Authentication and access control are two aspects of security in which administrators and users must participate equally for any level of effectiveness to exist. Security policies need to present the regulations and requirements clearly and should help employees understand the seriousness of compliance. Authentication policies establish the best practices and exact implementations used to provide access to desktop systems, servers, and local network resources, and access from remote sites. There are well-known methods to provide authentication and several guidelines that create a more highly secure environment. The authentication issues addressed by the security policy are important to most other areas covered within the policy. Access control is related to authentication and is often used simultaneously because the authentication of a user instantiates group membership and provides access to resources.

Not surprisingly, authentication security involves the implementation and use of various forms of authentication. Commonly used means are passwords, Personal Identification Numbers (PINs), single-use passwords, public-key encryption, proximity cards, smart cards, other code-generation tokens, and biometric agents. The most commonly used authentication method is the username/password combination. In comparison to other authentication methods, this is also the most easily compromised—theft of passwords comes in many different forms, often due to the individual's choice of password. People tend to gravitate towards easily remembered words or phrases when selecting passwords, such as names of family members, pets, hobbies, or other interests. Unfortunately, attackers often easily guess these passwords.

In the quest to balance ease of use with high security, authentication security policies help users create stronger passwords that might not be so easily discerned. The policies also provide guidelines by which users can increase the security of their daily work. The enforcement of these guidelines often occurs as a feature of the operating system or programs doing the authentication. Authentication security policy also differentiates between where and how authentication methods are used. Security requirements for access to different systems, networks, or facilities often mandate the need for each user to maintain several authentication methods. This is especially true for computer and network administrators.

Users are not the only group governed by authentication policies. Administrators need to be even more concerned with authentication security because they have and control access to highly privileged accounts, systems, and resources. There are also several guidelines for the handling and use of passwords. These guidelines help to keep users continually thinking of security in everything they do.

Company Z's Authentication Security Policy for users and administrators includes these guidelines:

· On systems where credentials are the username/password pair, passwords should meet the following criteria:
· Administrators must abide by the criteria set forth for users, with the addition that their passwords will expire more frequently, at six weeks.
· Passwords for privileged accounts will change every four weeks to provide higher safety because these accounts are shared amongst several administrators.
· Remote access will be granted using single-use passwords and code-generating security tokens to prevent theft of user credentials.
· All user accounts will have a password. Any user account without a password will be disabled or have a random password generated for it.
· Newly created accounts will have randomly generated passwords that expire upon first login, requiring the user to set a new password.
· Passwords should never be written down or stored on a recoverable medium such as paper, sticky notes, or white-boards.
· Users should never tell anyone their passwords.
· Administrators will never ask users for their passwords. In the event that someone does ask for the password, please report it immediately to IT and the security group.
· When automating tasks that require authentication, avoid storing passwords in clear text in data files. If possible, encrypt or hash the password prior to storing it, in order to prevent the theft of the passwords.
· When using smart cards, proximity cards, or other hardware token-based authentication methods, keep the device on your person at all times, and do not let others borrow it.
· When using public-key encryption methods for authentication, private key information should be protected via file access restrictions or storage on external devices such as smart cards.
· When using encryption, private and secret keys can be escrowed by the administration to protect the data from loss and to ensure that access is attainable when required.
· All authentications, whether successes or failures, are logged by the system being accessed.
· Systems should be configured to allow three failed login attempts before account lock-out occurs.
· In the event of login failure and account lock-out, internal accounts should be configured to allow logins again after 30 minutes. Permanent lock-outs are also supported by many operating systems. These require an administrator to intervene and reopen the account. A permanent lock-out can result in a denial of service condition if an attacker attacks multiple accounts.
· Remote access accounts should be disabled after three failed login attempts, requiring administrative intervention for the reuse of the account.
· Administrators should implement login notices that are displayed prior to login prompts. These notices should warn unauthorized users that their actions are monitored and attempts to enter the system are prohibited. Legal ramifications might result from continued use by unauthorized personnel.
· In the event of lost or stolen passwords and authentication devices, IT should be notified immediately in order to disable access for that account and to begin the creation of new access credentials.
· Administrators should confirm the identity of users before issuing new passwords. This can be done in person with the presentation of a badge or photo ID, the use of a special recovery password, a personal identification number, social security number, or other method that is normally known only by the user and administrator.

As you can see, the use of authentication is serious business. Users and administrators need to be made aware of the negative effects of authentication misuse. To summarize, the important components of authentication are:

· Teaching users and administrators to use authentication methods securely through strong password creation, as well as to keep passwords secure.
· Authentication logging and monitoring.
· Different authentication methods should be defined and used for different applications to provide the highest level of security, instead of standardizing on a single authentication method. For example, remote access often merits a stronger authentication mechanism than internal server access does.
· The importance of strict authentication security policies, such as password expiration and selection criteria, to make attack and compromise difficult.

Access control is the next related component to authentication. Access control exists at several levels—network access, data file access, and resource access. Network access is determined by protocols, port numbers, source and destination systems, and networks. Network access control is most likely maintained by the firewall. Data file and system resource access control is accomplished via operating system functionality, such as file permissions linked to user and group memberships. An access control security policy presents the user with a set of best practices for utilizing this functionality.

Consider Company Z's Access Control Policy:

· Network access control occurs via the firewall, which is configured to allow Internet access for employees. If a required service is blocked by the firewall, contact the IT or network administration group to discuss possible solutions.
· Employees are granted access to global company computing resources via their desktop login procedure.
· Common file shares are automatically initialized at login time. The user has rights to add to common areas, but not to remove files or folders unless the user created them.
· UNIX user accounts should be created with membership in the Global users groups or equivalent (operating system dependent).
· UNIX user accounts should have their own private group as the default group membership, which allows them to set permissions safely on their files and directories.
· Windows accounts should be members of the Domain Users group.
· Home directories should be created to allow access only by the owner of the directory.
· The UNIX umask setting allows users to specify a default permission level for newly created files. This should be set to create files that disallow everyone else to modify or execute them. (The default umask is generally 022, which creates files with read and write permissions for the owner and read permissions for the group and world.)
· The UNIX SetUID/GID settings should be avoided unless absolutely necessary.
· The permissions of user resource settings including .login, .profile, and .rhosts should be secured against unauthorized modification.
· Users should contact the IT department if any uncertainty exists when setting access control methods.
· If unauthorized access to files, folders, or other data is suspected, notify the IT department for an investigation.
· Automatic scans will execute on a regular basis to search for unsafe access control settings on user files, folders, and applications.
· The Windows NT and 2000 operating systems provide access to everybody (via the special "Everybody" group) by default. This group access should be removed and replaced with the Domain Users group, if access to all employees is to be granted.

Note: The Windows NT and 2000 operating systems support a slightly different access control mechanism than UNIX. The Windows mechanism has the standard read, write and execute permissions like UNIX, but also has several special attributes such as full-access and modify. The full-access permission allows the individual to modify all of the permissions, including changing the permissions for others. This is often not the desired effect, so in cases where the user requires only read, write, and execute access, full-access should not be enabled. The modify attribute allows a user to make changes to a file already in existence, but not to create new files or folders.

Access control policies can present useful technical information to the users and promote security awareness. Noting the technical details of access control mechanisms for the operating systems in use is beneficial because the casual user is often unaware of their existence or their use. The identification of contacts and procedures for access control issues is used to help the user learn and utilize secure settings.
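The automatic scan called for in the Access Control Policy could check the UNIX items that policy lists: owner-only home directories, protected .login, .profile and .rhosts files, SetUID/GID bits, and world-writable files. The following Python sketch is an added example, not part of the original article; the function name `audit_home` and the wording of its findings are assumptions made for illustration.

```python
import os
import stat

# Dotfiles the policy names as needing protection from unauthorized modification.
PROTECTED_DOTFILES = {".login", ".profile", ".rhosts"}


def audit_home(home):
    """Return sorted (relative_path, issue) findings for one home directory."""
    findings = []
    # Policy: home directories allow access only by their owner.
    if os.lstat(home).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((".", "home directory accessible by group/other"))
    for root, dirs, files in os.walk(home):   # does not follow symlinked dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own mode bits carry no access decision
            rel = os.path.relpath(path, home)
            # Policy: login and trust files must not be modifiable by others.
            if (root == home and name in PROTECTED_DOTFILES
                    and mode & (stat.S_IWGRP | stat.S_IWOTH)):
                findings.append((rel, "login/trust file writable by group/other"))
            # Policy: avoid SetUID/GID unless absolutely necessary.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "SetUID/SetGID bit set"))
            # A umask of 022 or tighter never produces these; flag the strays.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((rel, "world-writable"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, issue in audit_home(sys.argv[1]):
        print(f"{issue}: {rel}")
```

Run from a scheduled job once per home directory, an empty result means the directory meets the UNIX items in the policy.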
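The lock-out rules in the Authentication Security Policy (three failed attempts, a 30-minute lock-out for internal accounts, administrator-only reopening for remote access accounts, and logging of every attempt) can be expressed as a small state machine. This Python sketch is an added example, not part of the original article; the names `Account`, `attempt`, `is_locked` and `admin_unlock` are hypothetical, the clock is passed in as seconds, and resetting the counter on success is an assumption the policy does not state.

```python
import logging
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3                 # policy: three failed attempts, then lock-out
INTERNAL_LOCK_SECONDS = 30 * 60  # policy: internal accounts reopen after 30 minutes
log = logging.getLogger("auth")  # policy: successes and failures are both logged


@dataclass
class Account:
    name: str
    remote: bool = False         # remote accounts need an administrator to reopen
    failures: int = 0
    locked_at: Optional[float] = None


def is_locked(acct: Account, now: float) -> bool:
    if acct.locked_at is None:
        return False
    if not acct.remote and now - acct.locked_at >= INTERNAL_LOCK_SECONDS:
        acct.locked_at, acct.failures = None, 0   # timed lock-out has expired
        return False
    return True


def attempt(acct: Account, password_ok: bool, now: float) -> bool:
    """Record one login attempt; return True only when access is granted."""
    if is_locked(acct, now):
        log.warning("login denied, account locked: %s", acct.name)
        return False
    if password_ok:
        acct.failures = 0        # assumption: a success clears the failure count
        log.info("login success: %s", acct.name)
        return True
    acct.failures += 1
    log.warning("login failure %d/%d: %s", acct.failures, MAX_FAILURES, acct.name)
    if acct.failures >= MAX_FAILURES:
        acct.locked_at = now
        log.warning("account locked: %s", acct.name)
    return False


def admin_unlock(acct: Account) -> None:
    """Administrative intervention: reopen an account after identity checks."""
    acct.locked_at, acct.failures = None, 0
    log.info("account reopened by administrator: %s", acct.name)
```

A correct password is refused while the account is locked, and only the internal account recovers on its own, which is what limits the denial of service condition the policy attributes to permanent lock-outs.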