you

This is what a user property dialogue might look like.