IT Account and Access Procedure

Transcription

1 IT Accunt and Access Prcedure

2 Revisin Histry Versin Date Editr Nature f Change 1.0 3/23/06 Kelly Matt Initial Release

3 Table f Cntents 1.0 Overview Purpse Scpe Passwrds User Requirements Technical Requirements Prcedural Requirements Bad Passwrd Practices: Passwrd Self Service Accunt Management Accunt Taxnmy Granting Access Administrative Accunts: Administrative Accunt Passwrd Requirements: Tw-factr authenticatin fr Administrative Accunt:. Errr! Bkmark nt defined. 5.4 Temprary Privilege Accunts: Reevaluatin f System Access Revking Access Enfrcement Related Plicies, Prcedures, and Cdes f Cnduct Appendix A: Active Directry Passwrd Cnfiguratin... 5 Appendix B: IT Accunt and Access Prcedure Exceptin... 6

4 1.0 Overview All individuals wh access the University f Nrthern Clrad s cmputing infrastructure have a respnsibility t safeguard these systems and data. User accunts and passwrds are tw mechanisms thrugh which this is accmplished. This prcedure establishes the rules by which user accunts and passwrds shuld be managed and used n any cmputing resurce belnging t the University. 2.0 Purpse The ability t access infrmatin and/r applicatin systems within UNC s cmputing envirnment must be based n clearly defined business requirements. This dcument aids in establishing clear definitin fr accunt and passwrd management. 3.0 Scpe This Prcedure applies t emplyees, cntractrs, cnsultants, temprary emplyees, and ther wrkers at UNC including all persnnel affiliated with third parties. This Regulatin applies t all equipment that is wned r leased by UNC. 4.0 Passwrds Passwrds are an imprtant frm f prtectin used t ensure that the University s infrmatin is stred and prcessed in a secure manner. Due t this, passwrds must be defined and implemented in accrdance with a minimum set f standards. This sectin establishes the rules by which passwrd shuld be assigned and used n any cmputing resurce belnging t the University 4.1 User Requirements Users are respnsible fr all activity perfrmed with their individual user-id. User-IDs may nt be utilized by anyne the individuals t whm they have been issued. Users must nt allw thers t perfrm any activity with their user-ids. Similarly, users must nt perfrm any activity with IDs belnging t ther users. Users must chse their wn passwrds. They shuld nt be easily guessed but easy enugh fr the user t remember withut writing it dwn. Users are respnsible fr maintaining the security f their passwrds. Passwrds shuld NEVER be shared, written dwn, r stred electrnically. If a user must write a passwrd dwn, it shuld never be written n smething that can be assciated with the user (i.e. business cards). If passwrds need t be stred electrnically an encryptin schema that is apprved by the Office f Infrmatin Security must be used. (See Appendix B IT Accunt and Access Prcedure Exceptin) The sharing f a single user ID r assciated passwrd amng several users is prhibited Prir t receiving an accunt, all users must sign a statement acknwledging that they have received and reviewed the university s IT acceptable user regulatin. Access t varius types f infrmatin may be blcked. Individuals will be required t btain apprpriate apprval prir t being allwed access. Individuals accessing university data withut a valid business need may be subject t disciplinary actin. If a user believes their passwrd has been cmprmised, the user shuld cntact the UNC Technical Supprt Center immediately fr assistance. 4.2 Technical Requirements Persnal cmputers shall have a screen saver passwrd set t autmatically engage after 10 minutes f inactivity. Where technically feasible all systems will at a minimum prmpt fr user ID and emply passwrds fr accunt access. All accunts must be disabled after 5 unsuccessful lgn attempts. Where technically feasible passwrd cmplexity must be prgrammatically enfrced. Passwrds must be a minimum f 9 characters lng fr all user accunts. Page 1 9/26/2006

