10 best practices for Windows workstation password changes over a VPN – TechRepublic


Remote work is now a way of life for many employees, and getting support for technical issues can be more challenging and time-consuming. For many workers, the days when they could bring their equipment over to the help desk (or even have it come to them) while on premises are gone or largely reduced.

As someone who works 100% from home, I am well aware that not only is my connection to the internet my lifeline for work, but access issues can quickly ruin my day … or several days.

Case in point: One of the most stressful remote work experiences involves mandated Windows password changes on a company-issued laptop. This process must be performed while connected to the VPN so the laptop can communicate the password change to the Active Directory Domain Controllers. Everything is tied together; going forward you must be able to log into Windows to log into the VPN to obtain the necessary access.


But if your password change goes awry, you’re now in a sort of catch-22. You can’t get into your workstation to launch the VPN to try to correct the problem with another password reset on your own.

Worse, while your help desk can easily reset your Active Directory password to something new, that’s not going to help you log into your workstation if you’re off the VPN since it can’t communicate with Active Directory to authenticate.

You’re dead in the water. You might even have to ship your laptop to the help desk for remediation, or at the very least wait for them to ship you a loaner.

And flubbed password resets have happened to me—but fortunately I had an office 20 minutes away that I could drive to in order to get this resolved. That office no longer exists.

Ideally companies will set up public-facing password reset portals for employees that rely on multi-factor authentication, whereby you can log in with VPN credentials and then reset your associated Active Directory accounts. However, not every business offers that advantage.

Experience has taught me that these 10 best practices for remote password changes can help ensure smooth sailing.


1. Set a calendar reminder for when your password will expire

Few things are worse than being blindsided by the discovery that your password has expired, and depending on the company's Active Directory policy, an expired password can lock you out entirely. Find out when company passwords expire (the help desk will know): 60 days is a common setting. Set a calendar reminder on the day of your next password change and have it recur, say, every eight weeks (56 days in the case of a 60-day expiration policy) so you reset your password before the clock runs out.

2. Make sure to change your password at least 24 hours in advance

On a similar note, don’t skip the reminder and wait until the last second to pick a new password. The bare minimum should be 24 hours in advance of the expiration time, as I’ve found passwords need a bit of time to settle and synchronize (even in local on-premises environments).

3. Get anything critical done first

On password reset day, I recommend taking care of any urgent issues your day requires before changing your password. If something goes wrong you’ll at least have the peace of mind knowing your critical tasks were performed.

4. Time the password reset for the middle of the day

It’s tempting to wait until the end of the day to enact a password reset since you’re just about to be off the clock anyhow. However, the help desk staff may well be, too.

If you reset your password around lunchtime, chances are you’ll not only have that time period to seek assistance but several hours remaining in the workday.

Now, many help desks are global and staffed 24x7x365, meaning you could get support after hours, but chances are you’d prefer to spend as little of your free time as possible obtaining assistance.

5. Write down your help desk’s number

I found this out the hard way after I had to call a colleague for said number when a password change went wrong. Many companies put the help desk hotline right on the desktop of company-issued machines, or bookmark the help desk site in the browser, but if you can’t log in you can’t get to either.

I taped a Post-It note with the help desk hotline to my company laptop. That’s helped me out more than once.

6. Set up an alternate account if allowable

This one may be a swing and a miss depending on company policies, but if you can set up (or have someone set up) an alternate Windows account for emergency purposes, you can log in with that account and then connect to the VPN, so that a new password issued to your own account is registered on your laptop.

Many help desks already have backdoor accounts on company-issued workstations for this purpose and hand out the password to users in emergencies. They can then reset these passwords to discourage users from accessing the backdoor accounts without authorization.

7. Test-type the password before you change it

Pick your new password then open Notepad, Word or a command prompt and type it in to visually confirm all characters appear. This will rule out any problems with your keyboard.

It sounds far-fetched, but a sticky Shift key once almost gave me an ulcer because the “#” in my password was being entered as “3” and I kept locking out my own account.

8. Save the new password in a password manager

Before you change the password, save it in a local password manager such as KeePass or Password Safe. I am an enthusiastic advocate of KeePass, as it has made password management so simple for me. It can store all your passwords including prior versions thereof, and can even generate passwords for you, but there is one caveat …

9. Memorize the password in advance

Having a password manager generate passwords for you to use as your point of entry to your workstation is a bad idea unless you have an excellent memory. The most basic type of password it can issue is a 40-bit password like ffc12844a1, which works well for a URL you will access after you log in (you can just copy and paste the password in without ever really knowing it), but not so well for a workstation login unless you plan to spend at least five minutes typing it in over and over to memorize it.

A better option is to pick a personally meaningful password — but not too meaningful. I use passphrases to create passwords, such as “I love Red Sox baseball in the spring #1” (note: not my actual password), which could also be truncated to IlRSbits#1 using the first character of the words shown.

You don’t want to create some whiz-bang fancy super-secure password that you’ll forget in seven minutes. And I can’t encourage writing company passwords down on paper.
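The two password styles contrasted above, worked through in code. This is an added example, not code from the article: `acronym_password` applies the article's first-character rule to its sample phrase, and `charset_bits` is an assumed, deliberately naive length-times-alphabet estimate that reproduces the "40-bit" figure for the hex example and, as the comments note, only gives an upper bound for anything derived from a quotable phrase.

```python
import math
import string

# Constructed sample inputs. The phrase is the article's own (non-secret) example.
HEX_EXAMPLE = "ffc12844a1"
PHRASE_EXAMPLE = "I love Red Sox baseball in the spring #1"


def acronym_password(phrase: str) -> str:
    """Apply the article's rule: take the first character of each word, keeping
    its case, and keep tokens with no letters (like '#1') whole so the digits
    and symbols survive the truncation."""
    parts = []
    for token in phrase.split():
        if any(ch.isalpha() for ch in token):
            parts.append(token[0])
        else:
            parts.append(token)
    return "".join(parts)


def charset_bits(password: str) -> float:
    """Naive strength estimate: length * log2(alphabet size), with the alphabet
    inferred from the character classes present. A lowercase hex string is
    treated as a 16-symbol alphabet, which is why 'ffc12844a1' is a 40-bit
    password. This overstates the strength of anything derived from a quotable
    phrase, so treat the result as an upper bound, not a guarantee."""
    if password and all(ch in "0123456789abcdef" for ch in password):
        return len(password) * math.log2(16)
    size = 0
    if any(ch.islower() for ch in password):
        size += 26
    if any(ch.isupper() for ch in password):
        size += 26
    if any(ch.isdigit() for ch in password):
        size += 10
    if any(ch in string.punctuation for ch in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    derived = acronym_password(PHRASE_EXAMPLE)
    print(derived, round(charset_bits(derived), 1))
    print(HEX_EXAMPLE, round(charset_bits(HEX_EXAMPLE), 1))
```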

10. Lock your screen rather than reboot

I saved the most important tip for last. When you change your Windows password do not reboot. Stay on the VPN and lock your screen with the Windows-L key combination. Your workstation will continue to communicate to Active Directory. If the password change didn’t take or your account ends up locked out, the help desk can reset/unlock it and that should hopefully allow you to log into the workstation once more.

Source: https://www.techrepublic.com/article/10-best-practices-for-windows-workstation-password-changes-over-a-vpn/