e-governance Password Management Guidelines Draft 0.1

Transcription

1 e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

2 Document Control S. No. Type of Information Document Data 1. Document Title egov Password Management Guidelines 2. Document Code GL_eGov_AM 3. Date of Release 4. Next Review Date 5. Document Owner DietY 6. Document Author(s) 7. Document Reviewer 8. Document Reference PR_eGov_UAMP Document Approval S. No. Document Approver Approver Designation Approver ID Document Change History Version No. Revision Date Nature of Change Date of Approval Document Classification: Internal Page 2 of 10

3 Table of Contents 1. INTRODUCTION PURPOSE SCOPE PASSWORD MANAGEMENT & CONSTRUCTION ACTIVE DIRECTORY ENVIRONMENT UNIX SYSTEMS PASSWORD ALLOCATION PROCESS PASSWORD RESET PROCESS PASSWORD MANAGEMENT GUIDELINES E-SAFE RECOMMENDATION ROLES AND RESPONSIBILITY Document Classification: Internal Page 3 of 10

4 1. INTRODUCTION Any compromise to the confidentiality, integrity or availability of e-gov networks, systems or information could impair the ability of e-gov Service delivery. Adverse public exposure brought on by a compromise would damage e-gov s credibility across the country. Ensuring that e-gov departments and public data are kept secure is a vital element in e-gov s approach to security. This document establishes the e-gov Password Management Guidelines to implement password controls i.e. e-gov Password Policy (refer in e-gov Security Policy (esp) ). The document is the outline of requirements for creating and protecting passwords within the e-gov service delivery environment across states, ministries or departments. Asset owners i.e. Department or application owners must perform a risk assessment of assets (application or data) held in the specific system to arrive at the criticality of asset/s.( Refer the e-governance Security Standards Framework (esafe) section GD300 Risk Assesment: Guidelines for Information Security Risk Assessment and Management in an e-governance project). Accordingly the advanced security features can be implemented as control improvements ( refer e-safe ( GD 210): Guidelines for implementing chosen security controls). The last section of this document deals with control recommendations and improvements as per e-safe ( e-governance Security Assurance Framework) 2. PURPOSE The principal objective of this document is to provide general guidelines for the protection of passwords used by people who have privileged and non-privileged access to multiple servers, systems and applications. Care and maintenance of these passwords is imperative to ensure computer accounts are not improperly accessed and e-gov information is not compromised, and subsequently to mitigate the associated risks. Compliance with these guidelines will help ensure the departments to comply with of e- Gov Password policy requirements. Document Classification: Internal Page 4 of 10

5 3. SCOPE This guideline does not supersede the requirements of the e-gov Password Policy and/or state specific password polices but is designed to augment the policy. The policy is applicable to all assets and information systems deployed in e-gov Service delivery framework. These guidelines will suffice to comply with minimum baseline requirements of esp recommended by esafe standard and best practices. 4. PASSWORD MANAGEMENT & CONSTRUCTION All account passwords should follow the e-gov or applicable Password Policy. Where possible, privileged user accounts should be tied into a centrally managed system such as Active Directory or Novell edirectory and avoid using local system accounts. This provides a mechanism to enforce password policy and account management along with auditing of password change guidelines ACTIVE DIRECTORY ENVIRONMENT When utilizing Active Directory (AD), rights should be managed by roles. These roles should be defined at the highest level (global, enterprise, regional, and local) possible to allow for the simplest management. Password complexity should be enabled in the domain controllers to ensure e-gov password policy is complied with UNIX SYSTEMS Often UNIX hosts are not part of a larger directory structure such as AD but are more likely to be stand-alone devices. These UNIX hosts that are not incorporated into a mature directory structure must meet the same requirements as it pertains to user and password management within the AD infrastructure PASSWORD ALLOCATION PROCESS Document Classification: Internal Page 5 of 10

6 In order to ensure that passwords are communicated only to the relevant user, they should be communicated back to the originator of the request or the person to whom this is assigned Passwords should be communicated securely to the users like use of encrypted s could be done for communicating the passwords to the users All initial passwords should be Forced to Modify on the first usage 4.4. PASSWORD RESET PROCESS Users/ administrators during the course of time may forget their passwords, in which case the same has to be reset. If the password reset is not done in a proper and secure manner, it is possible for unauthorized users to ask for passwords of authorized users to be reset and gain access to systems. Password reset requests should come from appropriate channels to system administrators/ application administrators If the user has forgotten his ID password or is not able to login to his account he/ she should personally raise a password change request as per the formally managed process in place viz. Service Desk. Responsible team should verify the user identity and then forward the password change request to system administrators The designated personnel should confirm the request with the person who has requested the reset. On his satisfaction, the new password should be allocated and confirmed back to the end user only. In the event of suspected compromise of password or disclosure, user shall require to raise a security incident. He/ She should also inform designated team viz. Service Desk immediately. Subsequently the password should be changed and communicated to user. Before changing the password, the the Service Desk should authenticate the user. A log of password resets, wherever possible should be maintained for auditing purposes PASSWORD MANAGEMENT GUIDELINES Following e-gov Password policy controls should be enforced so that all the system accounts are bound to have password of minimum desired quality. Document Classification: Internal Page 6 of 10

