Directory Entries
Software maintenance and update processes should also include regular reviews of computer accounts and service records. Directory registrations and certificates for failed and replaced systems should be removed or expired when physical devices are removed from operation, reloaded, or securely wiped for disposal. User deprovisioning is also critical to ensure that residual data files, user profiles, and inactive accounts are similarly cleaned up on a regular basis. Like sweeping the floor, regular clean-up practices can help keep garbage from accumulating in the directory as a result of updates, replacements, and the passage of time.
Passwords
The Internet Engineering Task Force (IETF) published RFC 2196 (Site Security Handbook) back in 1997, identifying the regular expiration of passwords as a potential security threat to enterprises. Conventional wisdom has always been that regular changes to passwords should enhance security by blocking brute-force password guessing practices. Modern enterprise networks have more sophisticated authentication services capable of automatically locking out log-on attempts after multiple failed attempts within a specified window of time, alleviating this threat somewhat, but the raw processing power available to attackers now provides many other, more effective avenues for attack.
Some threats that arise from regular password changes include increased support requirements for users who have forgotten their new passwords, selection of very simple passwords and phrases, selection of passwords that change only minimally and in guessable ways (example: MyPassw0rd1, MyPassw0rd2, MyPassw0rd3…), or users creating physical notes of each new password—often stored in discoverable locations near the operating environment, such as beneath a keyboard or on a “sticky note” attached to the system monitor.
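The minimal-change pattern described above (MyPassw0rd1 becoming MyPassw0rd2) can be rejected at password-change time by comparing the proposed password against the account's password history. The following is an added example, not code from the book; it assumes a small leetspeak folding map and an edit-distance threshold of 2 are sufficient for this check.

```python
import re

# Fold common digit/symbol substitutions back to letters so "Passw0rd" and
# "Password" share a stem (assumption: this small map covers the common cases).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password: str) -> str:
    """Reduce a password to the core a user tends to keep between rotations."""
    s = password.lower()
    # Strip leading/trailing runs of digits and symbols first, so that the
    # trailing counter in MyPassw0rd1 / MyPassw0rd2 disappears before folding.
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard row-by-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new: str, old: str, max_dist: int = 2) -> bool:
    """True when the new password is a guessable variation of the old one."""
    ns, os_ = stem(new), stem(old)
    if ns and ns == os_:          # same core word, only the decoration changed
        return True
    # Fallback for all-digit or very short passwords where the stem is empty.
    return edit_distance(new.lower(), old.lower()) <= max_dist


def check_rotation(new: str, history: list) -> tuple:
    """Return (accepted, reason) for a proposed password against prior ones."""
    for old in history:
        if new == old:
            return False, "reuses a previous password"
        if too_similar(new, old):
            return False, "differs only minimally from a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history for demonstration.
    prior = ["MyPassw0rd1", "Summer2023!"]
    for candidate in ["MyPassw0rd2", "Summer2024!", "correct-horse-battery"]:
        print(candidate, "->", check_rotation(candidate, prior))
```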
Note: Password expiration on a yearly basis has always been acceptable to my own clients in many different network environments, although I have always implemented policies for password expiration upon individual account compromise, any admin account compromise, upon change in personnel or job role, or upon personnel termination or separation.