Increasing Awareness of Social Engineering Attacks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Users must be cautioned against sharing their passwords with anyone, including IT staff. Every legitimate user has an individual account, and an administrator who needs to complete a task on a user's behalf does so from his or her own account, with his or her own privileges, and never needs to know the user's password. Resetting a user's password and unlocking a locked-out account are administrative operations that require the administrator's credentials, not the user's current password.
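To make the point concrete, the following PowerShell script is an added example (it is not part of the original article) that resets a password and unlocks an account through ADSI using only the administrator's own logon session; at no point is the user's existing password needed. The distinguished name, domain and the temporary password scheme are hypothetical placeholders.

```powershell
# Added example: reset a user's password and unlock the account from an
# administrator's own session. Nothing here needs or asks for the user's
# current password. Run on a domain-joined machine as a member of
# Account Operators or Domain Admins. ADSI is available on Windows
# Server 2003 with PowerShell installed; the ActiveDirectory module
# (Windows Server 2008 R2 and later) is not required.
$ErrorActionPreference = "Stop"   # a bad DN or missing right stops the script

# Hypothetical placeholders: replace with the real DN. The one-time
# password is generated here so that the help desk never picks a
# guessable value and never asks the user for the old one.
$userDN = "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=local"
$oneTimePassword = "Temp-" + [guid]::NewGuid().ToString("N").Substring(0, 12)

$user = [ADSI]$userDN

# 1. Administrative reset (IADsUser::SetPassword). Unlike ChangePassword,
#    SetPassword does not take the old password; it relies on the
#    caller's "Reset Password" right on the user object instead.
$user.SetPassword($oneTimePassword)

# 2. Unlock: writing 0 to lockoutTime clears an account lockout.
$user.Put("lockoutTime", 0)

# 3. Force a change at next logon (pwdLastSet = 0) so the temporary
#    value never becomes the user's long-term password.
$user.Put("pwdLastSet", 0)

# Commit the attribute changes to the directory.
$user.SetInfo()

Write-Host "Account $($user.sAMAccountName) has been reset and unlocked."
Write-Host "Hand the one-time password to the user in person or over a verified channel."
```

The script deliberately uses SetPassword rather than ChangePassword: the former is the administrative reset that needs no knowledge of the old password, which is exactly why a support technician, real or impersonated, has no reason to ask a user for it.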

One simple and effective way for an attacker to compromise a system is to telephone users, claim to be calling from the help desk, and ask for their passwords. Because users want to be helpful, and the caller appears to be solving a problem, they have little incentive to question who is really calling. Caution users to be wary of such calls and assure them that it is appropriate, and expected, to refuse any request for a password, because legitimate support staff never need it. Establish a procedure by which users who receive a call of this type take the caller's name, end the call, and call the help desk back using the number published in the internal directory rather than a number supplied by the caller, since a number the caller provides proves nothing. In this way, users confirm that the request is legitimate before they reveal any sensitive information.