5 Passwrds shuld nt be displayed in plain text n the mnitr when entered. Where technically feasible single-sign-n technlgy shuld be used. Passwrds must cntain characters frm at least three f the fllwing fur classes: Upper case letters Lwer case letters Numeric (0 t9), this shuld nt be the first r last character One special character, this shuld nt be the first r last character Where technically feasible a passwrd histry f 14 passwrds must be retained t limit passwrd reuse. Where technically feasible the minimum passwrd age shall be 1 day. User accunts must change passwrds every 90 days. Users must be able t change their wn passwrd independent f any external party. 4.3 Prcedural Requirements Administrative accunts must fllw the prcedures identified in sectin TSC persnnel must verify the identity f a user prir t resetting the passwrd. Identity verificatin may be dne by using vic call back r by sme ther apprved frm f identity verificatin. A system administratr must manually unlck accunts. New accunts r accunts fr which a passwrd has been reset must be set t expire at the next lgin attempt. Passwrds must nt be embedded in scripts r applicatin cde and will nt be used in URL passing. Fr internet applicatin, separate the delivery f user ID and passwrds is required. All new r reset passwrds must meet cmplexity rules and be randmly generated. N cmmn r default passwrds will be used. N default system and applicatin passwrds are allwed. Passwrds exempted frm regular changing must have an apprved exceptin. Exceptins must be apprved by the Office f Infrmatin Security and the apprpriate directr fr the respective IT unit. The passwrd will be a minimum f 12 characters (r the maximum permitted by technlgy, whichever is less) in length. Upn renewal f the exceptin, the passwrd must be changed. User accunts with nn-expiring passwrds are prhibited. 4.4 Bad Passwrd Practices: The fllwing are sme examples f practices and behavirs that can result in weak r bad passwrds. Under n circumstances shuld individuals use passwrds that utilize the fllwing: Passwrds that match the accunt ID Passwrds that cntain the user accunt wner s name, first middle r last. Passwrds that cntain the users bear ID r Scial Security number Any vendr r prduct name Any cnsecutive r repeating keybard characters e.g. 123, jkl Individuals are strngly urged t nt use the fllwing when creating there passwrds: The name f a fd, celebrity, sprt r sprts team IT Accunt and Access Prcedure Wrds that are fund in cmmn dictinaries English r therwise Using sequential passwrds Passwrds that cntain family member r pet names Page 2 9/26/2006

6 4.5 Passwrd Self Service Passwrd Self Service is a pwerful and very useful tl. This technlgy can reduce supprt csts and significantly reduce supprt calls. The benefits frm these tls are significant. Hwever, due t the very pwerful nature f these tls precautins must be in place t guard against misuse and abuse. The fllwing are base level guidelines that a passwrd self service slutin must meet. Servers and systems used t prvide passwrd reset activities must be sufficiently secured and have limited well defined access rights. All passwrd reset related activities must be handled via an encrypted channel At n pint in the passwrd reset prcess shuld any data used t reset passwrds be passed in clear text. Infrmatin gathered and used t perfrm passwrd resets must be sufficiently unique t the given individual. Infrmatin that a large number f individuals may have in cmmn shuld nt be used t reset user passwrds. Infrmatin gathered and used t perfrm passwrd resets must nt be easily guessed r easily btained. Examples include but are nt limited t the fllwing: Mthers maiden name Data f birth Place f birth Favrite Clr 5.0 Accunt Management User accunts are the primary frm f digital identity and access t UNC cmputing resurces. As such, it is vitally imprtant that these digital identities be managed in a cnsistent fashin. The fllwing utlines accunt management practices fr the University f Nrthern Clrad. 5.1 Accunt Taxnmy The fllwing naming standards will be used fr all accunts created within the universities cmputing envirnment. User accunts: first name.last name Administratr accunts: last.admin Service accunts: unique descriptin.service (In additin t a standard descriptins a primary cntact must be defined and dcumented in a descriptin r cmments field fr the accunt. The primary cntact shuld be defined by psitin as well as name.) 5.2 Granting Access Netwrk access must be granted based n business requirements. Privileges will be granted nly when there is a legitimate need. User accunts require prper authrizatin prir t being established. T maintain individual accuntability and system integrity, user IDs must be unique within and acrss cmputing platfrms. Each cmputer and cmmunicatin system user-id must uniquely identify nly ne user. Shared r grup user-ids are permitted nly when the use f a unique user-id is nt feasible. Exceptins must be dcumented and apprved by management and the Office f Infrmatin Security. 5.3 Administrative Accunts: Each request fr administrative rights will be made in writing and will include the fllwing: Justificatin fr the need fr the accunt Line management apprval Page 3 9/26/2006

