5.3 Implement appropriate security controls when performing account management
Mitigating issues associated with users with multiple accounts/roles
An administrator needs two accounts. The first is a standard account with the same normal privileges every other employee has; it should be used for everyday work. The second is an administrative account configured with only the special privileges needed to perform the assigned administrative function; it should not be used for regular work. This forces the user to employ the correct account for the task at hand. It also limits the amount of time the administrative account is in use and prevents it from being used when administrative access is a risk, for example when the administrator is accessing the internet, opening email or doing general file transfer. For users with multiple roles, each role should have its own administrative user account, so a user may have a single standard account and one or more administrative accounts. This puts an extra burden on the user to keep the authentication for each account distinct. Use of multifactor authentication improves security and prevents a single password from being defined for every account.
Account policy enforcement
Passwords should be strong: eight or more characters, including at least 3 of the character types (uppercase letters, lowercase letters, numerals and keyboard symbols), and they should not contain common words, the user's real name, user name or email address. These requirements can be implemented through account policy enforcement.
Password Complexity: A password policy contains requirements for minimum password length, maximum password age, minimum password age, password history retention and some form of complexity requirement. Passwords are considered strong if they consist of eight or more characters including at least 3 of the character types (uppercase letters, lowercase letters, numerals and keyboard symbols) and do not contain common words, the user's real name, user name or email address.
Expiration: Passwords should automatically expire after a fixed period of time, forcing the user to change them. Commonly this period is 90 days.
Recovery: A password recovery option is not good for security. When a password is forgotten, it should be changed, not recovered. The ability to recover a password requires that the password storage mechanism be reversible.
Length: Password length is an important factor in determining password strength. Passwords of 7 characters can be cracked within a few hours, and 8 to 9 character passwords within a few days to weeks. Passwords of 10 or more characters are tough to crack.
Disablement: Disablement, or account expiration, is an often unused feature that automatically disables a user account at a specific time on a specific day. It can be used for temporary workers or interns whose employment ends on a specific known date. These accounts can be re-enabled and a new expiration date set.
Lockout: If a user tries to log in to an account with the wrong password, the account is locked after a set number of failed login attempts. This is typically set to 3 to 5 failed attempts in 15 minutes. Only an administrator can unlock the account.
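The following is an added example, not part of the original notes, that models the account policy controls listed above in Python. The thresholds (8 characters with 3 of 4 character classes, a 90-day maximum password age, 5 failed attempts within a 15-minute window before lockout, and a fixed disablement date for temporary staff) and the small word list are assumptions chosen to match the text; names such as Account, complexity_errors and demo are invented for the example.

```python
"""Added example: a minimal model of password complexity, expiration,
lockout and account disablement as described in the notes above."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import string

MIN_LENGTH = 8                       # assumed: eight or more characters
MIN_CLASSES = 3                      # assumed: at least 3 of the 4 character types
MAX_AGE = timedelta(days=90)         # assumed: password expires after 90 days
LOCKOUT_THRESHOLD = 5                # assumed: 5 failed attempts ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... within 15 minutes locks the account
# Constructed word list; a real policy would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def complexity_errors(password, username="", real_name="", email=""):
    """Return the list of policy violations; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),   # keyboard symbols
    ]
    if sum(classes) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} character classes")
    low = password.lower()
    if any(w in low for w in COMMON_WORDS):
        errors.append("contains a common word")
    # Reject the user name, each part of the real name, and the e-mail local part.
    personal = [username] + real_name.split() + [email.split("@")[0]]
    if any(p and p.lower() in low for p in personal):
        errors.append("contains user name, real name or e-mail address")
    return errors


@dataclass
class Account:
    username: str
    password_set_at: datetime
    expires_on: Optional[datetime] = None      # disablement date for temporary staff
    failed_logins: List[datetime] = field(default_factory=list)
    locked: bool = False

    def password_expired(self, now):
        """Expiration: the password must be changed once it is older than MAX_AGE."""
        return now - self.password_set_at > MAX_AGE

    def disabled(self, now):
        """Disablement: the account is unusable from expires_on onward."""
        return self.expires_on is not None and now >= self.expires_on

    def record_failed_login(self, now):
        """Lockout: count only failures inside the sliding 15-minute window."""
        self.failed_logins = [t for t in self.failed_logins if now - t <= LOCKOUT_WINDOW]
        self.failed_logins.append(now)
        if len(self.failed_logins) >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked

    def admin_unlock(self):
        """Only an administrator clears the lock and the failure history."""
        self.locked = False
        self.failed_logins = []


def demo():
    """Walk one constructed account through the controls; returns the observed states."""
    created = datetime(2024, 1, 1, 9, 0)
    acct = Account("bob", password_set_at=created, expires_on=datetime(2024, 7, 1))
    lock_states = [acct.record_failed_login(created + timedelta(minutes=i)) for i in range(5)]
    acct.admin_unlock()
    return {
        "lock_states": lock_states,                 # locked on the 5th failure
        "unlocked": not acct.locked,
        "expired_after_120_days": acct.password_expired(created + timedelta(days=120)),
        "expired_after_30_days": acct.password_expired(created + timedelta(days=30)),
        "disabled_in_august": acct.disabled(datetime(2024, 8, 1)),
    }


if __name__ == "__main__":
    print(complexity_errors("alice2024!", username="alice"))
    print(demo())
```

The sliding window in record_failed_login matters: a fixed counter that never decays would eventually lock every account after enough stray typos, while a counter reset on each success would let an attacker interleave guesses; keeping only the failures from the last 15 minutes implements the "N attempts in 15 minutes" wording directly.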
Group Based Privileges
It is the assignment of privileges or access to a resource to all members of a group collectively. This grants every member of the group the same level of access to a specific object. Group-based privileges are common in many operating systems, including Linux and Windows. Each object has 3 types of permissions: those for the owner, those for the owner's group, and those for other users. When using group privileges, it is important to consider whether doing so violates the principle of least privilege.
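As an added illustration that is not part of the original notes, the Python below evaluates owner/group/other permissions the way a Unix-style system does (the most specific class that matches the user decides) and then reports, for each object, which non-owners gain write access through group membership so the least-privilege question in the paragraph above can be answered per object. The users, groups, files and modes are constructed sample data, and the function names are invented for the example.

```python
"""Added example: owner/group/other permission evaluation plus a simple
least-privilege review of group-based grants, over constructed data."""
import stat

# Constructed directory: user -> set of groups the user belongs to
GROUPS = {
    "alice": {"alice", "finance"},
    "bob": {"bob", "finance", "wheel"},
    "eve": {"eve"},
}

# Constructed file table: path -> (owner, group, mode bits)
FILES = {
    "/srv/finance/ledger.csv": ("alice", "finance", 0o640),
    "/etc/shadow": ("root", "shadow", 0o640),
    "/tmp/shared.txt": ("bob", "finance", 0o666),
}

BITS = {"r": 4, "w": 2, "x": 1}


def permitted(user, path, want):
    """True if `user` may perform `want` ('r', 'w' or 'x') on `path`.

    Only the most specific matching class is consulted: an owner gets the
    owner bits even when the group or other bits would grant more."""
    owner, group, mode = FILES[path]
    if user == owner:
        shift = 6                                   # owner triplet
    elif group in GROUPS.get(user, set()):
        shift = 3                                   # group triplet
    else:
        shift = 0                                   # other triplet
    return bool((mode >> shift) & BITS[want])


def who_can(path, want):
    """All known users who can perform `want` on `path`, sorted by name."""
    return sorted(u for u in GROUPS if permitted(u, path, want))


def least_privilege_findings(path):
    """Flags a reviewer would want to see before granting access via a group."""
    owner, group, mode = FILES[path]
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    non_owner_writers = [u for u in who_can(path, "w") if u != owner]
    if non_owner_writers:
        findings.append("non-owners with write access: " + ", ".join(non_owner_writers))
    return findings


if __name__ == "__main__":
    for path in FILES:
        print(path, "readers:", who_can(path, "r"), "findings:", least_privilege_findings(path))
```

Note that bob, although a member of the privileged `wheel` group in the sample data, still cannot read `/etc/shadow`: group-based privileges only help when the object's group matches one of the user's groups, which is exactly why each group grant should be reviewed against the members who actually need the access.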
Copyright © Anand Software and Training Private Limited.