The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [150]

employment status prior to running any program at the request of a caller.

Computer Administration

7-1 Changing global access rights

Policy: A request to change the global access rights associated with an electronic job profile must be approved by the group assigned the responsibility of managing access rights on the corporate network.

Explanation/Notes: Authorized personnel will analyze each such request to determine whether the change might entail a threat to information security. If so, the responsible employee will address the pertinent issues with the requester and jointly arrive at a decision about the changes to be made.

7-2 Remote access requests

Policy: Remote computer access will only be provided to personnel who have a demonstrated need to access corporate computer systems from off-site locations. The request must be made by an employee’s manager and verified as described in the Verification and Authorization Procedures section.

Explanation/Notes: While authorized personnel do need off-site access into the corporate network, limiting such access to people with a genuine need can dramatically reduce both the risk and the management burden of remote-access users. The smaller the number of people with external dial-up privileges, the smaller the pool of potential targets for an attacker. Never forget that the attacker may also target remote users directly, either by hijacking their connection into the corporate network or by masquerading as them during a pretext call.

7-3 Resetting privileged account passwords

Policy: A request to reset a password to a privileged account must be approved by the system manager or administrator responsible for the computer on which the account exists. The new password must be sent through intracompany mail or delivered in person.

Explanation/Notes: Privileged accounts have access to all system resources and files stored on the computer system. Naturally, these accounts deserve the greatest protection possible.

7-4 Outside support personnel remote access

Policy: No outside support person (such as software or hardware vendor personnel) may be given any remote access information or be allowed to access any company computer system or related devices without positive verification of identity and authorization to perform such services. If the vendor requires privileged access to provide support services, the password to the account used by the vendor shall be changed immediately after the vendor services have been completed.

Explanation/Notes: Computer attackers may pose as vendors to gain access to corporate computer or telecommunication networks. Therefore, it is essential that the identity of the vendor be verified in addition to their authorization to perform any work on the system. Moreover, the doors into the system must be slammed shut once their job is done by changing the account password used by the vendor.

No vendor should be allowed to pick his or her own password for any account, even temporarily. Some vendors have been known to use the same or similar passwords across multiple customer systems. For example, one network service company set up privileged accounts on all their customers’ systems with the same password, and, to add insult to injury, with outside Telnet access enabled.

7-5 Strong authentication for remote access to corporate systems

Policy: All connection points into the corporate network from remote locations must be protected through the use of strong authentication devices, such as dynamic passwords or biometrics.

Explanation/Notes: Many businesses rely on static passwords as the sole means of authentication for remote users. This practice is dangerous: computer intruders target any remote access point that might be the weak link in the victim’s network, and a static password, once learned, can be reused indefinitely. Remember that you never know when someone else knows your password.
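To make concrete why a dynamic (time-based) password defeats the reuse problem that a static password has, here is an added example of a time-based one-time password check. It is not code from the book or from any product the book mentions; it follows the standard HOTP/TOTP construction (HMAC-SHA1 over a counter, 30-second steps, 6 digits) with the Python standard library. The secret, the timestamp and the `TotpVerifier` class are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (not a real key) shared between the token and the server.
DEMO_SECRET = b"constructed-demo-secret-0123456789"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a counter value: HMAC-SHA1 over the 8-byte big-endian
    counter, then the standard dynamic truncation to a fixed number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of whole steps since the epoch,
    so the code changes every `step` seconds."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server side of the check (constructed for this example). A code is accepted
    only for the current time step, plus or minus one step of clock drift, and a
    step whose code has already been accepted is never accepted again, so a code
    that an attacker captured cannot be replayed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.drift_steps, current + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used: a replayed code is rejected here
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def demo() -> dict:
    """Walks through the scenario from the policy text: a captured code is useless
    both as an immediate replay and a few minutes later, while a fresh code works."""
    verifier = TotpVerifier(DEMO_SECRET)
    t0 = 1_700_000_010  # constructed fixed timestamp on a 30-second boundary
    captured = totp(DEMO_SECRET, t0)
    return {
        "first": verifier.verify(captured, t0),                          # legitimate use
        "replay": verifier.verify(captured, t0 + 5),                     # replayed seconds later
        "later": verifier.verify(captured, t0 + 10 * STEP_SECONDS),      # replayed minutes later
        "fresh": verifier.verify(totp(DEMO_SECRET, t0 + 10 * STEP_SECONDS),
                                 t0 + 10 * STEP_SECONDS),                # new code from the token
    }


if __name__ == "__main__":
    print(demo())
```

The replay rejection is the part that matters for the policy: with a static password the "replay" and "later" cases would both succeed, because nothing distinguishes the legitimate user's password from a copy of it. The one-step drift allowance is a design choice; a tighter window reduces the time an intercepted code stays valid, at the cost of rejecting tokens whose clocks have drifted.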

Accordingly, any remote access points must be protected with strong authentication such as time-based tokens, smart cards, or biometric devices, so that intercepted passwords are of no
