Print this chapterPrint this chapter

Access Control Fundamentals

5. Access Control Practices

  • Deny access to systems by undefined users or anonymous accounts.
  • Limit and monitor the usage of administrator and other powerful accounts.
  • Suspend or delay access capability after a specific number of unsuccessful logon attempts.
  • Remove obsolete user accounts as soon as the user leaves the company.
  • Suspend inactive accounts after 30 to 60 days.
  • Enforce strict access criteria.
  • Enforce the need-to-know and least-privilege practices.
  • Disable unneeded system features, services, and ports.
  • Replace default password settings on accounts.
  • Limit and monitor global access rules.
  • Ensure that logon IDs are nondescriptive of job function.
  • Remove redundant resource rules from accounts and group memberships.
  • Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
  • Enforce password rotation.
  • Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
  • Audit system and user events and actions and review reports periodically.
  • Protect audit logs.