Security is a very important issue in computer systems, and most organizations dedicate significant resources to securing their systems.
Easttom (2006) observes that protecting the system’s perimeters from external attacks and installing antivirus software and anti-spyware does not complete the securing efforts. Proper configuration of the machines is necessary for the network to be considered secure.
Knowledge of how to secure accounts and make adequate use of passwords is therefore very important for computer users and administrators. Easttom (2006) provides recommendations on accounts and passwords from the NSA, Microsoft, and himself.
This paper reviews other recommendations on accounts and passwords, with particular emphasis on the areas in which they differ from the recommendations offered by Easttom.
Analysis of Recommendations
Prevention of unauthorized access is a core goal of computer security. The primary means used by many intruders to access the system is by trying the default settings.
Strebe (2004) recommends that the default user account settings should always be reconfigured since they provide an easy starting point for potential intruders who wish to gain access to the network.
Most default settings are not configured to offer optimal security and changing them will increase the security level of the system.
The list of available user accounts should be hidden. Using the “Name and Password” option rather than the “List of users” option for the login window improves the security of the system.
This is because without a visible list of users, an intruder will have a harder time hacking into the computer since they have to guess not only the password but also the name of the user. Another recommendation is that the password hint feature should be disabled.
While this feature might be helpful for the legitimate user who has forgotten their password, it will also make it easier for an intruder to guess the password and then gain access into the system. SANS (2012) observes that a password hint like “my family name” will easily help an intruder to break into the account.
Even if best practices are followed when opening new accounts, the system can be compromised if the account becomes inactive when the employee leaves the organization.
A malicious former employee whose account is still active can compromise the system from outside since the system still recognizes him/her as a legitimate user. SANS (2012) recommends that an audit of all accounts in the system should be done regularly and all inactive accounts dealt with.
Tracking accounts will be integral to the security of the system since it will enable the administrator to promptly identify dormant accounts and remove them from the system. User accounts which have not been utilized for a set period of time should be disabled.
While an account is disabled, all the files associated with it should be moved to a secure location to prevent any intruder from accessing them. Monitoring of attempted access to deactivated accounts can help the administrator to identify hacking attempts.
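The audit described above can be scripted. The following is an added example, not code from the paper or from any of the cited sources: it takes a constructed list of accounts with their last successful logon, flags enabled accounts that have exceeded an assumed 90-day inactivity limit, and counts login attempts against accounts that are already disabled, using constructed log lines in an assumed format.

```python
from datetime import datetime, timedelta

# Constructed sample account records (assumed directory export with the
# last successful logon per account; not from the paper).
ACCOUNTS = [
    {"user": "alice", "last_logon": "2012-05-30", "disabled": False},
    {"user": "bob",   "last_logon": "2012-01-10", "disabled": False},
    {"user": "carol", "last_logon": "2011-11-02", "disabled": True},
]

# Constructed sample authentication log lines (assumed format:
# "<date> <result> user=<name> src=<ip>").
LOG_LINES = """2012-06-01 FAIL user=carol src=203.0.113.7
2012-06-01 OK user=alice src=192.0.2.10
2012-06-02 FAIL user=carol src=203.0.113.7
2012-06-02 FAIL user=bob src=198.51.100.4""".splitlines()

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy value
AUDIT_DATE = datetime(2012, 6, 3)       # date on which the audit is run

def dormant_accounts(accounts, now=AUDIT_DATE, limit=INACTIVITY_LIMIT):
    """Return enabled accounts that have not logged on within `limit`."""
    dormant = []
    for acct in accounts:
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if not acct["disabled"] and now - last > limit:
            dormant.append(acct["user"])
    return dormant

def attempts_on_disabled(accounts, log_lines):
    """Count login attempts against disabled accounts, keyed by (user, source IP).
    Any hit is worth the administrator's attention: nobody legitimate
    should be trying to use a deactivated account."""
    disabled = {a["user"] for a in accounts if a["disabled"]}
    hits = {}
    for line in log_lines:
        # fields after the date and result are key=value pairs
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("user") in disabled:
            key = (fields["user"], fields.get("src"))
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    print("dormant accounts to disable:", dormant_accounts(ACCOUNTS))
    print("attempts on disabled accounts:", attempts_on_disabled(ACCOUNTS, LOG_LINES))
```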
Account lockout policies are important since they prevent a user from making an infinite number of wrong login attempts.
Easttom (2006) recommends a number of account lockout durations, which include 3 hours for the account lockout threshold and 48 hours if someone attempts to crack the password during weekends. After the lockout time has expired, the account is automatically unlocked.
The CERT (2012) recommends that automatic unlocks after the specified lockout duration should not be used. Instead, the security professionals must manually review the case and then proceed to unlock it after the investigation is complete.
By conducting a manual review, the administrator will be able to identify anomalous activity and take appropriate action against it. If the account is unlocked automatically, the unsuccessful intruder might continue with the attempts and eventually break into the account.
Users who make use of their work accounts outside the office might have remote access to their account. Remote access increases the risk that the individual will log in from a public computer therefore exposing their login credentials to others.
The CERT (2012) recommends that remote access should be restricted and specific IP addresses should be used if it is possible. If this is not possible, then concurrent logins should be guarded against and users should only be able to have one active session at any time.
Any concurrent login attempt should be flagged by the security personnel and the login attempts reviewed to help track intrusion attempts.
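The lockout policy without automatic unlock (above) and the single-session rule can be expressed as a small monitor. This is an added example, not code from the paper or from CERT: it uses an assumed lockout threshold of three failures, never unlocks on a timer, refuses a second simultaneous session for the same user, and queues every lockout and concurrent login for a human review. The events are constructed.

```python
from collections import defaultdict
LOCKOUT_THRESHOLD = 3   # assumed policy value: failed attempts before lockout
# Constructed sample events, shape (time, user, event, source_ip); not from the paper.
EVENTS = [
    ("09:00", "bob",   "FAIL",   "203.0.113.7"),
    ("09:01", "bob",   "FAIL",   "203.0.113.7"),
    ("09:02", "bob",   "FAIL",   "203.0.113.7"),   # third failure: lockout
    ("09:05", "bob",   "OK",     "203.0.113.7"),   # correct password, still refused
    ("09:10", "alice", "OK",     "192.0.2.10"),
    ("09:12", "alice", "OK",     "198.51.100.4"),  # second session from elsewhere
    ("09:30", "alice", "LOGOUT", "192.0.2.10"),
]

class AccountMonitor:
    """Lockout without automatic unlock, one session per user, review queue for staff."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()                 # cleared only by unlock_after_review()
        self.sessions = defaultdict(set)    # user -> source IPs with a live session
        self.review_queue = []              # (reason, user, src) for security staff

    def process(self, ts, user, event, src):
        if event == "LOGOUT":
            self.sessions[user].discard(src)
            return "logged out"
        if user in self.locked:             # no time-based unlock ever happens here
            self.review_queue.append(("attempt while locked", user, src))
            return "refused: locked"
        if event == "FAIL":
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
                self.review_queue.append(("lockout", user, src))
                return "locked"
            return "failed"
        self.failures[user] = 0             # correct password: reset the counter
        if self.sessions[user] and src not in self.sessions[user]:
            self.review_queue.append(("concurrent login", user, src))
            return "refused: concurrent session"
        self.sessions[user].add(src)
        return "logged in"

    def unlock_after_review(self, user):
        """Called by an administrator once the investigation is complete."""
        self.locked.discard(user)
        self.failures[user] = 0

def run(events):
    """Feed events through a fresh monitor; returns (monitor, outcome per event)."""
    mon = AccountMonitor()
    return mon, [mon.process(*e) for e in events]
```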
Easttom (2006) recommends restricting administrator rights to only the users who need such privileges on a regular basis. This notion is supported by SANS (2012) who asserts that uncontrolled administrative privileges might be used to perpetrate attacks against the system.
The CERT (2012) confirms that a hacker who gains access to an account which has administrative privileges can do just about anything on the compromised machine.
Having administrative privileges loosely and widely distributed therefore increases the risks to the system from outside attacks since intruders can access more resources once they compromise an account with administrative privileges.
Administrators normally create accounts for all the users and assign them with a generic password such as “password”. Walshaw (2000) states that once an account has been created, the users should be forced to change password during the next logon.
By implementing such a practice, the scenario where a group of users all share the same password is avoided, and the security of the network is therefore increased.
Strebe (2004) recommends assigning random passwords for each user and having the specific user report to the administrator in person to receive it.
This approach prevents the account compromise that can occur when a user who was allocated an account does not actually need it and therefore never logs on to change the default password.
Effective password management is important for ensuring account security. One measure for ensuring this is setting the password age.
Easttom (2006) recommends that the maximum password age should be set at 60 days (2 months), while Microsoft and the NSA both recommend 46 days (1.5 months). The rationale behind this is that people are unlikely to change their password unless they are obligated to.
Even then, they are likely to make use of the same set of two to three favorite passwords. Forcing users to select a new password within a given duration of time will increase the security of the network.
This is because such a policy will safeguard against the sharing of passwords since the user will be forced to keep changing their password on a regular basis. However, forcing people to frequently change their passwords might be detrimental to the security of the system.
This is because such a policy will cause users to select very easily guessed passwords so that they do not forget the passwords (Strebe, 2004). In other cases, the user might simply modify their simple password slightly so they can keep reusing them.
SANS (2012) agrees with this notion by suggesting that user-level passwords should be changed every six months. Instead of enforcing frequent changes, users can be required to memorize highly cryptic passwords.
Users are advised to avoid using similar passwords for all their accounts since if an attacker breaks into one account, they can have access to all the other accounts. However, users might have a hard time tracking the numerous passwords used for all their different accounts.
Some might resort to using the same password for every account. This is very dangerous since compromise on one account will lead to security problems at the organization.
The CERT (2012) recommends the use of a password manager to help users store and keep track of their unique passwords. A password manager is more secure than writing the password on a piece of paper since it keeps the passwords protected in a central location.
Computer systems have many risks and effective security measures must be employed to guard against these risks.
In addition to investing in security measures such as firewalls and antivirus software, the organization should adhere to the best security practices provided by various authorities on security implementation.
This paper has reviewed some recommendations on accounts and passwords in order to identify the best practices that can ensure optimal protection. By adhering to these recommendations, the organization will be able to benefit from a secure computer network.
CERT (2012). Technical Information Paper-TIP-11-075-01 System Integrity Best Practices. Web.
Easttom, C. (2006). Network defense and countermeasures: Principles and practices. Upper Saddle River, NJ: Pearson.
Strebe, M. (2004). Network Security Foundations: Technology Fundamentals for IT Success. NY: John Wiley & Sons.
SANS (2012). Critical Control 16: Account Monitoring and Control. Web.
Walshaw, R. (2000). Mission Critical Windows 2000 Server Administration. NY: Elsevier.