Security considerations when creating a new user account
When a new user is created the network operating system applies certain default options in the account policy for that user. You must then modify these options to coincide with the company's security policy for new user accounts on the network. The following are a list of guidelines that the network administrator should adhere to:
When a new user account is created, the network administrator should set a default password so that when the user logs on to the network the default password is entered, and the user is then prompted to change the password.
All users' accounts, when created, should be included in user groups. These groups can consist of department(s) that the user belongs to, or a group can be created for contract personnel who are performing temporary functions and require network access. It is much easier to manage groups than individual users for network resources.
- Password Age. The maximum password age for a user should be 30 days. Many network administrators prefer to set the password age for 90 days. If network security is a priority, a 90-day password can leave sufficient time for anyone to acquire a user password and perform harmful activities.
- Password Length. The maximum number of password characters for a user should be eight. Anything longer than eight characters can become a problem for the user to remember.
- Password Uniqueness. Allowing users to use a password repeatedly is not a good idea. Keep a password history of at least five to avoid this.
- Account lockout. Set this option to three bad attempts. Prevent users or unauthorized personnel from repeatedly trying to enter passwords to gain access to the network.
- The network administrator should enable the reset count, which is the number of minutes that can occur between any two failed logon attempts for lockout to occur to varying time intervals, with the minimum being 24 minutes. For example, one user account can have 24 minutes another user account can have 27 minutes, etc.
- Set lockout duration to forever. That means it stays locked until you unlock the account.
If a user has dial-up access the network administrator must set the option of forcibly disconnecting remote users from the server when logon hours expire.
Adesh Rampat has 10 years of experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics.
Did you like this tip? If so, (or if not) why not let us know. Send an e-mail to us and sound off. Or visit our tips page to rate this tip, or submit one of your own.
Information Security Architecture: An Integrated Approach to Security in the Organization
Author : Jan Killmeyer Tudor
Publisher : CRC Press
Published : Sept. 2000
An information security architecture is made up of several components. Each component in the architecture focuses on establishing acceptable levels of control. These controls are then applied to the operating environment of an organization. Functionally, information security architecture combines technical, practical and cost-effective solutions to provide an adequate and appropriate level of security.
This was first published in April 2001