Question

1. Introduction - Please briefly explain what is meant by Access control/Authentication/Authorization, the role this plays in securing a network and the importance of having policies about Account naming conventions and password management.
2. Account naming convention - What are the suggested format(s) for user accounts to be named? i.e. johndoe, jdoe, john.doe, user1, etc.... Be sure that your account naming convention provides a way to create a unique account name for folks with the same names.  
3. Password length and complexity - How long should passwords be? Must they contain any special case, characters, etc?, Will you require your users to change their passwords? If so how often will you require them to change them, can they reuse old passwords?
4. Server administrative access - What is your policy regarding people gaining full access to server resources? Will you require server administrators to "do" anything with the default Windows and Linux server administrative accounts and passwords? Is there a policy for leaving these accounts active? What about password management?

Answer 1

Hi, I would love to answer you with this question. Hope you will like an answer and get some clear idea related to the same. So not wasting much time lets get started.

The question is long and complex so as to channelize I will be answering the question by making parts as follows:

• Access control/Authentication/Authorization and its importance in securing the network
• Account naming convention
• Password length and complexity
• Server administrative access - What is your policy regarding people gaining full access to server resources?

Ans.1 The access control is the measure that is been initiated by the network security experts in the network so as to restrict the access to the users and provide the limited access as been required. While moving forward the authentication is the method for checking the legitimacy of the user that whether the user is original or the faker user trying, this is done by using password policies and the multifactor authentications. Now heading to the authorization, Authorization is the process to find out the user privileges that any user needs the maximum to complete its task like an employee will not be authorized to get access to the server or the admin computer, so this is a part of the authorization.

These all the methods are been used to secure the network by restricting and checking the legitimacy of the user of the services as the PC's are password protected with some limited access resulting in the security of the network.

Ans.2 Account naming convention is the method to keep the unique username so as they could not be easily guessed and tried for the brute force. The two things which you can keep in mind are never use default username and never directly names of yours or the email domain and related things. These can be complexed with the mixing with DOB or the ID card details and something like these should be mixed with the name or the email. eg. Devsin3008 this is for the Dev Sinha whose DOB is 30/08/1998. So these types can be mixed and can be made more complex using other methods of ID and DOB.

Ans.3 Password length and complexity, me as a penetration tester always test for this in the auditing or the pentest this is the most targeted place for the brute force attacks and the passwords must be complex enough so that this might not be penetrated so easily. The basic factors which can keep the password complexity strong are :

• 8-12 character minimum password length
• Must use one Upper case and one Lower case letter minimum
• Must use a minimum one special character

Some other aspects asked in the question may be answered as the password must be changed so often so as resulting in the security and the old 3 passwords cannot be resused as a password. And while resetting the password the old password must be asked and verified for the legitimacy

Ans.4 Server administrative access, The access to the server administration must be restricted to the server admin only. The policy must be there for no employees full access to the server administration.

No the server administrators should not be allowed to keep the default credentials anywhere is in the server whether the authentication is there or not default credentials must be removed, whether in Linux or windows. Dealing with the password management the password complexity must be high and the password information must be restricted to the server admin only not event the owner till required hardly. This is the way the network can be provided the secure environment.

I hope you got your answers and a clear idea related to the same .

Please like an answer and do comment for any queries in the answer.

Thanks and Happy to help :)

HAPPY LEARNING