PNE on the shop floor is not an option.

  • I represent a large corporation with hundreds of mid-size manufacturing facilities scattered all over the globe. We have been given the policy standard of having all passwords set to expire within a 45-day period. No user account except a system administered account, one where an application uses account access and not an individual user, will be exempt from this policy and not use PNE (password never expires) status. My problem is in the manufacturing shop floor area we have users who share a generic PC for functions like label printing, work order management, time and attendance and product drawing retrievals, among other functions. We also have around-the-clock shifts where it could be possible that up to 6 to 10 different users would log in to a single PC within a 24-hour period. Right now these PCs are set to never expire and they all share a generic login to keep it less complicated for the shop floor personnel. Has anyone had to deal with multiple user logins on a single PC with expiring passwords? The password management on this alone could cripple a large production environment with constant resets, lockouts and forgotten passwords. Any ideas?

  • Hi Ron and welcome 🙂
    Yes, PNE settings are something that most auditors will critique (and for good reason). Although as you’ve described, these are for low risk factory floor apps. Some ideas:

    1. SOX mandates the protection of financial systems (albeit you always want 1 set of standards and not multiples). If the workers aren’t part of the financial risks that must be covered by SOX, maybe an exemption can be granted?
    2. If you can continue current practices, you might place all applications on a special server and even domain (if Windows based) to isolate this special situation from the rest of the affected systems that must comply.
    3. If you must do this, one idea we’ve used (esp. for system service accounts that can break production jobs) is to perform an annual password change on these. If each person must log on/off, I’d add more workstations on the factory floors – or else folks will be spending more time logging on/off than working 😉
    4. I’m not sure if biometric (fingerprint readers) or two-factor solutions (e.g., Secure-ID, Cryptocards) would work on the factory floor, but it’d be a positive move away from passwords, which are weak security anyway.
      I would work with your security area to try to either isolate th
