In the least restrictive case, the people who are authorized to grant access would be able to go into the system directly and create an account by hand or through vendor-supplied mechanisms. Generally, these mechanisms place a great deal of trust in the person running them, and the person running them usually has a large amount of privileges. If this is the choice you make, you need to select someone who is trustworthy to perform this task. The opposite solution is to have an integrated system that the people authorized to create accounts run, or that the users themselves may actually run. Be aware that even the restrictive case of having a mechanized facility to create accounts does not remove the potential for abuse. You should have specific procedures developed for the creation of accounts. These procedures should be well documented to prevent confusion and reduce mistakes. A security vulnerability in the account authorization process is not only possible through abuse, but is also possible if a mistake is made. Having a clear and well documented procedure will help ensure that these mistakes won't happen. You should also be sure that the people who will be following these procedures understand them.

182 Part I: Managing Internet Security

The granting of access to users is one of the most vulnerable of times. You should ensure that the selection of an initial password cannot be easily guessed. You should avoid using an initial password that is a function of the username, is part of the user's name, or some algorithmically generated password that can easily be guessed. In addition, you should not permit users to continue to use the initial password indefinitely. If possible, you should force users to change the initial password the first time they log in. Consider that some users may never even log in, leaving their password vulnerable indefinitely. Some sites choose to disable accounts that have never been accessed, and force the owner to reauthorize opening the account.

2.3.4 Who May Have System Administration Privileges?

One security decision that needs to be made very carefully is who will have access to system administrator privileges and passwords for your services. Obviously, the system administrators will need access, but inevitably other users will request special privileges. The policy should address this issue. Restricting privileges is one way to deal with threats from local users. The challenge is to balance restricting access to these privileges to protect security with giving people who need these privileges access so that they can perform their tasks. One approach that can be taken is to grant only enough privilege to accomplish the necessary tasks.

Additionally, people holding special privileges should be accountable to some authority, and this should also be identified within the site's security policy. If the people you grant privileges to are not accountable, you run the risk of losing control of your system and will have difficulty managing a compromise in security.

2.3.5 What Are The Users' Rights and Responsibilities?

The policy should incorporate a statement on the users' rights and responsibilities concerning the use of the site's computer systems and services. It should be clearly stated that users are responsible for understanding and respecting the security rules of the systems they are using. The following is a list of topics that you may wish to cover in this area of the policy:

- What guidelines you have regarding resource consumption (whether users are restricted, and if so, what the restrictions are).
- What might constitute abuse in terms of system performance.
- Whether users are permitted to share accounts or let others use their accounts.
- How "secret" users should keep their passwords.
- How often users should change their passwords and any other password restrictions or requirements.
- Whether you provide backups or expect the users to create their own.
- Disclosure of information that may be proprietary.
- Statement on Electronic Mail Privacy (Electronic Communications Privacy Act).
- Your policy concerning controversial mail or postings to mailing lists or discussion groups (obscenity, harassment, etc.).
- Policy on electronic communications: mail forging, etc.

RFC 1244 The Site Security Handbook 183

The Electronic Mail Association sponsored a white paper on the privacy of electronic mail in companies [4]. Their basic recommendation is that every site should have a policy on the protection of employee privacy. They also recommend that organizations establish privacy policies that deal with all media, rather than singling out electronic mail. They suggest five criteria for evaluating any policy:

1. Does the policy comply with law and with duties to third parties?
2. Does the policy unnecessarily compromise the interest of the employee, the employer or third parties?
3. Is the policy workable as a practical matter and likely to be enforced?
4. Does the policy deal appropriately with all different forms of communications and record keeping within the office?
5. Has the policy been announced in advance and agreed to by all concerned?

2.3.6 What Are The Rights and Responsibilities of System Administrators Versus Rights of Users

There is a tradeoff between a user's right to absolute privacy and the need of system administrators to gather sufficient information to diagnose problems
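The account-granting advice in 2.3.3 above (initial passwords that are not derived from the username or the user's name, forcing a change at first login, and disabling accounts that have never been accessed) is easy to turn into a routine check. The following is an added example and is not part of RFC 1244 or any site's own tooling; the account record fields and the sample records are constructed for illustration, and the 30-day threshold is an assumed site setting.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed sample account records (hypothetical fields, not from the RFC).
NOW = datetime(2024, 6, 1)
ACCOUNTS = [
    {"user": "alice", "name": "Alice Liddell", "created": NOW - timedelta(days=2),
     "last_login": NOW - timedelta(days=1), "password_changed": True},
    {"user": "bob", "name": "Bob Roberts", "created": NOW - timedelta(days=45),
     "last_login": None, "password_changed": False},
    {"user": "carol", "name": "Carol King", "created": NOW - timedelta(days=10),
     "last_login": NOW - timedelta(days=3), "password_changed": False},
    {"user": "dave", "name": "Dave Jones", "created": NOW - timedelta(days=5),
     "last_login": None, "password_changed": False},
]

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def generate_initial_password(length=16):
    """Initial password drawn from a CSPRNG, so it is a function of nothing
    the user or an observer knows (not the username, not the user's name)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def initial_password_is_weak(username, password, full_name=""):
    """Reject an initial password that the handbook calls easily guessed:
    too short, or containing the username (forwards or reversed) or any
    part of the user's real name."""
    if len(password) < 12:
        return True
    pw = password.lower()
    tokens = [username.lower(), username.lower()[::-1]]
    tokens += [t.lower() for t in full_name.split() if len(t) >= 3]
    return any(tok in pw for tok in tokens)


def issue_initial_password(username, full_name=""):
    """Generate until the candidate passes the guessability check."""
    while True:
        candidate = generate_initial_password()
        if not initial_password_is_weak(username, candidate, full_name):
            return candidate


def audit_accounts(accounts, now=NOW, max_unused_days=30):
    """Flag the two lifecycle problems the handbook describes: accounts still
    on their initial password, and accounts never logged into since creation
    (older than max_unused_days, an assumed site threshold) that should be
    disabled pending reauthorization by the owner."""
    findings = {"force_password_change": [], "disable_never_used": []}
    for acct in accounts:
        if not acct["password_changed"]:
            findings["force_password_change"].append(acct["user"])
        never_used = acct["last_login"] is None
        if never_used and (now - acct["created"]).days > max_unused_days:
            findings["disable_never_used"].append(acct["user"])
    return findings


if __name__ == "__main__":
    for user, name in (("bob", "Bob Roberts"), ("carol", "Carol King")):
        print(user, "initial password:", issue_initial_password(user, name))
    for category, users in audit_accounts(ACCOUNTS).items():
        print(category, users)
```

In practice the password check runs at account creation and the audit runs on a schedule against the real account store; the two findings map directly onto the handbook's advice to force a change at first login and to disable never-used accounts rather than leave the initial password exposed indefinitely.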