Security vs. End-User Compliance

Security versus end-user compliance (or convenience) is a very common scenario in many workplaces. This battle requires each party to give a little in order for the organization to become more harmonious and secure. Both parties have justification for the current policies and actions as they relate to the organization: administrators seek to prevent malicious acts or computer theft, while end users seek to perform the tasks assigned to them.


The immediate risk in the current situation is passwords being written down and stuck to the CRT. This is a visible breach of security that would be hard, if not impossible, to trace back to anyone but the user who allowed his or her password to be easily compromised. At that point the organization is left with no choice but to seek punitive action against that employee for the resulting malicious acts. However, there are ways to avoid this in the scenario.


First, the organization needs to consolidate administrators. Instead of assigning passwords and user IDs per host and per LAN, passwords and user IDs should be assigned to resources. An example of this would be to place the users in Active Directory and use the Group Policy Management Console to assign resources.

User IDs and passwords are also different on servers within the DMZ or outside the firewall. All passwords are changed every 90 days, and a user may not reuse a password for three cycles. User education seems to be in the organization's best interest, which includes punitive actions when a password is found at a workstation.
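One way to verify that the domain actually enforces the rotation and reuse rules just described, as an added example that is not part of the original post: it assumes the RSAT ActiveDirectory module and read access to the domain, and treats the 90-day maximum age and three-cycle history as the expected baseline.

```powershell
# Added example (not from the original post): audit the default domain password
# policy against the rules described above (90-day rotation, no reuse for three
# cycles). Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-PasswordPolicyCompliance {
    param(
        [int]$ExpectedMaxAgeDays = 90,   # rotation period stated in the post
        [int]$ExpectedHistory    = 3     # cycles during which reuse is forbidden
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    # A zero MaxPasswordAge means passwords never expire.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings += "MaxPasswordAge is 0 (never expires); expected $ExpectedMaxAgeDays days"
    } elseif ($policy.MaxPasswordAge.TotalDays -gt $ExpectedMaxAgeDays) {
        $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.TotalDays) days; expected at most $ExpectedMaxAgeDays"
    }
    if ($policy.PasswordHistoryCount -lt $ExpectedHistory) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); expected at least $ExpectedHistory"
    }

    # Fine-grained policies override the default for the users or groups they
    # apply to, so a weaker exception (e.g. for DMZ accounts) must be surfaced too.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue
    foreach ($p in $fgpp) {
        if ($p.PasswordHistoryCount -lt $ExpectedHistory -or
            $p.MaxPasswordAge -eq [TimeSpan]::Zero -or
            $p.MaxPasswordAge.TotalDays -gt $ExpectedMaxAgeDays) {
            $findings += "Fine-grained policy '$($p.Name)' is weaker than the baseline"
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PasswordPolicyCompliance | Format-List
```

Running this from a domain-joined workstation reports whether the configured policy matches the stated rules and lists any fine-grained policy that undercuts them.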


However, I have found the best course of action is education, consolidation of passwords the user is required to maintain at one time, and careful monitoring of the network. If everyone in the organization shares the risk to some extent they seem more willing to comply. An example would be to tie the HRIS system into the passwords and educate the user that if their password is compromised their family may end up with no benefits if their status is changed.
