To secure your NT-UNIX network, you need to effectively manage the logon process, which starts when users create passwords. In most organizations, the logon name is user friendly and fairly easy to discern (e.g., msmith for Mary Smith). This practice leaves the password as the key to securing access. You must give users guidelines on how to create passwords that hackers won't easily discern. For example, tell users not to create passwords that use their name or use pop culture words (e.g., rollingstone or xfiles). Instead, users need to create passwords consisting of alphanumerics that would make little sense to a third party. Because the person bent on viewing unauthorized data or destroying files is as likely to be an individual down the hall as a wizard in a remote location, you need to remind users that they must not write or verbalize their passwords. Also, tell users that they need to be aware of those who can observe them typing their password; replicating keystrokes is a simple task. Hackers maintain a dictionary of words and run an automated process in which the words in their dictionary are tried against a user's account. In NT and many UNIX variants, you can set a lockout option that will freeze a user's account if the person submitting the password surpasses the specified number of logon attempts. In UNIX variants with lockout options, the systems administrator can generally set up the frequency as part of the user management or add user functions. To account for users accidentally typing in the wrong password, we recommend that you set the lockout option at three or four attempts. The Administrator account in NT doesn't have a lockout option. Microsoft Windows NT Server 4.0 Resource Kit has a lockout utility, PASSPROP/ADMINLOCKOUT. An alternative approach is to change the administrator's logon name to a non-obvious descriptor. Hackers must then identify both the administrator's logon name and password to get into the system. To further frustrate hackers, you can set up a bogus account in User Manager for Domains without rights or privileges under the administrator's old name.
|
|
|
|
|
|
|
|