Introduction to NonStop Operations Management
Security Management
Introduction to NonStop Operations Management–125507
9-17
Setting Unexpected Initial Passwords
Don’t derive initial passwords from the user name or user ID, since an inside intruder
might log on to a user ID that has been created but not yet assigned.
Enforcing Routine Password Changes
You can use the Safeguard product to force a password to expire after a specified time.
This Safeguard feature motivates people to change their passwords before the expiration
date. Once a password is changed, a new expiration date is automatically set, and the
new password remains valid until that date. Be careful not to require changes too
frequently. If users must change their passwords too often, they:
• Might set up a mechanism to change the password through a predictable series (pswrd1, pswrd2, ...) or even to change the password to itself. (Proper Safeguard settings can be used to discourage this behavior.)
• Might change a password correctly but write it down in an obvious place to remember it.
To protect passwords for special user IDs, you might want to require more frequent
password changes for special IDs than for general user IDs.
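As an added illustration (not code from the manual or from Safeguard), the following Python check applies the points above at password-change time: it rejects a new password derived from the user name or user ID, a password changed to itself, and a predictable series step such as pswrd1 to pswrd2. The GROUP.USER name and "group,user" ID formats are assumed, and all sample values are constructed.

```python
import re

# Added example: a password-change validator for the guidance in this section.
# User name (GROUP.USER) and user ID ("group,user") are NonStop-style samples.


def _normalize(text: str) -> str:
    """Lower-case and keep only letters and digits so 'Ops-Alice' ~ 'opsalice'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _split_trailing_digits(text: str) -> tuple[str, str]:
    """'pswrd12' -> ('pswrd', '12'); 'pswrd' -> ('pswrd', '')."""
    match = re.fullmatch(r"(.*?)(\d*)", text)
    return match.group(1), match.group(2)


def check_new_password(user_name: str, user_id: str,
                       old_password: str, new_password: str) -> list[str]:
    """Return the policy violations for a proposed change (empty list = accepted)."""
    problems = []
    new_n = _normalize(new_password)
    old_n = _normalize(old_password)

    # Rule 1: not derived from the user name (whole, or either GROUP/USER part)
    # or from the numeric user ID. Fragments shorter than 3 characters are ignored.
    fragments = [user_name, *user_name.split("."), user_id]
    for fragment in fragments:
        frag_n = _normalize(fragment)
        if len(frag_n) >= 3 and new_n and (frag_n in new_n or new_n in frag_n):
            problems.append(f"derived from account identifier '{fragment}'")
            break

    # Rule 2: the password may not be "changed" to itself.
    if new_n == old_n:
        problems.append("same as previous password")
        return problems

    # Rule 3: reject a predictable series (pswrd1 -> pswrd2, or pswrd -> pswrd1):
    # same stem, only the trailing digits differ.
    old_stem, old_num = _split_trailing_digits(old_n)
    new_stem, new_num = _split_trailing_digits(new_n)
    if old_stem and old_stem == new_stem and old_num != new_num:
        problems.append("predictable series of the previous password")

    return problems
```

A real deployment would run this alongside Safeguard's own expiration and history settings rather than instead of them.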
Protecting Passwords
You should provide guidelines for protecting passwords. All users should:
• Never write passwords down
• Use blind password entry (password entry that does not show the password on the screen as you enter it)
• Not store passwords in a system file
• While logging on, be careful that no one is watching while they are entering the password
Dial-Up Access and Security
Give dial-up access only to users who really need it and who will take extra care in
protecting your organization’s resources. Your policy and procedures regarding dial-up
lines should include special criteria for screening requests for dial-up access.
To protect your dial-up facility, consider:
• Using authorization lists
• Using additional external passwords
• Using callback systems
• Using automatic terminal authentication
• Periodically changing passwords and telephone numbers
• Providing precautions for when a dial-up line is dropped