Account Policy Enforcement 4.4

Question 1

Credential Management

Answer 1

The credentials that you use to login are the only barrier between the outside world and your data. Your data is everything. Passwords must not be embedded in the application. Everything needs to reside on the server, not the client. Communications across the network should be encrypted. Authentication traffic should be impossible to see.

Question 2

Configuration Settings

Answer 2

Windows uses group policy management. Windows provides some tools to help with these things.

NTFS permissions or Share permissions will be different. These affect the OS itself and some of the functions people will use daily on their computers. This is linked to Windows Active Directory, so you can admin different sites, groups, organization units.

Question 3

Group Policy Control

Answer 3

Windows has great tools for these functions. It’s basically setting group permissions that apply to all users within the group.

Question 4

Password Complexity and Length

Answer 4

Make passwords strong. No single words, no obvious passwords like pet names. Mix upper and lower case letters, special characters, no leet speak. A strong password is a minimum of 8 characters. Do not allow password reuse.

Question 5

Password Expiration and Recovery

Answer 5

All passwords should expire every 30, 60, or 90 days. Critical systems could be as frequent as 15 days. The password recovery process should not be trivial, make it hard so you can’t get social engineered.

Question 6

Account Lockout and Disablement

Answer 6

Too many bad passwords cause lockouts. It’s best practice to disable accounts because there is often data and encryption keys associated to accounts.