IT Baseline Protection Manual S 4.17 Blocking and erasure of unneeded accounts and terminals

S 4.17 Blocking and erasure of unneeded accounts and terminals

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Accounts which are not used over a prolonged period of time should be blocked and subsequently deleted. Under Unix, the pertinent entries in /etc/passwd, /etc/group and the home directory of the user should be deleted. It should also be ensured that further user entries in files such as /etc/hosts, shadows etc. are deleted. Before this action, the data of a home directory should be backed up. The user concerned should be informed of the blocking and, in any case, of the deletion of an account. When deleting an account, care must also be taken to locate the files of a user which are not contained in his home directory. Such files must be deleted or assigned to other users. Also, care must be taken to cancel processes in progress and jobs to be processed, e.g. under Unix in crontab.

Similarly, terminals not used for a prolonged period of time should be blocked and subsequently removed.

Under Unix, system-installed log-ins (e.g. sys, bin, adm, uucp, nuucp, daemon and lp) which are not required must be blocked by entering "*" or, e.g., LOCKED in the pertinent password field in the file /etc/passwd.
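The following added example (not part of the manual) shows one way to check this safeguard: it reads a passwd-format file, and optionally a shadow-format file, and reports the lock state of the system-installed log-ins listed above. The function names, the state labels and the treatment of a leading "!" as locked are assumptions of this example; the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the manual.
# Usage: audit_system_logins PASSWD_FILE [SHADOW_FILE]
# Prints "login:STATE"; STATE is LOCKED, ACTIVE, EMPTY or UNKNOWN.
audit_system_logins() {
    awk -F: -v shadow="${2:-}" '
        BEGIN {
            # System-installed log-ins named in S 4.17
            n = split("sys bin adm uucp nuucp daemon lp", names, " ")
            for (i = 1; i <= n; i++) watched[names[i]] = 1
            # Load the password fields of the shadow file, if one was given
            if (shadow != "")
                while ((getline line < shadow) > 0) {
                    split(line, f, ":")
                    sh[f[1]] = f[2]; seen[f[1]] = 1
                }
        }
        ($1 in watched) {
            pw = $2
            # "x" means the real field is kept in the shadow file
            if (pw == "x" && ($1 in seen)) pw = sh[$1]
            # "*" and LOCKED are the values the manual names; a leading "!"
            # (as written by passwd -l on Linux) is an assumption added here
            if (pw == "")                             state = "EMPTY"
            else if (pw ~ /^[*!]/ || pw == "LOCKED")  state = "LOCKED"
            else if (pw == "x")                       state = "UNKNOWN"
            else                                      state = "ACTIVE"
            print $1 ":" state
        }
    ' "$1"
}

# Constructed sample data (not from a real host). Call `demo` to run it.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'bin:*:2:2::/bin:/bin/false' \
        'adm:LOCKED:4:4::/var/adm:/bin/false' 'uucp:x:5:5::/usr/lib/uucp:/bin/sh' \
        'lp:x:7:7::/var/spool/lp:/bin/sh' 'daemon::1:1::/:/bin/sh' > "$d/passwd"
    printf '%s\n' 'uucp:!:10957::::::' 'lp:$6$salt$hash:10957::::::' > "$d/shadow"
    audit_system_logins "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
```

Entries reported as ACTIVE or EMPTY are the ones that still need to be blocked; UNKNOWN means the field points to a shadow file that was not supplied.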

If a user who is to be newly set up needs his account only for a limited period, the account should be established for a limited duration.

It can prove expedient to establish accounts initially for a limited period and extend their duration at regular intervals (e.g. annually) as required.

If the absence of a LAN user is foreseeable (vacation, illness, temporary assignment, ...), his account on the network server should be blocked for that period so that working with his user ID is precluded during that time. Every user should inform the network administrator of any prolonged absence.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000