It's spring and time for spring cleaning. The less there is on your system the less there is to go wrong and to fix when something happens. Like closing credit card accounts you don't use to prevent identity theft, deleting any old or unused accounts is a good practice. How often you need to do this for your systems depends. But make sure the intervals are entered on your
A user account should be deactivated/deleted when that account is idle for an extended period, say 60 days, or when the user departs for work in another location for an extended period. If you aren't sure if someone will return, deactivate the account. If he has left the organization, delete the account. Before doing either you may want to use a procedure where you archive the user's home directory to tape or a disk. Alternatively or additionally, if someone is taking over the position and will need the information from the previous user, you can search for files belonging to the user and move them using a change ownership type of function. Don't maintain files for a non-existent user. Also verify that these accounts were removed from any groups they belonged to. For any accounts you don't recognize, create a method you can use to determine how accounts you didn't set up were created. One simple way is to require two people on the IT team to create a user account -- one to determine and ascertain privileges and accesses, and another to create the system account.
Also consider looking at your user groups and updating them as well, especially any privileged or trusted accounts. You may also want to keep a current user account roster for each system you're responsible for, including the names of authorized maintenance personnel. This review is also a good time to make sure generic accounts like guest, temp and field maintenance haven't somehow been restored.
Each system's manuals will have information on how to create, modify and delete user accounts.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia.
We'd love to hear from you, please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in March 2004