Monday, January 26, 2015

Passwords and Authentication


The weakest security link in any network is its authorized users. Their actions could expose the organization to a major security breach, resulting in damaged systems, stolen or destroyed information, malware infection, and so forth. There might also be legal issues to deal with after an attack, and a company can lose customers’ confidence as a result.
Companies should take steps to address this vulnerability. A comprehensive password policy is critical, as a username and password are often all that stands between an attacker and access. A password policy should include the following:
  • Change passwords regularly on system-level accounts (every 60 days at minimum).
  • Require users to change their passwords regularly (at least quarterly).
  • Require a minimum password length of at least eight characters (and 15 characters for administrative accounts).
  • Require complex passwords; in other words, passwords must include letters, numbers, symbols, punctuation characters, and preferably both uppercase and lowercase letters.
  • Passwords can’t be common words, words found in the dictionary (in any language), or slang, jargon, or dialect.
  • Passwords must not be identified with a particular user, such as birthdays, names, or company-related words.
  • Never write a password down or store it online or in a file on the user’s computer.
  • Don’t hint at or reveal a password to anyone over the phone, in e-mail, or in person.
  • Use caution when logging on to make sure no one sees you entering your password.
  • Limit reuse of old passwords.


In addition to these guidelines, administrators can configure domain controllers to enforce password age, length, and complexity. On Windows 2000 Server, Server 2003, or Server 2008 domain controllers, some aspects of a password policy can be enforced, such as the following:

  • Account lockout threshold—Set the number of failed attempts before the account is disabled temporarily.
  • Account lockout duration—Set the period of time the user account is locked out after a specified number of failed logon attempts.
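As an added example (not part of the original post), here is a small Python checker that applies the password rules listed above to a proposed password: length (8, or 15 for administrative accounts), character-class complexity, dictionary words, personal or company identifiers, and reuse of old passwords. The word list, the user details and the hashing scheme are constructed placeholders, not anything from a real product.

```python
import hashlib
import string
from datetime import date

# Constructed stand-in for a real dictionary/common-password list (hypothetical).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "monday"}


def password_hash(pw: str) -> str:
    """Demo-only: a real deployment stores a salted, slow hash (bcrypt, Argon2)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def forbidden_tokens(username, full_name, birthday_iso, company):
    """Identifiers that must not appear in the password (birthdays, names, company words)."""
    bday = date.fromisoformat(birthday_iso)
    tokens = {username, company, *full_name.split()}
    tokens |= {bday.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%Y%m%d")}
    return sorted(t.lower() for t in tokens if len(t) >= 3)


def check_password(pw, username, full_name, birthday_iso, company, history=(), admin=False):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    min_len = 15 if admin else 8          # 8 for users, 15 for administrative accounts
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol or punctuation character")
    low = pw.lower()
    # Compare the letters alone too, so "Password1!" is still caught as a dictionary word.
    if low in DICTIONARY or "".join(c for c in low if c.isalpha()) in DICTIONARY:
        problems.append("is a dictionary word")
    for tok in forbidden_tokens(username, full_name, birthday_iso, company):
        if tok in low:
            problems.append(f"contains personal or company identifier {tok!r}")
    if password_hash(pw) in history:      # history holds hashes of previous passwords
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample user; an empty result means no violations.
    print(check_password("Tr0ub4dor&3", "jsmith", "John Smith", "1985-03-14", "Acme"))  # []
```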


