Analyzing risks and identifying threats to accounts:
A user's account determines the actions that user can perform on the system.
Classifying accounts by trust level indicates how much protection each class needs:
Account type          Trust level   Examples
External users        Low           Anonymous users accessing the web server; business partners
Internal staff        Medium        Contract staff; permanent staff
Administrator group   High          System administration rights, services, organizational data
Accounts on the system receive two basic kinds of authorization:
User rights: privileges the system grants an account to perform particular system-level actions (for example: Back up files and directories, Change the system time, Shut down the system).
On Windows, run secpol.msc (Start > Run) to open Local Security Policy; under Local Policies > User Rights Assignment you can see and set which accounts hold each right. On a domain, the same settings live in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Permissions: controlled by the DACL (discretionary access control list) attached to each object, which states who may access a file or folder, or an Active Directory object in a domain, and how (for example: User A has Read/Modify on the C:\Data folder; User B has Full Control over the Business OU).
When assigning permissions, put accounts into groups and grant the permission to the group rather than to individual accounts. This avoids scattering one-off rights across many accounts, and as the number of accounts (local or domain) grows, group-based assignment stays easier to review and therefore more secure.
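The following PowerShell script is an added example, not code from the original article, of the group-based permission assignment recommended above: it creates a local group, adds a member, grants the group Modify on a folder, and then lists the explicit (non-inherited) entries on the folder's DACL so that any per-user entries stand out. The folder C:\Data, the group Data-Editors and the user UserA are assumed names for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): grant folder access to a group,
# not to an individual user. Folder, group and member names are assumptions.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

$Folder    = 'C:\Data'          # assumed folder
$GroupName = 'Data-Editors'     # assumed local group that will hold the permission
$Member    = 'UserA'            # assumed local user who needs Modify on the folder

# 1. Create the group once; afterwards access is managed by membership only.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description "Modify access to $Folder" | Out-Null
}
if (-not (Get-LocalGroupMember -Group $GroupName -Member $Member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $GroupName -Member $Member
}

# 2. Build one ACE for the group: Modify, inherited by subfolders and files.
#    The string arguments are converted to the FileSystemRights, InheritanceFlags,
#    PropagationFlags and AccessControlType enums by PowerShell.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $GroupName, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $Folder
$acl.SetAccessRule($rule)      # replaces any existing Allow entry for this group
Set-Acl -Path $Folder -AclObject $acl

# 3. Review: explicit entries on the folder. In a group-based scheme every
#    IdentityReference here should be a group (or a built-in principal), never a person.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

To add or remove someone's access later, change the group membership with Add-LocalGroupMember / Remove-LocalGroupMember; the folder's ACL does not need to be touched again.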
Weaknesses in account management give an attacker an opening:
Password:
Weak passwords: too short, drawn from a simple character set, or built from guessable material such as a date of birth, film titles, place names or famous characters.
Reusing the same password for several accounts; sticking the password on the monitor or keyboard; saving it in an unprotected text file.
Sharing your system password with colleagues.
Privilege allocation:
Granting Administrator privileges to ordinary users.
Running system services under ordinary user accounts instead of dedicated service accounts.
Granting an account user rights it does not need.
Account usage:
Logging on with an Administrators account to perform everyday tasks.
Creating user accounts that are able to grant administrative rights to other accounts.
Leaving enabled accounts that are no longer used (for example, accounts of employees who have retired but that still exist on the system).
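The following PowerShell script is an added example, not part of the original article, that audits a single machine for the privilege-allocation and account-usage weaknesses listed above: it prints the members of the local Administrators group, the services that run under an ordinary user account rather than a built-in or service identity, and the enabled local accounts that have not logged on for a configurable number of days. The 90-day threshold and the list of built-in service identities are assumptions. It only reads; run it from an elevated prompt so that all services and accounts are visible.

```powershell
# Added example (not from the original article): read-only audit of a local
# machine for the three account loopholes above. Threshold is an assumption.

$StaleDays = 90   # assumed: an enabled account unused for this long is flagged

# 1. Privilege allocation: who holds local Administrators membership?
#    Every entry should be a justified admin account or group, never a daily-use account.
Write-Host "== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Services that run as an ordinary account. The built-in service identities
#    (LocalSystem, LocalService, NetworkService), virtual accounts (NT SERVICE\...)
#    and managed service accounts (names ending in $) are excluded; anything left
#    is a personal or shared user account whose password is stored by the SCM.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
Write-Host "== Services running under a user account =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtin -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*') -and
        ($_.StartName -notlike '*$')
    } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

# 3. Account usage: enabled local accounts unused for $StaleDays days, or never used.
#    Candidates for disabling (and later removal) after confirming with the owner.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Write-Host "== Enabled local accounts unused for $StaleDays days =="
Get-LocalUser |
    Where-Object { $_.Enabled -and ((-not $_.LastLogon) -or ($_.LastLogon -lt $cutoff)) } |
    Select-Object Name, LastLogon, PasswordLastSet | Format-Table -AutoSize
```

On a domain the same questions are answered with Get-ADGroupMember on Domain Admins and Get-ADUser filtered on Enabled and LastLogonDate (ActiveDirectory module), and service accounts found in step 2 should be converted to group managed service accounts where the service supports them.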
Designing a password policy to protect accounts:
A password policy is one of the main factors in protecting accounts. On Windows these settings sit under Account Policies > Password Policy and Account Lockout Policy in Local Security Policy (secpol.msc), or in the domain's Group Policy. The policy includes the following key elements:
Maximum password age: how long a password may be used before the user must change it. Periodic changes limit how long a stolen password remains useful.
Minimum password age: how long a password must be kept before the user is allowed to change it again. The administrator typically sets this to a few days, so that a user cannot cycle through several changes and immediately return to an old password.
Enforce password history: the number of distinct passwords that must be used before an old one can be reused. The larger the history, the less useful password recycling is.
Minimum password length: the longer the required length, the safer.
Password must meet complexity requirements: strength comes not only from length but from the variety of characters (compare "password" with "P@ssW0rd"). When this setting is on, Windows requires characters from at least three of the four classes (uppercase, lowercase, digits, non-alphanumeric) and rejects passwords that contain the account name.
When choosing a complex password, take care to:
Not use your first or last name.
Use at least 6 characters (the minimum; longer is better).
Mix uppercase (A-Z), lowercase (a-z), digits (0-9) and special characters such as ! @ # $ % ^ & * ( ).
Account lockout: the account is locked for a set period after a set number of failed logon attempts within a time window. The purpose is to stop brute-force (password-guessing) attacks against accounts. Note that lockout can also be turned against you: an attacker who knows account names can lock legitimate users out by deliberately failing logons, so pair a sensible threshold with a finite lockout duration rather than locking accounts permanently.
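The following PowerShell script is an added example, not part of the original article, showing how the password and lockout settings described above are exported with secedit, compared against a baseline, and (optionally) applied. The baseline numbers (12-character minimum, 24-password history, 90-day maximum age, 1-day minimum age, 5 attempts, 30-minute lockout and counter reset) are assumptions chosen for illustration, not the article's figures; replace them with your organization's policy. The key names are the ones secedit uses in the [System Access] section of its .inf files. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): export the local password and
# lockout policy with secedit, compare it with a baseline, optionally enforce it.
# Baseline values are assumptions; key names are secedit's [System Access] keys.
# Ages are in days, LockoutDuration and ResetLockoutCount in minutes,
# PasswordComplexity 1 = "Password must meet complexity requirements".

$Baseline = [ordered]@{
    MinimumPasswordLength = 12
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 90
    MinimumPasswordAge    = 1
    LockoutBadCount       = 5
    LockoutDuration       = 30
    ResetLockoutCount     = 30
}

# 1. Export the current local security policy to an .inf file.
$export = Join-Path $env:TEMP 'secpol-current.inf'
secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null

# 2. Parse the [System Access] section (Key = Value lines) into a hashtable.
$current   = @{}
$inSection = $false
foreach ($line in Get-Content $export) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $current[$Matches[1]] = [int]$Matches[2]
    }
}

# 3. Compare. For the two "at most" settings a value of 0 (or -1 for the maximum
#    age) means "never", which is a failure, not a pass. Missing keys fail too.
$findings = foreach ($k in $Baseline.Keys) {
    $have = $current[$k]
    $ok = switch ($k) {
        'MaximumPasswordAge' { ($have -gt 0) -and ($have -le $Baseline[$k]) }
        'LockoutBadCount'    { ($have -gt 0) -and ($have -le $Baseline[$k]) }
        default              { ($null -ne $have) -and ($have -ge $Baseline[$k]) }
    }
    [pscustomobject]@{ Setting = $k; Current = $have; Required = $Baseline[$k]; OK = $ok }
}
$findings | Format-Table -AutoSize

# 4. Enforce the baseline (uncomment to apply). secedit /configure merges the
#    .inf into the local policy database; on a domain member, domain GPOs win.
# $fix = Join-Path $env:TEMP 'secpol-baseline.inf'
# @('[Unicode]', 'Unicode=yes', '[System Access]') +
#   ($Baseline.GetEnumerator() | ForEach-Object { "$($_.Key) = $($_.Value)" }) +
#   @('[Version]', 'signature="$CHICAGO$"', 'Revision=1') | Set-Content $fix
# secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $fix /areas SECURITYPOLICY
```

A typical out-of-the-box export shows MinimumPasswordLength = 0, PasswordHistorySize = 0 and LockoutBadCount = 0, which is exactly the weak configuration the list above warns against; the report makes those rows visible as OK = False before anything is changed.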
These are the core issues in creating and managing accounts securely enough to meet the strict requirements of an organization's information-security policy. The security administrator should never be negligent or indifferent here, because accounts are the first 'entry point' attackers prioritize when probing for and exploiting weaknesses in a system.
Article posted:
How to secure an organization's computers - Part I
New Horizons VietNam (New Horizons Computer Learning Centers)
Ho Viet Ha
Instructor Team Leader
Email: hvha@newhorizons.com.vn