The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [154]
7-20 Default passwords
Policy: All operating system software and hardware devices that initially have a password set to a default value must have their passwords reset in accordance with the company password policy.
Explanation/Notes: Several operating systems and computer-related devices are shipped with default passwords—that is, with the same password enabled on every unit sold. Failure to change default passwords is a grave mistake that places the company at risk.
Default passwords are widely known and are available on Internet Web sites. In an attack, the first password an intruder tries is the manufacturer’s default password.
7-21 Invalid access attempts lockout (low to medium security)
Policy: Especially in an organization with low to medium security requirements, whenever a specified number of successive invalid login attempts to a particular account have been made, the account should be locked out for a period of time.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is necessary to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to lock out an account whenever the chosen threshold of successive invalid attempts has been reached. It is recommended that an account be locked out for at least thirty minutes after seven successive invalid login attempts; a successful login resets the count.
7-22 Invalid access attempts account disabled (high security)
Policy: In an organization with high security requirements, whenever a specified number of successive invalid login attempts to a particular account has been made, the account should be disabled until reset by the group responsible for providing account support.
Explanation/Notes: All company workstations and servers must be set to limit the number of successive invalid attempts to sign in. This policy is a necessary control to prevent password guessing by trial and error, dictionary attacks, or brute force attempts to gain unauthorized access.
The system administrator must configure the security settings to disable the account after five successive invalid login attempts. Once the account has been disabled, the account holder will need to call technical support or the group responsible for account support to have it re-enabled. Prior to re-enabling the account, the department responsible must positively identify the account holder, following the Verification and Authorization Procedures.
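The two lockout variants described in 7-21 and 7-22, as an added example that is not code from the book: a small login-attempt tracker that locks an account for a fixed window after seven successive failures (low to medium security) or disables it until an administrator resets it after five (high security). The account names, passwords and the clock values passed as `now` are constructed for the example; PBKDF2 stands in for whatever credential store the real system uses.

```python
"""Account lockout for policies 7-21 and 7-22 (added example, not from the book)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int          # successive failures that trigger the lockout
    lockout_seconds: float  # how long the lock lasts; 0 = until an administrator resets it


# Thresholds as recommended in 7-21 and 7-22.
LOW_MEDIUM = LockoutPolicy(threshold=7, lockout_seconds=30 * 60)
HIGH = LockoutPolicy(threshold=5, lockout_seconds=0)

DISABLED = float("inf")  # sentinel: locked with no automatic expiry


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: int = 0                     # successive invalid attempts so far
    locked_until: Optional[float] = None  # None = not locked; DISABLED = needs admin reset


def _hash(password: str, salt: bytes) -> bytes:
    # Stored-credential check; PBKDF2 is an assumption standing in for the OS's own scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        for name, pw in passwords.items():   # constructed sample accounts
            salt = os.urandom(16)
            self.accounts[name] = AccountState(salt, _hash(pw, salt))

    def login(self, name: str, password: str, now: float) -> str:
        """Return 'ok', 'bad credentials', 'locked' or 'disabled'."""
        acct = self.accounts.get(name)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated.
            return "bad credentials"
        if acct.locked_until is not None:
            if acct.locked_until == DISABLED:
                return "disabled"
            if now < acct.locked_until:
                # Still inside the lockout window: refuse without checking the
                # password, and do not extend the window (an attacker who keeps
                # hammering the account cannot keep it locked indefinitely).
                return "locked"
            acct.locked_until = None   # window expired: count from zero again
            acct.failures = 0
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0          # a success ends the run of failures
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.threshold:
            if self.policy.lockout_seconds == 0:
                acct.locked_until = DISABLED   # 7-22: stays off until admin_reset
                return "disabled"
            acct.locked_until = now + self.policy.lockout_seconds  # 7-21
            return "locked"
        return "bad credentials"

    def admin_reset(self, name: str) -> None:
        """Account support re-enables the account after positively identifying the holder (7-22)."""
        acct = self.accounts[name]
        acct.failures = 0
        acct.locked_until = None


if __name__ == "__main__":
    auth = Authenticator(LOW_MEDIUM, {"alice": "correct horse"})
    for attempt in range(8):
        print(attempt + 1, auth.login("alice", "wrong", now=float(attempt)))
    print("after window:", auth.login("alice", "correct horse", now=8 + 30 * 60))
```

Two design points worth noticing: the correct password is refused while the window is open, so an attacker cannot tell a lockout from a wrong guess, and attempts made during the window do not extend it, which limits how easily someone who knows a username can keep its owner locked out. The high-security variant relies entirely on the identity check performed before `admin_reset` is called; the code cannot do that part.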
7-23 Periodic change of privileged account passwords
Policy: All privileged account holders shall be required to change their passwords at least every thirty days.
Explanation/Notes: Where the operating system supports it, the systems administrator must enforce this policy by configuring the password-aging parameters in the system software.
7-24 Periodic change of user passwords
Policy: All account holders must change their passwords at least every sixty days.
Explanation/Notes: With operating systems that provide this feature, the systems administrator must enforce this policy by configuring the password-aging parameters in the software.
7-25 New account password set up
Policy: New computer accounts must be established with an initial password that is preexpired, requiring the account holder to select a new password upon initial use.
Explanation/Notes: This requirement ensures that only the account holder will have knowledge of his or her password; the administrator or support staff who created the account know only the initial password, which stops working at first use.
7-26 Boot-up passwords
Policy: All computer systems must be configured to require a boot-up password.
Explanation/Notes: Computers must be configured so that when the computer is turned on, a password is required before the operating system will boot. This prevents any unauthorized person from turning on and using another person’s computer. This policy applies to all computers on company premises.
7-27 Password