On-boarding/off-boarding.
Standard naming convention for user IDs.
Least privilege.
Time-of-day restrictions.
Location-based policies.
User Accounts - issued to users for authentication.
Guest Accounts
Should be disabled by default with minimal privileges and time limits.
Issued on a temporary basis and usually have an expiration date.
Shared and Generic Accounts
No repudiation.
Examples: conference rooms, kiosk computer.
Restrict as much as possible.
Change the names of default system accounts.
Service Accounts
Used by systems/apps
Restrict human use.
Restrict access rights/authorization.
Set a complex password.
Privileged Accounts / Admin Accounts
Each user should have a separate admin account.
Types: Windows Admin & Linux Root.
Run as a general user and only increase privileges as needed.
Windows UAC (User Access Account)
Linux Sudo
Restrict authorization & increase logging.
Time of Day Restrictions
Limits the time of day a user may log onto a system.
Time blocks for permitted access are chosen.
Can be set on individual systems.
Account Expiration
Orphaned accounts: accounts that remain active after an employee has left the organization.
Dormant accounts: not accessed for a lengthy period of time.
Both can be security risks.
Account expiration can be a set date or number of days of inactivity.
Recommendations for dealing with orphaned or dormant accounts:
Establish a formal process.
Terminate access immediately.
Monitor logs.
Orphaned accounts remain a problem in today's organizations.
Password expiration sets a time when the user must create a new password.
Credential Management
Group Policy
Password Policies / Complexity
Expiration
Recovery
Disablement / Locking
Password History
Allows you to configure how many new passwords must be created before an old one can be reused.
This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually.
Reused passwords are sometimes referred to as rotating passwords.
Password Age
Allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password.
It is a good security practice to enforce a password age of 30 to 60 days.
Some companies force users to change their passwords monthly or quarterly.
This interval should be determined based on how critical the information is and on how frequently passwords are used.
Password Length
Allows you to configure the minimum number of characters that must be used in a password.
At minimum, this policy should be configured to 7 or 8 characters.
Password Lockout
Allows you to configure the number of invalid logon attempts that can occur before an account is locked.
Also allows you to configure the number of days that the account remains in this state.
You may want to configure the account lockout policy so that an admin must be contacted to enable the account again.
Password Complexity
Allows you to configure which characters should make up a password to reduce the possibility of dictionary or brute force attacks.
A typically password complexity policy forces a user to incorporate:
Numbers
Letters
Upper & Lower Case
Special Characters
Weakness of passwords is linked to human memory.
Humans can only memorize a limited number of items.
Long, complex passwords are most effective but also the most difficult to memorize.
Users must remember passwords for many different accounts.
Security policies mandate passwords must expire.
Users must repeatedly memorize passwords.
Users often take shortcuts.
Using weak passwords.
Reuse the same password for multiple accounts.
Easier for an attacker who compromises one account to access others.
Creating strong passwords.
Most passwords consist of:
Root
Attachment
Attack Program Method
Tests password against 1000 common passwords.
Combines common pws with common suffixes.
Uses 5000 common dictionary words, 10000 names, 100000 comprehensive dictionary words.
Makes common substitutions for letters in the dictionary words.
General observations to create a strong pw:
Do not use dict or phonetic words, birthdays, fam or pet names, or other personal info.
Do not use short passwords.
Managing passwords:
Prevent an attacker from obtaining the encrypted pw file.