Security controls for account management.

PACE-IT, Security + 5.3: Security Controls for Account Management


Page 1

Security controls for account management.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting

Industry Certification

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Page 3

Security controls for account management.

– Managing group and user accounts.

– Account policy enforcement concepts.

PACE-IT.

Page 4

Managing group and user accounts.

Page 5

Managing group and user accounts.

The problem with individualized user account privileges is that they quickly become difficult to manage and control.

The complexity of this type of network account management just about guarantees that mistakes will happen and security will be compromised. Within smaller organizations and networks it may be possible to create custom privileges for individual accounts, but it is not a network security best practice.

The network security best practice is to create individual user accounts, and then to assign the users to groups that have privileges within the network. Group privileges are easier to track and control. Additionally, managing account authorization via groups is less prone to error.


Page 6

Managing group and user accounts.

– Multiple accounts.
  » In most cases, it is a best practice to avoid this.
    • Each user should be assigned to a single user account—for security and accountability reasons.
    • Although this should rarely be done, an exception can be made when system administrators are also responsible for performing non-administrative network tasks.

– Shared accounts.
  » As a best practice, this should never be done.
    • Each user should have his or her own account, which is never shared; if the account is shared, accountability is lost.

– User assigned privileges.
  » The best practice is to not assign individuals any privileges.
    • If a user has complex job duties that don’t fall within a single group’s privileges, the user can be assigned to additional groups.


Page 7

Managing group and user accounts.

– Group assigned privileges.
  » The best practice is to create group privileges based on the principle of least privilege—the minimum level of access that is required in order to get the job done.
    • Specialized privileges can be assigned to groups, and the personnel who require those privileges can be assigned to the groups.

– Continuous monitoring.
  » User access reviews should be performed on a regular basis.
    • A review checks the level of access that users have to the system to help ensure that the levels are correct.
  » Implement auditing on groups and accounts to track employee actions within the system.
    • Audit logs then need to be reviewed on a regular basis to help ensure that security is being maintained.


Page 8

Account policy enforcement concepts.

Page 9

Account policy enforcement concepts.

– Group policies.
  » Should be used to deploy and distribute all security settings on all servers and clients on the network.
    • As a best practice, groups should be established under the principle of least privilege.

– Credentials management.
  » A central credentials management tool and policy tool should be used to manage account credentials.
    • This includes how frequently passwords must be changed.

– Disablement policies.
  » All unused or unnecessary accounts should be disabled.
    • Accounts of employees on leave or vacation should also be disabled.

– Generic accounts.
  » Shared or generic accounts should be prohibited.
    • These types of accounts increase the difficulty of auditing user actions on the network and represent a security threat.
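The following script is an added example and is not part of the PACE-IT material. It turns the account-management rules from pages 6, 7 and 9 into a periodic user access review: privileges are attached to groups only and a user's effective access is resolved through group membership, while the review flags directly assigned privileges, shared or generic accounts, one person holding several accounts without the administrator exception, and enabled accounts that should be disabled because they are unused or the employee is on leave. The group names, privilege names, the 90-day "unused" threshold and the whole account inventory are constructed for the example.

```python
"""Access review over a constructed account inventory (added example, not
PACE-IT material).

Privileges are attached to groups only; a user holds a privilege by being a
member of a group. The review flags what the slides say to avoid: privileges
assigned directly to a user, shared or generic accounts, one person holding
several accounts without the admin exception, and enabled accounts that
should be disabled (unused, or the employee is on leave).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Group -> privileges, built under least privilege: each role gets only the
# access its job needs. Group and privilege names are constructed.
GROUPS = {
    "staff": {"read_shared"},
    "finance": {"read_shared", "post_ledger"},
    "helpdesk": {"read_shared", "reset_password"},
    "domain_admins": {"read_shared", "manage_servers", "manage_accounts"},
}
ADMIN_GROUP = "domain_admins"   # the one case where a second account is allowed


@dataclass
class Account:
    name: str
    owners: list                       # people who know the credential
    groups: list
    direct_privileges: set = field(default_factory=set)  # should stay empty
    last_login: date = None
    on_leave: bool = False
    enabled: bool = True


def effective_privileges(acct):
    """Union of the account's groups' privileges plus any direct grants."""
    privs = set(acct.direct_privileges)
    for g in acct.groups:
        privs |= GROUPS.get(g, set())
    return privs


def review_accounts(accounts, today, stale_after=timedelta(days=90)):
    """Periodic user access review; returns finding category -> sorted names."""
    findings = {
        "direct_privileges": [],   # user-assigned privileges: move them to a group
        "shared_or_generic": [],   # no single accountable owner
        "multiple_accounts": [],   # one person, several accounts, no admin role
        "disable_unused": [],      # enabled but not used within stale_after
        "disable_on_leave": [],    # enabled while the employee is on leave
        "unknown_group": [],       # member of a group with no defined privileges
    }
    by_owner = {}
    for a in accounts:
        if a.direct_privileges:
            findings["direct_privileges"].append(a.name)
        if len(a.owners) != 1:
            findings["shared_or_generic"].append(a.name)
        if a.enabled and (a.last_login is None or today - a.last_login > stale_after):
            findings["disable_unused"].append(a.name)
        if a.enabled and a.on_leave:
            findings["disable_on_leave"].append(a.name)
        if any(g not in GROUPS for g in a.groups):
            findings["unknown_group"].append(a.name)
        for person in a.owners:
            by_owner.setdefault(person, []).append(a)
    for person, owned in by_owner.items():
        if len(owned) > 1 and not any(ADMIN_GROUP in a.groups for a in owned):
            findings["multiple_accounts"].append(person)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed inventory that exercises each finding category
TODAY = date(2024, 6, 1)


def days_ago(n):
    return TODAY - timedelta(days=n)


ACCOUNTS = [
    Account("alice", ["Alice"], ["staff", "finance"], last_login=days_ago(3)),
    Account("bob", ["Bob"], ["staff"], direct_privileges={"post_ledger"}, last_login=days_ago(1)),
    Account("frontdesk", ["Carol", "Dan"], ["staff"], last_login=days_ago(1)),   # shared
    Account("guest", [], ["staff"], last_login=days_ago(5)),                      # generic
    Account("erin", ["Erin"], ["helpdesk"], last_login=days_ago(120)),            # unused
    Account("frank", ["Frank"], ["staff"], last_login=days_ago(2), on_leave=True),
    Account("grace", ["Grace"], ["staff"], last_login=days_ago(1)),
    Account("grace-adm", ["Grace"], [ADMIN_GROUP], last_login=days_ago(1)),       # allowed exception
    Account("henry", ["Henry"], ["staff"], last_login=days_ago(1)),
    Account("henry2", ["Henry"], ["staff"], last_login=days_ago(4)),              # not allowed
]

if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS, TODAY).items():
        print(f"{category}: {names}")
    print("alice ->", sorted(effective_privileges(ACCOUNTS[0])))
```

Bob's direct `post_ledger` grant shows why the slides prefer groups: his effective access is identical to Alice's, but only Alice's is visible by looking at group membership, so a review that only inspects groups would miss it. The review output is the input to the disablement and generic-account policies on this page: each flagged name is an account to move into a group, to disable, or to remove.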


Page 10

Account policy enforcement concepts.

– Password policies.
  » Length: a minimum length should be set; longer passwords are more complex than shorter ones.
    • Eight characters is a common minimum length.
  » Complexity: requiring complex passwords (e.g., a combination of letters, numbers, and symbols) leads to an increase in account security.
  » Expiration: all passwords should be set to expire after a set amount of time.
    • The longer a single password is in use, the more likely it is to be cracked.
  » Reuse: determine how and when users may reuse the same password—used in conjunction with a password history policy.
  » History: tracks the password history of users to prevent them from reusing the same password outside of the reuse policy.
  » Lockout: establish a set number of times that a user can attempt to log in before the user account is locked out.
    • Prevents hackers from using a brute force attack.
  » Recovery: a process needs to be in place to recover passwords and deleted user accounts.
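The script below is an added example, not PACE-IT material, showing how the password policy elements on this page fit together in one account record: minimum length and complexity are checked when a password is set, reuse is rejected against a salted hash history, expiration is reported at login, and a fixed number of failed logins locks the account until a separate recovery step clears it. The thresholds in `POLICY` (eight characters, three character classes, 90 days, five remembered hashes, five attempts), the user names and the passwords are all constructed; a real deployment sets them in the directory or identity provider's policy rather than in code.

```python
"""Password policy enforcement for a single account store (added example,
not PACE-IT material).

Covers the policy elements on the slide: minimum length, complexity,
expiration, reuse/history, and lockout after a fixed number of failed
logins. Thresholds and accounts are constructed for the example.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

POLICY = {
    "min_length": 8,             # slide: eight characters is a common minimum
    "min_classes": 3,            # of lowercase, uppercase, digit, symbol
    "max_age": timedelta(days=90),
    "history_size": 5,           # current password plus the 4 before it
    "lockout_threshold": 5,      # failed attempts before the account locks
}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_complexity(password):
    """Length and complexity rules; returns a list of violations ([] = compliant)."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("too short")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < POLICY["min_classes"]:
        problems.append("insufficient complexity")
    return problems


class AccountRecord:
    def __init__(self, username, password, set_on):
        self.username = username
        self.history = []            # (salt, digest) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        self.password_set_on = set_on
        self._store(password, set_on)

    def _store(self, password, when):
        self.history.append(hash_password(password))
        self.history = self.history[-POLICY["history_size"]:]   # history policy
        self.password_set_on = when

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def is_expired(self, today):
        return today - self.password_set_on > POLICY["max_age"]

    def change_password(self, new_password, today):
        """Apply length, complexity and reuse rules; [] means the change was accepted."""
        problems = check_complexity(new_password)
        if any(self._matches(new_password, e) for e in self.history):
            problems.append("reused password in history")
        if not problems:
            self._store(new_password, today)
        return problems

    def login(self, password, today):
        """Returns 'ok', 'expired', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= POLICY["lockout_threshold"]:
                self.locked = True     # cleared only by the recovery process
                return "locked"
            return "denied"
        self.failed_attempts = 0       # a good login resets the counter
        return "expired" if self.is_expired(today) else "ok"


if __name__ == "__main__":
    today = date(2024, 6, 1)
    acct = AccountRecord("alice", "Corr3ct-Horse!", today - timedelta(days=10))
    print(acct.login("Corr3ct-Horse!", today))             # ok
    print(acct.change_password("Corr3ct-Horse!", today))   # ['reused password in history']
    for _ in range(POLICY["lockout_threshold"]):
        print(acct.login("wrong", today))                  # denied x4, then locked
```

Two design points matter for the lockout bullet: the counter is only reset by a successful login, and a locked account answers `locked` even to the correct password, so guessing stops yielding information once the threshold is reached. The recovery process the slide calls for is deliberately outside `login`; unlocking should be a separate, verified step rather than something the login path can do for itself.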


Page 11

What was covered.

Topic: Managing group and user accounts.

Summary: The granting of privileges to network resources should be managed at the group level and not assigned to individual accounts. Group privileges are easier to track and manage. Each user, in most cases, should have a single user account. Shared accounts should never be used. User assigned privileges are to be avoided. Privileges should be assigned to groups with the users then assigned to the appropriate groups. Continuous monitoring should be in place to help ensure the security of the system.

Topic: Account policy enforcement concepts.

Summary: Account policies should be established to increase the effectiveness of any security controls that are put in place. Some of these policies should cover: groups, credentials management, account disablement, generic accounts, and passwords. Some additional account password policies should also be put in place. These should cover: length, complexity, expiration, reuse, history, lockouts, and recovery.

Page 12

THANK YOU!

Page 13

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.