How to boost network logon security


Jan Stafford
10.31.2001


Being lax about network logon password policies is like giving strangers the keys to your home's front door. The logon is your network's front door, and a strict logon password policy is your first line of defense.

Good logon policies and practices are critical today, because most companies have remote workers accessing internal networks via the Internet. These "dos and don'ts" can help IT managers toughen up their logon policies.

Do a careful examination of your password policies, said David Strom, a Port Washington, NY-based network and Internet technologies consultant. During the analysis, ask these questions:

  • Is there a minimum length for passwords?
  • Does the policy require that passwords include numeric or other non-alphabetic characters?
  • Does the policy require that network users change their passwords every quarter and forbid users to alternate between two or three choices?
  • Is there automatic lockout of failed login attempts?

Do use some sort of virtual private network for remote users, said Scott Blake, director of security strategy for Houston, TX-based BindView Corp. PPTP (Windows) or SSH (UNIX) should be adequate.

Don't let users procrastinate about changing cracked passwords. "Run Crack (or equivalent) on your password database weekly and force users to change them immediately," Blake advised.

Do set some firm rules for the users of the network, said Olivier Thierry, a systems and operations management expert and senior vice president of strategic marketing for NetIQ Corp. of San Jose, CA. The most important rules include:

  • Employees should only log on to the network in order to conduct official company business.
  • Employees should not be logged into the corporate network while surfing the Internet.
  • Employees who are logged on to the network must lock their workstations when away from their desks. (A screen saver that requires a password is also acceptable.)

Do keep close tabs on userid administration, said Thierry. He offers these userid management dos and don'ts:

  • Don't allow userids that have gone unused for a long time to remain active. Usually, disabling a userid that has been inactive for 30 days is advisable. "Notice I said disable and not delete," Thierry said. There are legitimate reasons someone might be off the network for 30 days. In that case, the user can call the help desk to have the userid re-enabled.
  • Do make sure that the type of employee can be identified by the userid. For example, there should be some method of identifying userids for employees and userids for contractors. Don't make this identification in the userid itself, because it gives away information to a would-be hacker. Thierry prefers denoting the distinction in the description field. "Make it mandatory that this information is filled out as part of proper user administration," he said.
  • Do restrict contractor ids to limited logon hours whenever possible. "I also like requiring the contractor's on-site management to sign off, in writing, on removing this restriction," Thierry said.
  • Do periodic audits against user logon and logoff. Look for things out of the ordinary, Thierry advised. For example, if Jane Doe never logs into the network after 7 pm and suddenly her userid login appears after 11 pm, call Jane and ask her if she's been logging on later. This is especially important when environments have a lot of remote access activity.
  • Don't identify service accounts with any special markings. "The first thing a hacker is going to do is attempt to identify service accounts, because they know the odds of those passwords being changed regularly are slim to none," said Thierry. "Be creative!"
  • Do restrict sensitive userids to designated workstations or machines. All Domain Admins, for example, should have two userids: one for general business and one for authorized administrative actions.
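
The userid checks above can be scripted against a directory export and a logon log. The following is an added example, not part of the original tip: the record layout, the userids and the sample data are constructed, and the two-day review window and one-hour slack are assumptions; only the 30-day inactivity threshold comes from the text.

```python
from datetime import datetime, timedelta

NOW = datetime(2001, 10, 31, 9, 0)  # constructed "today" for the sample data

# Constructed directory export: userid -> (enabled, last logon, description field)
ACCOUNTS = {
    "jdoe":   (True,  datetime(2001, 10, 30, 23, 14), "employee"),
    "rsmith": (True,  datetime(2001, 9, 12, 8, 5),    "contractor"),
    "mlee":   (True,  datetime(2001, 10, 29, 9, 30),  ""),
    "tbrown": (False, datetime(2001, 6, 1, 10, 0),    "employee"),
}

# Constructed logon history: (userid, timestamp)
LOGONS = [
    ("jdoe", datetime(2001, 10, 22, 8, 40)),
    ("jdoe", datetime(2001, 10, 23, 18, 55)),
    ("jdoe", datetime(2001, 10, 24, 9, 2)),
    ("jdoe", datetime(2001, 10, 30, 23, 14)),
    ("mlee", datetime(2001, 10, 26, 9, 15)),
    ("mlee", datetime(2001, 10, 29, 9, 30)),
]

def stale_userids(accounts, now, max_idle_days=30):
    """Enabled userids with no logon in max_idle_days: disable, do not delete."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, (enabled, last, _) in accounts.items()
                  if enabled and last < cutoff)

def missing_type(accounts):
    """Enabled userids whose description field does not record the employee type."""
    return sorted(u for u, (enabled, _, desc) in accounts.items()
                  if enabled and not desc.strip())

def late_logons(logons, now, recent_days=2, slack_hours=1):
    """Recent logons later in the day than anything in the user's earlier history."""
    split = now - timedelta(days=recent_days)
    latest = {}  # userid -> latest hour-of-day seen before the recent window
    for user, ts in logons:
        if ts < split:
            latest[user] = max(latest.get(user, 0), ts.hour)
    return [(u, ts) for u, ts in logons
            if ts >= split and u in latest and ts.hour > latest[u] + slack_hours]

if __name__ == "__main__":
    print("disable:", stale_userids(ACCOUNTS, NOW))
    print("fix description:", missing_type(ACCOUNTS))
    for user, ts in late_logons(LOGONS, NOW):
        print("call user about logon:", user, ts)
```

A flagged late logon is a prompt to contact the user, as the audit tip describes, not proof of compromise.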

Do make the logon your first line of defense, all the experts agreed. A company is left vulnerable to attacks of many kinds -- viruses, data theft, invasions of customer privacy, etc. -- when administrators fail to establish policies and appropriate practices at the front door.

