Account Practices

General Concepts

  • On-boarding/off-boarding.

  • Standard naming convention for user IDs.

  • Least privilege.

  • Time-of-day restrictions.

  • Location-based policies.

Account Types

  • User Accounts - issued to users for authentication.

  • Guest Accounts

    • Should be disabled by default with minimal privileges and time limits.

    • Issued on a temporary basis and usually have an expiration date.

  • Shared and Generic Accounts

    • No non-repudiation: actions cannot be tied to a specific individual.

    • Examples: conference rooms, kiosk computer.

    • Restrict as much as possible.

  • Change the names of default system accounts.

  • Service Accounts

    • Used by systems/apps

    • Restrict human use.

    • Restrict access rights/authorization.

    • Set a complex password.

  • Privileged Accounts / Admin Accounts

    • Each user should have a separate admin account.

    • Types: Windows Admin & Linux Root.

    • Run as a general user and only increase privileges as needed.

      • Windows UAC (User Account Control)

      • Linux Sudo

    • Restrict authorization & increase logging.

Account Restrictions

  • Time of Day Restrictions

    • Limits the time of day a user may log onto a system.

    • Time blocks for permitted access are chosen.

    • Can be set on individual systems.

  • Account Expiration

    • Orphaned accounts: accounts that remain active after an employee has left the organization.

    • Dormant accounts: not accessed for a lengthy period of time.

    • Both can be security risks.

    • Account expiration can be a set date or number of days of inactivity.

  • Recommendations for dealing with orphaned or dormant accounts:

    • Establish a formal process.

    • Terminate access immediately.

    • Monitor logs.

  • Orphaned accounts remain a problem in today's organizations.

  • Password expiration sets a time when the user must create a new password.
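The restrictions above (time-of-day windows, expiration dates, dormant and orphaned accounts) are easy to check mechanically once account data is in hand. The script below is an added example, not code from the original notes; it works over a small set of constructed account records (the field names, the 90-day dormancy limit and the "employed" flag are assumptions for the example, not fields of any real directory) and reports which accounts fall into each category.

```python
from datetime import date, datetime, time

# Constructed sample records standing in for a directory export (not real data).
TODAY = date(2024, 6, 30)
ACCOUNTS = [
    {"user": "alice", "enabled": True, "employed": True,
     "last_login": date(2024, 6, 28), "expires": None,
     "allowed_hours": (time(7, 0), time(19, 0))},
    # Left the organization but the account was never disabled: orphaned.
    {"user": "bob", "enabled": True, "employed": False,
     "last_login": date(2024, 5, 2), "expires": None,
     "allowed_hours": (time(7, 0), time(19, 0))},
    # Contractor whose expiration date has already passed.
    {"user": "contractor1", "enabled": True, "employed": True,
     "last_login": date(2024, 2, 1), "expires": date(2024, 3, 31),
     "allowed_hours": (time(9, 0), time(17, 0))},
    # Service account that has not logged in for months: dormant.
    {"user": "svc_backup", "enabled": True, "employed": True,
     "last_login": date(2024, 1, 10), "expires": None,
     "allowed_hours": (time(0, 0), time(23, 59))},
]

DORMANT_DAYS = 90  # assumed inactivity limit for this example


def orphaned(accounts):
    """Accounts still enabled although the person has left the organization."""
    return [a["user"] for a in accounts if a["enabled"] and not a["employed"]]


def dormant(accounts, today=TODAY, limit=DORMANT_DAYS):
    """Enabled accounts not used for more than `limit` days."""
    return [a["user"] for a in accounts
            if a["enabled"] and (today - a["last_login"]).days > limit]


def expired(accounts, today=TODAY):
    """Enabled accounts whose fixed expiration date has passed."""
    return [a["user"] for a in accounts
            if a["enabled"] and a["expires"] is not None and a["expires"] < today]


def login_permitted(account, when):
    """Time-of-day restriction: is a logon at `when` inside the allowed window?"""
    start, end = account["allowed_hours"]
    return start <= when.time() <= end


def review(accounts, today=TODAY):
    """Summary a reviewer would act on: disable, then investigate via logs."""
    return {
        "orphaned": orphaned(accounts),
        "dormant": dormant(accounts, today),
        "expired": expired(accounts, today),
    }


if __name__ == "__main__":
    for category, users in review(ACCOUNTS).items():
        print(f"{category}: {users}")
    alice = ACCOUNTS[0]
    print("alice at 22:00 permitted:",
          login_permitted(alice, datetime(2024, 6, 30, 22, 0)))
```

Each check is separate so the output can feed the formal process the notes recommend: orphaned and expired accounts are disabled immediately, dormant ones are confirmed with the owner and then disabled, and the logs of all three are reviewed for activity after the cut-off.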

Account Policy Enforcement

  • Credential Management

  • Group Policy

  • Password Policies / Complexity

  • Expiration

  • Recovery

  • Disablement / Locking

Password Policies

  • Password History

    • Allows you to configure how many new passwords must be created before an old one can be reused.

    • This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually.

    • Reused passwords are sometimes referred to as rotating passwords.

  • Password Age

    • Allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password.

    • It is a good security practice to enforce a password age of 30 to 60 days.

    • Some companies force users to change their passwords monthly or quarterly.

    • This interval should be determined based on how critical the information is and on how frequently passwords are used.

  • Password Length

    • Allows you to configure the minimum number of characters that must be used in a password.

    • At minimum, this policy should be configured to 7 or 8 characters.

  • Password Lockout

    • Allows you to configure the number of invalid logon attempts that can occur before an account is locked.

    • Also allows you to configure the number of days that the account remains in this state.

    • You may want to configure the account lockout policy so that an admin must be contacted to enable the account again.

  • Password Complexity

    • Allows you to configure which characters should make up a password to reduce the possibility of dictionary or brute force attacks.

    • A typical password complexity policy forces a user to incorporate:

      • Numbers

      • Letters

        • Upper & Lower Case

      • Special Characters
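The five policy settings above interact: history only works if old passwords are kept in a form that can be compared, minimum age stops a user cycling through the history in one sitting, and lockout must reset on a successful logon. The class below is an added example, not code from the original notes or from any operating system's policy engine; the policy values (8 characters, 60-day maximum age, 1-day minimum age, 5-deep history, 5-attempt lockout for 1 day) are assumptions chosen to sit inside the ranges the notes give, and PBKDF2-SHA256 is used so that the history holds salted hashes rather than plaintext.

```python
import hashlib
import os
from datetime import date, timedelta

# Assumed policy values for the example; sized to match the ranges in the notes.
POLICY = {
    "min_length": 8,
    "max_age_days": 60,
    "min_age_days": 1,
    "history_depth": 5,
    "lockout_threshold": 5,
    "lockout_days": 1,
    "require": {"upper", "lower", "digit", "special"},
}
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the history never stores plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(password, salt, digest):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest


def character_classes(password):
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


class Account:
    def __init__(self, username, password, today):
        self.username = username
        self.history = []            # (salt, digest) pairs, newest last
        self.changed_on = today
        self.failed_attempts = 0
        self.locked_until = None
        self._set(password, today)

    def _set(self, password, today):
        self.history.append(hash_password(password))
        self.history = self.history[-POLICY["history_depth"]:]  # keep N most recent
        self.changed_on = today

    def password_problems(self, candidate, today):
        """Every policy rule the candidate breaks; empty list means acceptable."""
        problems = []
        if len(candidate) < POLICY["min_length"]:
            problems.append("too short")
        missing = POLICY["require"] - character_classes(candidate)
        if missing:
            problems.append("missing " + ", ".join(sorted(missing)))
        if any(verify(candidate, s, d) for s, d in self.history):
            problems.append("reused within history")
        if (today - self.changed_on).days < POLICY["min_age_days"]:
            problems.append("changed too recently")
        return problems

    def change_password(self, candidate, today):
        problems = self.password_problems(candidate, today)
        if not problems:
            self._set(candidate, today)
        return problems

    def must_change(self, today):
        """Maximum age reached: user must set a new password."""
        return (today - self.changed_on).days >= POLICY["max_age_days"]

    def login(self, password, today):
        """Returns 'ok', 'expired', 'denied' or 'locked'."""
        if self.locked_until and today < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if verify(password, salt, digest):
            self.failed_attempts = 0          # success resets the counter
            return "expired" if self.must_change(today) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= POLICY["lockout_threshold"]:
            self.locked_until = today + timedelta(days=POLICY["lockout_days"])
            self.failed_attempts = 0
            return "locked"
        return "denied"
```

Note that `password_problems` reports every violated rule at once, which is what a user-facing change dialog needs; a lockout that only clears when an administrator intervenes, as the notes suggest for sensitive accounts, is the same logic with `locked_until` set to `None` and cleared by a separate unlock call.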

Password Weaknesses

  • Weakness of passwords is linked to human memory.

    • Humans can only memorize a limited number of items.

    • Long, complex passwords are most effective but also the most difficult to memorize.

  • Users must remember passwords for many different accounts.

  • Security policies mandate passwords must expire.

    • Users must repeatedly memorize passwords.

  • Users often take shortcuts.

    • Using weak passwords.

    • Reuse the same password for multiple accounts.

      • Easier for an attacker who compromises one account to access others.

Password Defenses

  • Creating strong passwords.

  • Most passwords consist of:

    • Root

    • Attachment

  • Attack Program Method

    • Tests password against 1000 common passwords.

    • Combines common passwords with common suffixes.

    • Uses 5000 common dictionary words, 10000 names, 100000 comprehensive dictionary words.

    • Makes common substitutions for letters in the dictionary words.

  • General guidelines for creating a strong password:

    • Do not use dictionary or phonetic words, birthdays, family or pet names, or other personal information.

    • Do not use short passwords.

  • Managing passwords:

    • Prevent an attacker from obtaining the encrypted password file.
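The root-plus-attachment structure described above is exactly what a defensive password filter (of the kind a password-change hook runs before accepting a new password) should look for: strip the attachment, undo the usual letter substitutions, and see whether what remains is a common password, a dictionary word or a name. The checker below is an added example, not code from the original notes; its word lists are tiny constructed stand-ins for the lists of thousands of entries the notes mention, and the substitution map and attachment character set are assumptions.

```python
import re

# Constructed miniature lists; a real filter would load the full lists the notes describe.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "football", "princess"}
NAMES = {"michael", "jennifer", "ashley", "daniel"}

# Assumed reverse map for the common letter substitutions.
SUBSTITUTIONS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Root = everything before a trailing run of digits/punctuation (the attachment).
ROOT_ATTACHMENT = re.compile(r"^(.*?)([0-9!?.#*%&]*)$")


def split_root_attachment(password):
    """Return (root, attachment) for a lowercased password."""
    m = ROOT_ATTACHMENT.match(password.lower())
    return m.group(1), m.group(2)


def undo_substitutions(text):
    """Map substituted characters back to the letters they usually replace."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in text)


def weak_reason(password):
    """Why the password would fall to the method in the notes, or None if it would not."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "common password"
    root, attachment = split_root_attachment(lowered)
    for candidate in (root, undo_substitutions(root)):
        if candidate in COMMON_PASSWORDS:
            return "common password plus attachment"
        if candidate in DICTIONARY_WORDS:
            return "dictionary word plus attachment"
        if candidate in NAMES:
            return "name plus attachment"
    return None


def acceptable(password, min_length=8):
    """Combined decision a change-password hook would make."""
    return len(password) >= min_length and weak_reason(password) is None


if __name__ == "__main__":
    for sample in ["P@$$w0rd!", "Summer2023!", "Dr4g0n", "m1chael99",
                   "correct horse battery staple"]:
        print(f"{sample!r}: {weak_reason(sample)}")
```

The point of normalising before comparing is that "P@$$w0rd!" and "Summer2023!" satisfy a conventional complexity policy yet collapse to "password" and "summer" once the substitutions and attachment are removed, while a long passphrase with no dictionary root survives the check.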