Bob, your points are not wrong, but you and others who sound off on this topic aren't beginning by determining what the REQUIREMENTS FOR THIS CUSTOMER may be. Your idea of security jumps in without the initial fact-finding step, and moves on to a recommended solution that's somewhere in the middle between none and NSA levels. The customer may indeed want a procedure that has a security consultant come in, do things, and leave with reviewed procedures left in place, and that can be made good enough. That may be enough for him to buy insurance for potential losses and get on with business. If the employees are TRUSTED (as a requirement, despite what any experience may imply), then NOT CHANGING passwords may be a requirement (until turnover events occur).

"Ideal security" closely resembles "ideal politics" and is as hard to find :-) Real security (such as compartmentalized NSA levels) is far beyond anything yet mentioned here, and involves extra hardware at key data flow and control flow nodes. Some of that hardware is pistols for the guards and EMI shielding for the building(s).

FWIW, Lucent uses an electronic key as one of the layers in their 3 or so layered approach on certain dial-in accounts: the electronic part of the password is on a serialized unit like a pocket watch that changes its 6-digit code (the one the user must enter for that security layer) every three minutes, and it requires a matched and keyed generator at the server end.

Best to check whether the requirements call for extra stuff or not. Many are only concerned with keeping viruses out, and are willing to apply formal rules to assure a "trusted" employee, "simple" context. Some of the cost side of the equation is the customer's idea of their labor costs associated with installing and maintaining the proposed solution.
--- Chuck

> -----Original Message-----
> From: tclug-list-admin at mn-linux.org
> [mailto:tclug-list-admin at mn-linux.org] On Behalf Of Bob Tanner
>
> Quoting Ben Bargabus (ben_b at ppdonline.com):
> > none of these people will dump their Windows environments because it's
> > "unsafe", they'll expect you to make it safe. these are financial
> > people and are generally uncomfortable with change).
>
> I'll speak up here.
>
> <soapbox>
> First, the only safe environment is your mother's womb :-P Ok, the only safe
> network/computer/etc is one without any users. This is the first thing most
> security people will tell you.
>
> Since you gotta have users, then it becomes risk management. I know this sounds
> like splitting hairs, but to keep management (or the financial people in your
> case) happy you need to manage expectations. IF management thinks a security
> consultant will walk out and their network is "safe" "forever", that is a bad
> thing.
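The electronic key Chuck describes (a 6-digit code that changes every three minutes, with a matched, keyed generator on the server side) is a time-synchronized one-time code. The following is an added example, not code from this post, from Lucent, or from anyone on the list: it shows the token side and the server side agreeing on a code from a shared secret and a time window, the server tolerating one window of clock drift, and the server refusing a replayed code. The derivation used here (HMAC-SHA1 of the time counter, truncated to six digits, in the style of RFC 6238), the shared secret, the timestamps, and the drift and replay rules are all assumptions for illustration, not how the Lucent unit actually works.

```python
import hashlib
import hmac
import struct

# Parameters taken from the post's description: a 6-digit code that rolls
# over every three minutes.  Everything else below is an assumed design.
STEP_SECONDS = 180
DIGITS = 6


def time_counter(unix_time, step=STEP_SECONDS):
    """Map a Unix timestamp to the index of its time window."""
    return int(unix_time) // step


def code_for_counter(secret, counter, digits=DIGITS):
    """Derive the code for one time window (assumed HMAC-SHA1 derivation).

    The token and the server both hold `secret`; they agree on the code
    because they agree on the counter, not because anything is transmitted.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def token_display(secret, unix_time):
    """What the pocket-watch-style unit would show at `unix_time`."""
    return code_for_counter(secret, time_counter(unix_time))


class TokenServer:
    """The keyed generator at the server end, plus two safety rules:
    tolerate `skew_steps` windows of clock drift either way, and never
    accept a window at or before the last one that was already used."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted = -1

    def verify(self, entered, unix_time):
        current = time_counter(unix_time)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate = current + delta
            if candidate <= self.last_accepted:
                continue                                # replay: window spent
            expected = code_for_counter(self.secret, candidate)
            if hmac.compare_digest(expected, entered):  # constant-time compare
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    secret = b"example-shared-key-not-real"
    now = 1_000_000
    shown = token_display(secret, now)
    server = TokenServer(secret)
    print("token shows", shown)
    print("first use accepted:", server.verify(shown, now))
    print("same code again:", server.verify(shown, now))
    print("two windows later:", TokenServer(secret).verify(shown, now + 2 * STEP_SECONDS))
```

The point for the requirements discussion above is what this layer does and does not buy: a stolen password alone is useless without the unit, and a code overheard once is useless after the window passes or after it has been used, but the whole scheme rests on the server's clock staying close to the token's and on the shared secret staying secret at both ends.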