7 All users getting access to e-gov systems are authenticated using active directory feature provided by Windows NT/2003/2008. The system should grant access to the domain, provided the user Id and passwords are correct. If any application or data base that are not integrated with active directory services (ADS), it should have provisions of creating unique user Ids and passwords to authenticate users prior accessing the systems Passwords should be encrypted when stored in files or databases. Access to this field of the database should be restricted to only system security administrators Passwords should not be transmitted in clear text form over any kind of network Authentication, authorization and accounting for all critical network devices should be done through centrally controlled server and access for same should be provided to specific security administrators Password complexity requirements should be enforced using domain policies. The complexity requirements should include minimum of following points: Minimum password age should be set for one day Minimum password length should of eight characters Record of last 5 passwords should be maintained in order to prevent its reuse Password should contain a mix of alphabetic and non-alphabetic characters (number, punctuation or special characters) or a mix of at least two types of non-alphabetic characters Policy should be set such that password for all users having normal access as well as privilege users to systems expires in 45 days Policy should be enforced to lock the user account after 5 successive invalid login attempts Account lockout duration and reset account lockout duration should be set for 30 minutes for desktops If administrative privileged account is locked out, then the user should not be able to login until the account is unlocked by the system administrator Document Classification: Internal Page 7 of 10

8 By default, all applications and systems should be configured to not display passwords on the screen while being keyed in Policy should be set to audit user account login/logout, to ensure each user can be held accountable for his/her act Logs for all the activities should be maintained for 90 days. Logs of unsuccessful attempts and suspected successful attempts should be reviewed by designated administrators periodically Default accounts should be disabled and/ or default passwords should be changed immediately by adhering to the base line hardening procedures for the systems and applications Provide proper user awareness trainings to all the users (including the third party vendor employees, contract employees) to ensure password procedures and policies are followed by all the users Force users to change the temporary password given during the account creation at the first log-on 4.6. E-SAFE RECOMMENDATION Besides the aforementioned exhaustive list of controls laid down in e-gov Password Policy, following guidelines should be followed at in application code ( APPLICATION CLASS) and infrastructure ( INFRASTRUCTURE CLASS) as recommended by e-safe as per the criticality of the environment. (Refer Guidelines for Implementation of Security Control ( GD 210): Guidelines for implementing chosen security controls) I. Following list of control improvements are recommended for applications in e- SAFE application class. Application should not allow creation or use of weak passwords by users Maintain a record/history of specified no of previously used passwords to prevent re-use. Define the requirement of the control mechanisms in RFP and/or SRS. Document Classification: Internal Page 8 of 10

9 Conduct formal testing of the implemented control mechanisms. II. Following list of controls are best practices to be followed in e-gov environment recommended in e-safe Infrastructure class. In some of the devices, by default the authentication scheme is not present or default system accounts are without password. Such default system accounts without password shall be disabled. The organization should discourage use of group account and sharing of account credentials and enforce the use of individual user IDs and passwords to maintain accountability. The default passwords of the devices (e.g. network routers, switches, Access point etc.) should be changed during installation and this practice should be integrated with the organizational procedure for installation of the computing and communication devices. The keeper of master passwords should be a trusted employee like Project Manager belonging to e-governance Information Security Working Group ( ISWG), available during emergencies. Any copies of the master passwords must be stored in a very secure location (a sealed envelope or a properly access controlled repository with limited access). The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be most secured and be changed frequently. Authority to change master passwords should be limited to trusted employees. A password audit record, especially for master passwords, should be maintained separately from the control system. Store password files separately from application system data. III. Following list of control improvements are recommended for applications in e- SAFE application class. The organization should adopt a managed process to verify the identity of the requestor for resetting or reissue of the account password. The system should store the password not in clear text and should eliminate use of weak hash (NTLM hash instead of LANMAN hash or salted MD5) The organization should discourage use of group account and sharing of account credentials and enforce the use of individual user IDs and passwords to maintain accountability. Document Classification: Internal Page 9 of 10

10 For highly sensitive system, the root or administrator password shall be broken into two parts and each part will be available with two different persons to minimize the security risk by person. In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multi-factor authentication using biometric like thumb impression, physical tokens(rsa token), smart card or USB token having digital certificate ROLES AND RESPONSIBILITY Role Responsibility Service desk/helpdesk Ensure proper user identification is done System Administrator/ Application Administrator CISO Generation of passwords Ensuring that users are forced to change the passwords after logging first time Resetting the passwords and communicating the same to the user Ensure appropriate policies are configured to meet the requirements of password management guidelines Ensure proper user awareness trainings are done to educated users on use of password and its management Document Classification: Internal Page 10 of 10