We are being asked by the Attorney General, our auditors and our CIO to force passwords to expire every 90 days in Raiser’s Edge. From what I found in the Knowledgebase there is nothing in Raiser’s Edge to allow us to force a user’s password to change or expire. How are you dealing with this issue and how do you provide proof to your auditors? Also, how do you track whether a password has been changed or not?
We have about 1/3 of our users on Windows Authentication. The CIO does not want to expire their Windows Network login password so those using Windows Authentication will have to be asked to change their network password. IT will be able to show who has not changed their password so we can lock them out. How do we lock a user out or make their account inactive without deleting them?
I have never heard of such a request before (from an Attorney General no less) but why would they ONLY want RE passwords to expire and not want their network passwords to expire? We have more strict guidelines here which force us to change our network passwords every 40 days (HIPAA, etc.) but no one has asked me to do this in RE yet. In order to do it I would simply switch people to Windows Authentication.
I am quite shocked that you have a CIO who does not insist on expiring network passwords - it has become the standard and right now is the only way I know of to accomplish this task. I would go above your CIO if you can and insist that they take another look at general network security overall which would help you secure RE.
Our President got a letter from A.G. Blumenthal in April 2008 strongly urging, "Each institution of higher education, as a matter of basic trust, should take, at a minimum, the following steps:" and then it lists 9 different measures. Our CIO is responding and wants our RE database as secure as the main University system is. Only Advancement is using Raiser's Edge. We went live July 28th. The University uses Sungard SCT Banner for the rest of the University. Passwords on the Banner database expire regularly.
The problem really is not the Windows Authentication, because only about 1/3 of our Raiser's Edge users can use that. Most of our users must use the Raiser's Edge authentication if they are to use reAnywhere while they are traveling. Thus the issue of how to force users to change their passwords and how to prove to the auditors that a password was changed or not. The other issue is how to lock out a user or make their account inactive when they have not changed their password.
In my opinion, RE is as secure as the main University system if your CIO is not requiring expiring network passwords. I am not in higher ed so we did not get this letter so I do not know what the 9 steps are.
I do not use RE: Anywhere and that may add one more hurdle in your attempt to comply. What I have used is either Citrix or VPN to have users log in from offsite. With VPN (which is my preference) users log in from offsite directly to the computer at their desk and use the same security they would use if they were on-site. And you could then use Windows Authentication for 100% of your users.
I wish I had better advice for you. I assume you have contacted Blackbaud. What was their response?