Need Help With HIPPA Password Policies

NetworkingStudent Member Posts: 1,407
MSP Need Help With HIPPA Password Policies in a Non Domain Environment

Hello,

I need some help.

My boss has tasked me with writing some scripts for HIPPA compliance.

The devices are in a non-domain environment.

We need to set max password age of 90 days.

The password needs to be complex.

The computer needs to be locked off after 3 FAILED log on attempts.

The screen needs to lock after a certain time of inactivity.

We want to monitor registry keys, so we can make these policies stay in effect.

It's hard to find the registry keys for these password locations (I have searched Google).

My questions:
1) Is there a max password age PowerShell script that sets a password age in a non-domain environment?
2) Is there a PowerShell script that sets a password to be complex?

3) Where are the registry locations/keys for these items?

4) Would it be best to write a script/batch file?
Please see this link
Password Expiration - Change MAX and MIN Password Age - Windows 7 Help Forums

5) Does anyone have any ideas on how to enforce HIPPA rules via password rules at an MSP?

6) I have told my boss that it is very hard to find PowerShell commands to set password age, complexity, etc. in a non-domain environment. Is this correct?

Please note: This is a non-domain environment.

Any help at all is greatly appreciated
"When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

--Alexander Graham Bell,
American inventor

Comments

  • Repo Man Member Posts: 300
    Can you use local GPO's?
  • Mitechniq Member Posts: 286
    No need for a password script, just build out your first computer through local security policy, export it when done. You can then import the policy to your other computers. Depending on the amount of computers, you can easily script the import piece. Don't ask me how to do that, I'm not a Windows guy.
  • cyberguypr Mod Posts: 6,928
    ^ yeah, the article the OP linked even has the Local Security Policy Manager how-to. You can push all sorts of things but my question is, do users have admin access to their machines? If so, they can change everything you push. Is this for internal users or for customers?
  • Shdwmage Member Posts: 374
    Working in a HIPAA environment I will tell you that I don't think that local GPO will fly. There is no way to enforce and validate that it was taken.

    These changes should be done in a domain GPO, but with that not being an option the best thing you can do is set local group policies. You can export and import them I believe through something like what is linked on this page: Florian's Blog » How can I export local Group Policy settings made in gpedit.msc?

    Check the notes at the bottom for more useful information.
    --
    “Hey! Listen!” ~ Navi
    2013: [x] MCTS 70-680
    2014: [x] 22-801 [x] 22-802 [x] CIW Web Foundation Associate
    2015 Goals: [] 70-410
  • Shdwmage Member Posts: 374
    By taken, I mean applied to the computer.

    Also, are you doing things like encrypting your laptops? I don't know if it's actually part of HIPAA compliance per se, but if you don't have them encrypted and a laptop is stolen then you have to report a breach.

    I have to monitor a software information event monitor every day and search for breaches and changes. It's a real pain in the behind.
    --
    “Hey! Listen!” ~ Navi
    2013: [x] MCTS 70-680
    2014: [x] 22-801 [x] 22-802 [x] CIW Web Foundation Associate
    2015 Goals: [] 70-410
  • ratbuddy Member Posts: 665
  • doobu Member Posts: 87
    HIPAA. Sorry. Pet peeve. :P But, Ratbuddy got it first.

    Anyway. Good luck enforcing it. I fight it on a daily basis. Constantly. Passwords. Phones with no encryption. E-mails being sent with PHI. It's a horrible, horrible fight and you better prepare for a CMS or HHS audit if you're messing up too much.

    It's taken months for me to even get them to LOOK at getting a risk assessment, let alone any type of password enforcement/protection. You're further than we are at least!

    When they do these audits, they scrape everything, look under keyboards and desks, time your log outs, check your personnel's knowledge of compliance, password rules, other risk mitigation techniques in lieu of other procedures, etc.

    It is so vague and so bad. They fined one clinic here 450,000 for bad billing practices. They had to sell their A/R and building.
  • NetworkingStudent Member Posts: 1,407
    Just some quick replies here:

    No, GPOs cannot be used... these are workgroup accounts - no domain.

    The users don't have admin accounts/rights. However, we have admin accounts on these machines, so that we can run some of our managed services.

    These are workstations... we don't have encryption enabled on these devices. Do they need encryption if they're not laptops? BitLocker, etc.

    I thought about writing a batch file to enforce the password policy, but that may be hard to automate.

    The .inf local security policy looks interesting...
    I tried finding this location in some virtual machines and my own machine. After running the MMC snap-in and adding the security template, I couldn't find the password policies.

    Quick Questions
    1) Are there PowerShell commands that change password requirements in a non-domain environment?
    2) I wrote a batch file to change the passwords.

    rem Clear the "password never expires" flag on every local account so the max age applies
    wmic path Win32_UserAccount set PasswordExpires=True
    rem Maximum password age in days
    net accounts /maxpwage:90
    rem Minimum password length
    net accounts /minpwlen:14
    rem Remember the last 4 passwords so they cannot be reused
    net accounts /unique:4

    How does the batch file look so far?

    I'm learning why AD is so important. Unfortunately, I'm learning the hard way. AD can help control user accounts, passwords, access, and so much more!!! Controlling these things is a lot harder in a non-domain environment.
    Thanks Guys for all the help!!
    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
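Building on Mitechniq's and Shdwmage's export/import suggestion and the OP's net accounts batch file, here is an added PowerShell example that is not from anyone in the thread. It writes the requested policy as a secedit template (which, unlike net accounts, can also turn on password complexity), applies it, sets the machine inactivity lock, and then re-exports the effective policy to flag any drift, which answers the "monitor so the policies stay in effect" requirement. It assumes an elevated prompt, Windows 8 / Server 2012 or later for InactivityTimeoutSecs, and the temp file paths are the example's own.

```powershell
# Added example, not from the thread: apply and verify a workgroup password/lockout
# policy on one machine. Run as administrator. Assumes Windows 8 / 2012 or later.
$ErrorActionPreference = 'Stop'
$Required = @{                       # values taken from the OP's requirements
    MaximumPasswordAge    = 90
    MinimumPasswordLength = 14
    PasswordComplexity    = 1        # net accounts cannot set this; secedit can
    PasswordHistorySize   = 4
    LockoutBadCount       = 3
}
$Inf = Join-Path $env:TEMP 'policy-template.inf'   # example path (assumption)
$Db  = Join-Path $env:TEMP 'policy-template.sdb'   # secedit creates it if missing

# Same [System Access] keys that secpol.msc exports; lockout needs the two timers too
@"
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = $($Required.MaximumPasswordAge)
MinimumPasswordLength = $($Required.MinimumPasswordLength)
PasswordComplexity = $($Required.PasswordComplexity)
PasswordHistorySize = $($Required.PasswordHistorySize)
LockoutBadCount = $($Required.LockoutBadCount)
LockoutDuration = 30
ResetLockoutCount = 30
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $Inf -Encoding Unicode

# Apply the template to the local security database
secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /quiet | Out-Null

# Lock the screen after 15 minutes of inactivity (machine-wide policy value)
$Sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $Sys -Name InactivityTimeoutSecs -PropertyType DWord -Value 900 -Force | Out-Null

# Verify: export the effective policy and compare each required value (re-run on a schedule)
$Export = Join-Path $env:TEMP 'policy-effective.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet | Out-Null
$Effective = @{}
Get-Content $Export | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(\d+)\s*$') { $Effective[$Matches[1]] = [int]$Matches[2] }
}
foreach ($Key in $Required.Keys) {
    $State = if ($Effective[$Key] -eq $Required[$Key]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} required={1,-3} effective={2,-3} {3}' -f $Key, $Required[$Key], $Effective[$Key], $State
}
```

Any MISMATCH line means a local admin changed the setting since the last run, so scheduling the verify half of the script is the workgroup substitute for a domain GPO refresh.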
  • kiki162 Member Posts: 635

    We need to set max password age of 90 days.

    The password needs to be complex.

    The computer needs to be locked off after 3 FAILED log on attempts.

    The screen needs to lock after a certain time of inactivity.

    We want to monitor registry keys, so we can make these policies stay in effect.

    Take a look at some of these links below.

    https://support.microsoft.com/en-us/kb/324739
    Are there registry settings for Password Policies on Windows 2008? - Server Fault
    https://gallery.technet.microsoft.com/Windows-bat-script-to-Copy-1403b3ef
  • aspiringsoul Member Posts: 314
    doobu wrote: »
    HIPAA. Sorry. Pet peeve. :P But, Ratbuddy got it first.

    Anyway. Good luck enforcing it. I fight it on a daily basis. Constantly. Passwords. Phones with no encryption. E-mails being sent with PHI. It's a horrible, horrible fight and you better prepare for a CMS or HHS audit if you're messing up too much.

    It's taken months for me to even get them to LOOK at getting a risk assessment, let alone any type of password enforcement/protection. You're further than we are at least!

    When they do these audits, they scrape everything, look under keyboards and desks, time your log outs, check your personnel's knowledge of compliance, password rules, other risk mitigation techniques in lieu of other procedures, etc.

    It is so vague and so bad. They fined one clinic here 450,000 for bad billing practices. They had to sell their A/R and building.
    The client that I manage has many users who use their usernames as their passwords. They let me enable account lockout, but they will not allow me to enforce password complexity. Regulatory requirements are not a concern here though....

    I feel your pain. My former employer was a Bank so I was used to adhering to GLBA requirements.
    Education: MS-Information Security and Assurance from Western Governors University, BS-Business Information Systems from Indiana Wesleyan University, AAS-Computer Network Systems - ITT Tech,
  • jmasterj206 Member Posts: 471
    I would strongly look into getting the funding to get a domain set up. That way you have an audit trail. You should also have some SIEM software of some type. I've been in Healthcare IT for almost 10 years now and it is a constant battle. You try to make everything as secure as possible and then it always gets thrown back in your face saying it is hindering patient care and you lose everything you worked at.

    As far as encryption, HIPAA guidelines are vague. Every computer that leaves the building is encrypted. Our EHR software automatically encrypts any files that it puts on the machine. All email containing PHI is encrypted and they have the option to encrypt if they are unsure.
    WGU grad