May 4, 2008

User Security Issues

User Education

  • Use caution when opening e-mail. Do not open messages or attachments from unknown senders.
  • Make users aware that attackers disguise executable files as text files or other harmless-looking file types, for example with a double extension such as "readme.txt.exe", which Windows Explorer displays as "readme.txt" when extensions for known file types are hidden.
  • Educate users not to reuse their work passwords on internet sites, which may send those passwords over unsecured connections.

Password Policies

  • Logon passwords must be changed at least every 90 days (30-60 days recommended).
  • Minimum password age: 5 days, so that a user cannot cycle through the password history and immediately return to an old password.
  • Passwords must be at least 8 characters long and contain at least two digits.
  • On Windows domain networks, open the "Domain Security Policy" tool and select "Security Settings", "Account Policies", "Password Policy". Enable the "Password must meet complexity requirements" rule. With it enabled, a password must not contain the user's account name or full name and must include at least one character from three of the following categories (Windows also counts other Unicode letters, such as those of Asian scripts, as a fifth category):
    • lowercase letters
    • uppercase letters
    • numbers
    • special characters such as !@#$%^&*(){}[]
  • Passwords must be kept secret and not written down.
  • Do not let programs save passwords.
  • Lock the account after 3 failed logon attempts within 15 minutes.
  • A locked-out account should stay locked until an administrator resets it (lockout duration of 0), rather than unlocking itself after a timer.
  • Clear text passwords that allow access to sensitive information must never be sent over an unsecured network such as the internet.
  • Clear text passwords that allow access to sensitive information should be avoided even on the internal network. This means FTP, which sends the user name and password unencrypted, should not be used unless tunnelled over a VPN. SFTP or SCP over Secure Shell (SSH) perform the same file-transfer function with the whole session, password included, encrypted.
  • Passwords should not be stored using reversible encryption; the "Store passwords using reversible encryption" setting should remain disabled, since it is equivalent to storing the passwords in clear text.
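The following PowerShell script is an added example and is not part of the original post. It audits a domain's default password and lockout settings against the values in the list above using the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet, and includes a Test-PasswordComplexity function that applies the complexity rule as described above (the four categories plus the Windows check that the password does not contain the account name; Windows' fifth category of other Unicode letters is omitted). The function names, the $Expected thresholds, the sample passwords and the commented-out Set-ADDefaultDomainPasswordPolicy call are assumptions, not something the post supplies. Run it on a domain-joined machine with RSAT installed and rights to read the policy.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session with rights to read the policy.
Import-Module ActiveDirectory

# Thresholds taken from the post's Password Policies list (assumed names).
$Expected = @{
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    MaxPasswordAgeDays          = 90      # 30-60 recommended
    MinPasswordAgeDays          = 5
    LockoutThreshold            = 3
    LockoutObservationWindowMin = 15
    LockoutDurationMin          = 0       # 0 = locked until an administrator unlocks it
    ReversibleEncryptionEnabled = $false
}

function Test-DomainPasswordPolicy {
    # Compares one policy object (from Get-ADDefaultDomainPasswordPolicy) with
    # $Expected and returns one string per deviation; no output means compliant.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()

    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength), want >= $($Expected.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Password complexity requirements are disabled"
    }
    # 'Passwords never expire' shows up as a zero or extreme TimeSpan; both fail here.
    $maxAge = $Policy.MaxPasswordAge.TotalDays
    if ($maxAge -le 0 -or $maxAge -gt $Expected.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $maxAge days, want 1-$($Expected.MaxPasswordAgeDays)"
    }
    if ($Policy.MinPasswordAge.TotalDays -lt $Expected.MinPasswordAgeDays) {
        $findings += "MinPasswordAge is $($Policy.MinPasswordAge.TotalDays) days, want >= $($Expected.MinPasswordAgeDays)"
    }
    # LockoutThreshold 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold), want 1-$($Expected.LockoutThreshold)"
    }
    if ($Policy.LockoutObservationWindow.TotalMinutes -lt $Expected.LockoutObservationWindowMin) {
        $findings += "LockoutObservationWindow is $($Policy.LockoutObservationWindow.TotalMinutes) min, want >= $($Expected.LockoutObservationWindowMin)"
    }
    if ($Policy.LockoutDuration.TotalMinutes -ne $Expected.LockoutDurationMin) {
        $findings += "LockoutDuration is $($Policy.LockoutDuration.TotalMinutes) min, want 0 (administrator must unlock)"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Passwords are stored using reversible encryption"
    }
    return $findings
}

function Test-PasswordComplexity {
    # Applies the post's rule to a candidate password: 8+ characters, at least
    # two digits, characters from 3 of the 4 categories, and (as Windows also
    # requires) no occurrence of the account name. Returns $true or $false.
    param([Parameter(Mandatory)] [string] $Password, [string] $UserName = '')
    $categories = 0
    if ($Password -cmatch '[a-z]')        { $categories++ }   # -cmatch is case-sensitive
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $categories++ }
    $digits = [regex]::Matches($Password, '[0-9]').Count
    $ok = ($Password.Length -ge 8) -and ($digits -ge 2) -and ($categories -ge 3)
    # -match is case-insensitive, matching Windows' account-name check.
    if ($UserName -and ($Password -match [regex]::Escape($UserName))) { $ok = $false }
    return $ok
}

# Audit the live domain policy and print the deviations.
$result = @(Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy))
if ($result.Count -eq 0) { "Domain password policy matches the checklist." } else { $result }

# Sanity checks for the complexity rule (constructed sample passwords).
Test-PasswordComplexity -Password 'Summer2008'  -UserName 'jsmith'   # 3 categories, 4 digits: True
Test-PasswordComplexity -Password 'jsmith2008!' -UserName 'jsmith'   # contains the account name: False
Test-PasswordComplexity -Password 'password1'   -UserName 'jsmith'   # 2 categories, 1 digit: False

# To enforce the checklist (Domain Admin rights required), uncomment:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
#     -MinPasswordLength 8 -ComplexityEnabled $true `
#     -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 5) `
#     -LockoutThreshold 3 -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
#     -LockoutDuration (New-TimeSpan -Minutes 0) -ReversibleEncryptionEnabled $false
```

The audit reads the domain's default policy, which is what the "Domain Security Policy" tool edits; fine-grained password policies applied to specific groups (Windows Server 2008 and later) are not covered and would need Get-ADFineGrainedPasswordPolicy.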

Account Policy

  • Disconnect remote users from NT domain servers after 1-4 hours of inactivity. This keeps idle sessions from staying open after business hours, so an attacker cannot use an already authenticated session to launch an attack. It also closes open files so the tape backup program can back them up; files that are still open when the backup runs are skipped.
  • Set the account policy "Users must log on in order to change password", so that a user whose password has expired must have an administrator reset it rather than setting a new one at the logon prompt.

Server Policies on Windows Domains

  • Don't rename the Administrator account, but don't allow it to access the domain controller(s) from the network: in the domain controllers' security policy, under User Rights Assignment, add it to "Deny access to this computer from the network". Create a separate account with the same or similar privileges for day-to-day administration and give that account network access to the domain controllers. Since the built-in account then has no legitimate network use, any attempt to log on to it over the network can be flagged as an attempted security violation. Renaming would not hide the account anyway, because its relative identifier (RID 500) is well known and can be looked up.
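The following PowerShell function is an added example and is not part of the original post. It performs the flagging described above on a domain controller running Windows Server 2008 or later: it reads failed logons (Security event 4625) from the last 24 hours and returns those where the target was the Administrator account and the logon type was 3 (network). On Windows NT 4 and Server 2003 the equivalent failure events are 529 and 534, which this code does not read. The function name, the look-back window and the default account name are assumptions. Run it in an elevated session on the domain controller.

```powershell
# Added example, not from the original post. Run elevated on a domain
# controller (Windows Server 2008 or later; event 4625 does not exist on NT 4 / 2003).
function Get-AdminNetworkLogonFailures {
    param(
        [string] $Account = 'Administrator',   # assumed: built-in account was not renamed
        [int]    $Hours   = 24                 # assumed look-back window
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events were found" as an error; suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML into a hashtable.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        # Logon type 3 is a network logon (SMB, RPC, remote registry and so on).
        if ($data['TargetUserName'] -eq $Account -and $data['LogonType'] -eq '3') {
            [pscustomobject] @{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                # 0xC000006D = bad user name or password; 0xC000015B = logon type not
                # granted (the "Deny access from the network" right did its job);
                # 0xC0000234 = account locked out.
                Status      = $data['Status']
            }
        }
    }
}

# Example run: one line per attempt, grouped by source so repeat offenders stand out.
Get-AdminNetworkLogonFailures | Sort-Object SourceIp, Time | Format-Table -AutoSize
```

Because the deny right blocks the logon before the password is checked, a flood of 0xC000015B results from one source is a password-guessing attempt that failed by policy rather than by bad password, and is worth following up on all the same.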
