User Security Issues

User Education

  • Use caution when opening e-mail. Do not open messages or attachments from unknown senders.
  • Make users aware that attackers can disguise executable files as text or other apparently harmless file types, for example with a double extension such as report.txt.exe, which Windows Explorer shows as report.txt when extensions for known file types are hidden.
  • Educate users not to reuse their work passwords on internet sites or over unsecured connections; a password captured or leaked there can be replayed against the work account.

Password Policies

  • Logon passwords must be changed at least every 90 days (30 to 60 days recommended). Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic changes and instead advises changing a password when there is evidence it has been compromised; pick the approach that matches your risk and compliance requirements.
  • Minimum password age: 5 days, so that a user cannot change the password several times in a row to cycle back to a previous one and defeat the password history.
  • Passwords must be at least 8 characters long and contain at least two digits.
  • On Windows domains, open the "Domain Security Policy" tool (on current versions, edit the Default Domain Policy GPO) and go to "Security Settings", "Account Policies", "Password Policy". Enable the "Password must meet complexity requirements" rule. A password then has to contain at least one character from three of the following categories, and may not contain the user's account name or any part of the full name longer than two characters:
    • lowercase letters
    • uppercase letters
    • digits
    • special characters such as !@#$%^&*(){}[]
  • Passwords must be kept secret and not written down.
  • Don't let programs save passwords.
  • Lock the account after 3 failed logon attempts within a 15-minute window.
  • Account lockout should be reset by an administrator (account lockout duration set to 0 in the policy). Be aware that this lets anyone who knows a user name lock that user out deliberately by entering wrong passwords, so an automatic reset after a fixed period is a common alternative where that denial-of-service risk matters.
  • Passwords that can allow access to sensitive information must never be sent in clear text over an unsecured network such as the internet.
  • Clear text passwords that can allow access to sensitive information should also be avoided on the internal network. In particular, FTP transmits the user name and password unencrypted, so FTP should not be used unless it is tunnelled over a VPN; SFTP or SCP over Secure Shell (SSH) perform the same function with the whole session, password included, encrypted.
  • Passwords should not be stored using reversible encryption; on Windows, leave the "Store passwords using reversible encryption" policy disabled.
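As an added example that is not part of the original page, the following Python script checks a candidate password against the rules listed above: the 8-character and two-digit minimums, the three-of-four category rule, and the account-name check that the Windows complexity setting also applies (it rejects passwords containing the whole account name, or any token of the full name of three or more characters, case-insensitively; account names shorter than three characters are skipped). The function and constant names are the example's own.

```python
"""Added example: check a password against the policy above (not the page's own code)."""
import re

MIN_LENGTH = 8          # page: at least 8 characters
MIN_DIGITS = 2          # page: at least two numbers
MIN_CATEGORIES = 3      # page: three of the four character categories
# Delimiters the Windows complexity check uses to split the full name into tokens.
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def character_categories(password):
    """Count how many of the four categories (lower, upper, digit, special) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        # The page lists !@#$%^&*(){}[]; Windows accepts any non-alphanumeric character.
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def contains_name(password, account_name="", full_name=""):
    """Windows rule, case-insensitive: the password may not contain the whole account
    name (ignored when shorter than 3 characters) or any 3+ character token of the
    full name. Substrings of tokens are not checked, matching Windows behaviour."""
    low = password.lower()
    if len(account_name) >= 3 and account_name.lower() in low:
        return True
    return any(len(token) >= 3 and token.lower() in low
               for token in NAME_DELIMITERS.split(full_name))


def check_password(password, account_name="", full_name=""):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if character_categories(password) < MIN_CATEGORIES:
        problems.append(f"fewer than {MIN_CATEGORIES} of the 4 character categories")
    if contains_name(password, account_name, full_name):
        problems.append("contains the account name or part of the full name")
    return problems


if __name__ == "__main__":
    # Hypothetical account used only to exercise the name rule.
    for candidate in ("password", "Abcdefg1", "Tr0ub4dor&3", "Smith2024!"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "OK")
```

Run the script as shown and "Smith2024!" is rejected even though it satisfies every length and category rule, which is the case the Windows account-name check exists for; the page's own two-digit rule is stricter than Windows, which only requires one digit when digits are the third category.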

Account Policy

  • Remote users on NT domains should be disconnected after 1 to 4 hours of inactivity. This keeps accounts logged off after business hours, so an attacker cannot use an idle open session to launch an attack, and it closes any open files so the tape backup program can back them up (files that are open are skipped by the backup).
  • Set the account policy "Users must log on in order to change password", so a password can only be changed from an authenticated session.

Server Policies on Windows Domains

  • Don't rename the Administrator account, but deny it the right to log on to the domain controller(s) over the network (the "Deny access to this computer from the network" user right on the domain controllers), leaving it usable at the console. Create a separate account with the same or similar privileges for day-to-day administration and give that account network access to the domain controllers. Any attempt to log on to the Administrator account over the network can then be treated as a suspected security violation and alerted on from the security log.
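As an added example, not taken from the original page, the following Python script applies two of the rules above to a batch of security-log records: the account-lockout rule from the Password Policies section (3 failed logons within 15 minutes) and the rule just stated that any network logon attempt against the Administrator account should be flagged. The event IDs (4625 = an account failed to log on, 4624 = an account was successfully logged on) and logon type 3 (network) are real Windows Security log values; the pipe-delimited sample records and their contents are constructed for the example and are not a Windows export format. The sliding-window count is an approximation: Windows itself resets the bad-password counter once the observation window has elapsed since the last failed attempt.

```python
"""Added example: lockout tracking and Administrator network-logon detection over
constructed security-log records (not the page's own code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                       # page: lock after 3 failed attempts
OBSERVATION_WINDOW = timedelta(minutes=15)  # page: within 15 minutes
EVENT_FAILED_LOGON = 4625                   # Windows Security log event IDs
EVENT_SUCCESS_LOGON = 4624
LOGON_TYPE_NETWORK = 3                      # SMB, RPC and similar logons from the network

# Constructed sample: timestamp|event id|account|logon type|source workstation.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00|4625|alice|2|WS01
2024-03-01T09:03:00|4625|alice|2|WS01
2024-03-01T09:20:00|4625|alice|2|WS01
2024-03-01T09:21:00|4625|bob|3|WS07
2024-03-01T09:22:00|4625|bob|3|WS07
2024-03-01T09:23:00|4625|bob|3|WS07
2024-03-01T09:25:00|4625|Administrator|3|WS09
2024-03-01T09:30:00|4624|Administrator|3|WS12
2024-03-01T09:31:00|4624|Administrator|2|DC01
"""


def parse_events(text):
    """Parse the constructed pipe format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, logon_type, workstation = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "logon_type": int(logon_type),
            "workstation": workstation,
        })
    return sorted(events, key=lambda e: e["time"])


def find_lockouts(events):
    """Return {account: time the lockout threshold was reached}.

    Keeps, per account, the failed-logon times that fall inside the observation
    window ending at the current event; the account locks when that count reaches
    the threshold. Failures older than the window drop out and do not count."""
    recent = defaultdict(deque)
    locked = {}
    for e in events:
        if e["event_id"] != EVENT_FAILED_LOGON:
            continue
        acct = e["account"].lower()
        if acct in locked:
            continue  # already locked; further failures change nothing
        window = recent[acct]
        window.append(e["time"])
        while e["time"] - window[0] > OBSERVATION_WINDOW:
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            locked[acct] = e["time"]
    return locked


def find_admin_network_logons(events):
    """Every successful or failed logon to the Administrator account over the
    network. Interactive (type 2) console logons on the domain controller are
    still allowed by the policy above, so they are not reported."""
    return [e for e in events
            if e["account"].lower() == "administrator"
            and e["logon_type"] == LOGON_TYPE_NETWORK
            and e["event_id"] in (EVENT_FAILED_LOGON, EVENT_SUCCESS_LOGON)]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for acct, when in find_lockouts(evts).items():
        print(f"LOCKOUT  {acct} at {when.isoformat()}")
    for e in find_admin_network_logons(evts):
        print(f"ALERT    Administrator network logon ({e['event_id']}) from {e['workstation']} at {e['time'].isoformat()}")
```

In the sample, alice's three failures are spread over 20 minutes, so no two and a half of them share a 15-minute window and she is not locked out, while bob's three failures in two minutes trigger the lockout at the third attempt; both Administrator network attempts (one failed, one successful) are reported and the console logon on DC01 is not.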