Password Control

One of the most tedious day-to-day tasks for Active Directory administrators in medium to large organizations is the management of user accounts and their respective information, things such as resetting user passwords, clearing account lockouts, updating of phone numbers and additional information. Guidelines to control password:

Passwords shall be changed on a regular basis (at least once every 90 days). Passwords which are obvious, such as nicknames and dates of birth, should not be allowable. Passwords should never be shared with another user. Employees are formally notified as to their role in protecting the security of the user ID. and password. Counter accounts, for view only, are an exception to this rule. Passwords shall have a minimum length of eight characters. When possible, passwords should contain upper and lower case letters, numbers and special characters Passwords stored on a computer should be encrypted in storage. System software should enforce the changing of passwords and the minimum length and format. The non-printing, password-suppression feature should be used on all terminals to prevent the display of a user ID or password at log-on. System software should disable the user identification code if more than three consecutive invalid passwords are given. System software should maintain a history of at least two previous passwords and prevent their reuse. Procedures for forgotten passwords should require that the user be personally identified by Support Service Audit trail

Audit trail is a sequence of steps supported by proof documenting the real processing of a transaction flow through an organization, a process or a system. An Audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Audit records typically result from activities such as transactions or communications by individual people, systems, accounts or other entities. Webopedia defines an audit trail as "a record showing who has accessed a computer system and what operations he or she has performed during a given period of time." In telecommunication, the term means a record of both completed and attempted accesses and

service, or data forming a logical path linking a sequence of events, used to trace the transactions that have affected the contents of a record. In information or communications security, information audit means a chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event. In nursing research, it refers to the act of maintaining a running log or journal of decisions relating to a research project, thus making clear the steps taken and changes made to the original protocol. In accounting, it refers to documentation of detailed transactions supporting summary ledger entries. This documentation may be on paper or electronic records. In online proofing, it pertains to the version history of a piece of artwork, design, photograph, video, or web design proof during the lifecycle of a project. The process that creates audit trail should always run in a privileged mode, so it could access and supervise all actions from all users, and a normal user could not stop/change it. Furthermore, for the same reason, trail file or database table with a trail should not be accessible to normal users. The software can operate with the closed-looped controls, or as a 'closed system,' as required by many companies when using an Audit Trail system http://www.scribd.com/doc/57660818/It-Workshop-Lab-Manual