7 Infrmatin Security Office apprval IT Management apprval Administrative Accunt Passwrd Requirements: Accunts that have elevated privileges must adhere t the fllwing passwrd requirements: All administrative, technical supprt accunts, and accunts deemed t have privileged access must change there passwrd every 45 days. These accunts, where technically feasible, must make use f a 14 character passwrd. Passwrd, where technically feasible, must cnsist f uppercase, lwercase, numbers, special characters, and extended ASCII characters. 5.4 Temprary Privilege Accunts: Temprary privilege accunts will be re-evaluated every 6 mnths. Temprary privilege accunts will nly be issued at the discretin f the UNC Infrmatin Security Office with the apprval f IT management. Duratin f such accunts will be negtiated based upn the business need and nly when there is n viable alternative slutin. These accunts will be limited in functin, allwed nly t perfrm the required task/s. Prjects: When privileges are granted fr a particular prject, these privileges will be revked at the cmpletin f the prject. 5.5 Reevaluatin f System Access System privileges shuld be reviewed n a peridic basic. Accunt and privileges that n lnger apprpriate must be prmptly revked. All user accunts that have been inactive fr 60 cnsecutive days will be reviewed, disabled, and deleted frm the system as necessary. New accunts nt activated within 14 days must be disabled. 5.6 Revking Access The fllwing guidelines specify the requirements fr separatin f emplyees and cntractrs. User accunt shall be immediately disabled upn separatin frm the university. As part f the separatin Human Resurces will submit a request t the TSC t have the accunt disabled. Reactivating an accunt that has been disabled will require the user t fllw the initial request prcess. 6.0 Enfrcement Thse fund t have vilated this regulatin may be subject t suspensin f cmputer access privileges. 7.0 Related Plicies, Prcedures, and Cdes f Cnduct. All applicable laws and University plicies, regulatins and prcedures bind UNC students and emplyees. UNC Acceptable Use Regulatin: Page 4 9/26/2006

8 Appendix A: Active Directry Passwrd Cnfiguratin Active Directry Passwrd Plicy Setting: Plicy Enfrce passwrd histry Maximum passwrd age Minimum passwrd age Minimum passwrd length Passwrd must meet cmplexity requirements Stre passwrds using reversible encryptin Setting 14 passwrds remembered 90 days 1day 9 characters Enable Disabled Accunt Lckut Settings: Plicy Accunt lckut duratin Accunt lckut threshld Reset accunt lckut cunter after Setting lckut until unlcked by admin 5 invalid lgn attempts 30 minutes Page 5 9/26/2006

9 Appendix B: IT Accunt and Access Prcedure Exceptin IT Accunt and Access Prcedures exceptin can nly be granted after a security review and with applicable functinal area directr apprval. Exceptins will nly be granted in cases where there is a well justified need and business case fr nt adhering t IT Security Prcedures. Mitigating cntrls will be required in any case were an exceptin t this prcedure is granted. These cntrls must be apprved by the Office f Infrmatin Security and dcumented in this frm. Exceptins are granted fr a maximum f 12 mnths but can be granted fr intervals shrter then 12 mnths. Upn expiratin f an exceptin a review will be cnducted with the requester and the validity f the exceptin examined. If the exceptin is still deemed necessary and prudent the requester must submit a new exceptin frm fr the new time perid. Passwrds fr the accunt must be changed at the expiratin f any given exceptin. Requester: Psitin: Department: Accunt Name: Technical Reasn fr Exceptin: Business Justificatin: Security Requirements and Mitigating Cntrls: Security Apprval Print Name: Sign: Date: Unit Directr Apprval: Print Name: Sign: Date: Exceptin Terminatin (Max 12 Mnths): Page 6 9/26/2006