COMPUTER SAFETY


Please read the following article written by KLC Consulting and compare its policies to the policies you have at work now, or have had in the past. Explain why password policies are good and how they can be manipulated. If a business has a strict account and password management policy in place, does that make it safe? Why or why not? Find an article online that reported a network or data security breach; how did it impact the company?

KLC Consulting, Inc.

IS / IT Security Services

Here are some recommendations on your user account and password management.  Keep in mind that your security policies depend strictly on your business requirements!  Security and performance move inversely – the higher the security measures, the lower the performance and efficiency.

  1. Rename the default administrator account Administrator to something harder to guess. This will prevent people from guessing your administrator account name. Make sure you remember the new administrator account name and password: you will need to log in as the local administrator to make any changes to the computer configuration and to install hardware and software.

     After you have renamed the administrator account, you should no longer see an account named Administrator.

     Next, create a decoy account. Create a new user called Administrator and make sure it does NOT belong to any groups. In other words, when you click on the Member of tab in the user properties in the User Management window, you should not see any groups listed. If you do, remove them. This makes sure the decoy account named Administrator has no access to the server.

     If you have auditing for logon/logoff events turned on, you will be able to detect any logon/logoff activity by the decoy Administrator account. You can detect these activities by using Event Viewer to check the Security log. This will give you some indication of hacking activity.

  2. Make sure the passwords for the Administrator and regular user accounts are changed every 30 – 90 days to increase server security.

  3. Password policies on Windows 2000 should be changed from the default settings.

Here are the default password policy settings:

Policy                                                                  Default value
Enforce password history                                                1 passwords remembered
Maximum password age                                                    42 days
Minimum password age                                                    0 days
Minimum password length                                                 0 characters
Passwords must meet complexity requirements                             Disabled
Store password using reversible encryption for all users in the domain  Disabled


Here are the default account lockout policy settings:

Policy                                   Default value
Account lockout duration                 Not defined
Account lockout threshold                0 invalid logon attempts
Reset account lockout counter after      Not defined


Here are some suggested settings for the password policy:

MS = Microsoft     NSA = National Security Agency     SANS = SANS Institute     NIST = National Institute of Standards and Technology

Enforce password history
    Rec. value:  12 passwords remembered
    Reason:      Users cannot re-use passwords from the past 3 years.

Maximum password age
    Ref. values: MS: 42     NSA: 42     SANS: 45-90     NIST: 90
    Rec. value:  90 days
    Reason:      Users must change passwords within 90 days. Usually between 30 – 90 days; the system administrator can decide a reasonable value.

Minimum password age
    Ref. values: MS: 2     NSA: 2     SANS: 1 – 5     NIST: 1
    Rec. value:  1 day
    Reason:      Users can't reset their password again within 1 day. This will prevent intruders from constantly trying different passwords.

Minimum password length
    Ref. values: MS: 8     NSA: 12     SANS: 8     NIST: 8
    Rec. value:  8 characters
    Reason:      Usually between 6 – 12 characters; 6-8 characters is a more common length.

Passwords must meet complexity requirements
    Rec. value:  Disabled (you decide)
    Reason:      If enabled with the default passfilt.dll:
      • Passwords must be at least six characters long.
      • Passwords can't contain the user name. For example, if a user's account is bobm, he can't set his password as bobm or bobxxx.
      • Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols (+, =, _, *, &, ...).

Store password using reversible encryption for all users in the domain
    Rec. value:  Disabled (you decide)
    Reason:      Usually not set. Learn more from the Microsoft link below.
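The following is an added example, not code from the KLC Consulting article or from Microsoft: it encodes the recommended password policy values from the table above as a small checker so you can see exactly which rule a proposed password change would trip. The policy object, the `bobm` user and the sample passwords are constructed for the example; the complexity check approximates the three passfilt.dll rules listed in the table, and the history is kept as SHA-256 hashes only to avoid storing plaintext (Windows uses its own hash formats).

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    # Recommended values from the table above (assumed defaults for this example).
    history_size: int = 12      # Enforce password history
    max_age_days: int = 90      # Maximum password age
    min_age_days: int = 1       # Minimum password age
    min_length: int = 8         # Minimum password length
    complexity: bool = True     # Passwords must meet complexity requirements


def password_hash(password: str) -> str:
    # Illustrative only: Windows stores its own hash formats, not SHA-256.
    # The point is merely that the history never holds plaintext passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_problems(username: str, password: str) -> list[str]:
    """Approximate the three passfilt.dll rules listed in the table."""
    problems = []
    if len(password) < 6:
        problems.append("complexity: shorter than 6 characters")
    if username and username.lower() in password.lower():
        problems.append("complexity: contains the user name")
    character_types = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols such as + = _ * &
    ]
    if sum(character_types) < 3:
        problems.append("complexity: uses fewer than 3 of the 4 character types")
    return problems


def check_password_change(policy: PasswordPolicy, username: str, new_password: str,
                          history: list[str], last_changed: Optional[datetime],
                          now: datetime) -> list[str]:
    """Return every policy rule the proposed change violates (empty list = allowed).

    `history` holds hashes of the user's earlier passwords, oldest first.
    """
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"minimum length: fewer than {policy.min_length} characters")
    if policy.complexity:
        problems.extend(complexity_problems(username, new_password))
    # Enforce password history: none of the last N passwords may be reused.
    if password_hash(new_password) in history[-policy.history_size:]:
        problems.append(f"history: reuses one of the last {policy.history_size} passwords")
    # Minimum password age: the current password must stay in place for N days first.
    if last_changed is not None and now - last_changed < timedelta(days=policy.min_age_days):
        problems.append(f"minimum age: changed less than {policy.min_age_days} day(s) ago")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """Maximum password age: True once the password is older than the limit."""
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    now = datetime(2001, 3, 5, 12, 0)            # constructed timestamp
    history = [password_hash("Old-Pass-2000")]  # constructed password history
    for candidate in ("Tr0ub4dor!", "bobm2001", "Short1!", "Old-Pass-2000"):
        print(candidate, check_password_change(policy, "bobm", candidate, history, None, now))
```

Running the block shows that `bobm2001` fails two complexity rules at once (it contains the user name and uses only two character types), while `Short1!` is perfectly complex but still rejected by the 8-character minimum; the two settings are independent, which is why the table recommends both.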

 

Here are some suggested settings for the account lockout policy:

Account lockout duration
    Ref. values: MS: 0 (indefinite)     NSA: 15     SANS: 240     NIST: 15
    Rec. value:  15 minutes
    Reason:      You must pre-determine the system administration costs to justify this value. You can set it to 30 minutes to automatically remove the lockout for accounts; however, most legitimate users will call you anyway when they get locked out. Note: a value of 0 means lock out indefinitely. 99999 minutes is the maximum allowed for this policy.

Account lockout threshold
    Ref. values: MS: 5     NSA: 3     SANS: 5     NIST: 3
    Rec. value:  3 invalid logon attempts
    Reason:      Legitimate users should not need more than 3 tries to get the right password. If they do, the account gets locked out, and the system administrator can investigate further to find the reason for the lockout. If many legitimate users are getting locked out, then either this value should be adjusted, or someone may be trying to guess passwords to get into the network. 3 attempts is a common value for this policy.

Reset account lockout counter after
    Ref. values: MS: 30     NSA: 15     SANS: 240     NIST: 15
    Rec. value:  15-30 minutes
    Reason:      The time that must pass before the counter of bad password attempts is reset. 15 – 30 minutes is usually sufficient. After this time, the counter for bad password attempts resets to 0. For example, if this value is set to 15 minutes and a user tried 2 bad passwords to log on to his account at 12:00 PM, Windows 2000 has a counter remembering that he has 2 bad password attempts; at 12:16 PM this counter will have been reset to 0.
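The three lockout settings only make sense together, so here is an added example (my own code, not the article's or Microsoft's) that models how they interact for one account: the threshold counts bad passwords, the reset window throws a stale count away, and the duration decides when a locked account opens again (with 0 meaning it stays locked until an administrator unlocks it). The recommended values from the table are used as the defaults; the `bobm` account and the timestamps are constructed so the 12:00 PM / 12:16 PM example from the table can be replayed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    # Recommended values from the table above (assumed defaults for this example).
    threshold: int = 3                               # Account lockout threshold (0 = never lock out)
    reset_after: timedelta = timedelta(minutes=15)   # Reset account lockout counter after
    duration: timedelta = timedelta(minutes=15)      # Account lockout duration (0 = indefinite)


class AccountLockoutTracker:
    """Models how the three lockout settings interact, per account."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._bad_attempts: dict[str, tuple[int, datetime]] = {}  # account -> (count, last bad attempt)
        self._locked_until: dict[str, Optional[datetime]] = {}    # account -> unlock time (None = indefinite)

    def bad_attempt_count(self, account: str, now: datetime) -> int:
        """Current bad-password counter, honouring the 'reset counter after' window."""
        count, last = self._bad_attempts.get(account, (0, None))
        if last is None or now - last >= self.policy.reset_after:
            return 0  # the window has passed: Windows forgets the earlier attempts
        return count

    def is_locked(self, account: str, now: datetime) -> bool:
        if account not in self._locked_until:
            return False
        until = self._locked_until[account]
        if until is None:      # duration 0: locked until an administrator unlocks it
            return True
        if now >= until:       # lockout duration elapsed: unlocked automatically
            del self._locked_until[account]
            return False
        return True

    def unlock(self, account: str) -> None:
        """An administrator manually clears the lockout."""
        self._locked_until.pop(account, None)

    def record_bad_password(self, account: str, now: datetime) -> bool:
        """Register one failed logon; return True if this attempt locks the account."""
        count = self.bad_attempt_count(account, now) + 1
        self._bad_attempts[account] = (count, now)
        if self.policy.threshold and count >= self.policy.threshold:
            indefinite = self.policy.duration == timedelta(0)
            self._locked_until[account] = None if indefinite else now + self.policy.duration
            self._bad_attempts.pop(account, None)   # the counter starts fresh after a lockout
            return True
        return False

    def record_good_password(self, account: str) -> None:
        """A successful logon clears the bad-password counter."""
        self._bad_attempts.pop(account, None)


if __name__ == "__main__":
    noon = datetime(2001, 3, 5, 12, 0)   # constructed timestamp
    tracker = AccountLockoutTracker(LockoutPolicy())
    tracker.record_bad_password("bobm", noon)
    tracker.record_bad_password("bobm", noon + timedelta(minutes=1))
    print("12:01 counter:", tracker.bad_attempt_count("bobm", noon + timedelta(minutes=1)))
    print("12:16 counter:", tracker.bad_attempt_count("bobm", noon + timedelta(minutes=16)))
```

Two bad passwords at 12:00 and 12:01 leave the counter at 2; by 12:16 the 15-minute reset window has passed and the same query reports 0, exactly as the table describes. Three bad passwords inside the window lock the account, and with the recommended 15-minute duration the lock clears by itself, which is the trade-off the "duration" row is asking you to price against help-desk calls.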

 

For more information on these settings, see the Microsoft article "Creating User and Group Accounts".

4.     Make sure users do NOT write down their passwords and post them on the computer monitor, keyboard, or under the desk. You may laugh, but if you check your users, you will be surprised at the number who do this. If they do need to write down their password for whatever reason, make sure the passwords are stored in a secure location, e.g. a locked drawer.

5.     Make sure users do NOT share passwords with other people.

6.     Make sure users do NOT reveal passwords to anyone other than the system administrators and people delegated by the system administrators.

7.     Enable logging for successful and failed logon/logoff events. This shows you the activity on your system.
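Turning the logging on is only useful if someone looks at it, so here is an added example (my own code, not the article's) of the two checks worth running over an exported Security log: any logon-related event naming the decoy Administrator account from step 1, which nobody legitimate should ever use, and any account whose failed logons reach the lockout threshold inside the reset window. The event IDs are the real Windows 2000 logon-audit IDs (528/540 success, 529 failure, 538 logoff) with their Vista-and-later equivalents alongside; the comma-separated export format and the log lines themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs for logon auditing (what Event Viewer shows
# once logon/logoff auditing is enabled). The 4xxx values are the equivalents on
# Windows Vista and later, included so the same check works on newer exports.
SUCCESSFUL_LOGON = {528, 540, 4624}
FAILED_LOGON = {529, 4625}
LOGOFF = {538, 4634}

# Constructed sample export (timestamp, event ID, account, source), not real log data.
SAMPLE_LOG = """\
2001-03-05 12:00:02,528,jsmith,WS01
2001-03-05 12:03:11,529,Administrator,10.0.0.23
2001-03-05 12:03:14,529,Administrator,10.0.0.23
2001-03-05 12:03:18,529,Administrator,10.0.0.23
2001-03-05 12:03:25,528,Administrator,10.0.0.23
2001-03-05 12:05:00,529,bobm,WS02
2001-03-05 12:40:00,529,bobm,WS02
2001-03-05 12:41:30,528,bobm,WS02
2001-03-05 13:10:00,538,jsmith,WS01
"""


def parse_security_log(text: str) -> list[dict]:
    """Parse the constructed CSV export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, source = line.split(",")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def decoy_account_activity(events: list[dict], decoy: str = "Administrator") -> list[dict]:
    """Every logon-related event for the decoy account.

    Nobody legitimate uses the decoy, so any entry is worth a look; a *successful*
    logon means its password was found and the account needs checking at once.
    """
    watched = SUCCESSFUL_LOGON | FAILED_LOGON | LOGOFF
    return [e for e in events
            if e["account"].lower() == decoy.lower() and e["event_id"] in watched]


def repeated_failures(events: list[dict], threshold: int = 3,
                      window: timedelta = timedelta(minutes=15)) -> dict[str, int]:
    """Accounts whose failed logons reached `threshold` inside any `window`.

    This is the same condition that trips the recommended lockout policy
    (3 attempts, 15-minute counter), reconstructed from the log after the fact.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON:
            failures[e["account"]].append(e["time"])
    flagged = {}
    for account, times in failures.items():
        times.sort()
        # Slide a window from each failure and keep the densest cluster.
        best = max(sum(1 for t in times[i:] if t - start < window)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    events = parse_security_log(SAMPLE_LOG)
    for e in decoy_account_activity(events):
        kind = "SUCCESSFUL LOGON" if e["event_id"] in SUCCESSFUL_LOGON else "event"
        print(f"decoy account {kind} {e['event_id']} at {e['time']} from {e['source']}")
    print("accounts at lockout threshold:", repeated_failures(events))
```

On the sample export the decoy shows three failures and then a success from the same source within 15 seconds, which is the pattern the decoy exists to catch, while `bobm`'s two failures are 35 minutes apart and fall outside the 15-minute window, so they are reported as ordinary typos rather than guessing.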

8.     If you are a system administrator in a business environment, make sure you set the local administrator account password on the desktop users' machines yourself. Users should NOT know the password for the local administrator account.

If you are a home user, make sure you have a strong password for your Administrator account.
