 Training and Dissemination web site

Integrated Site Security for Grids

A project co-funded by EU FP6 programme
Recommendation

Centrally manage accounts

ID: R41

What: Centrally managing accounts aims to administer and control all user accounts through a single front end. This front end links to user data and to all accounts, even across hardware platforms and operating systems. For data security, several levels of controlled access via this front end need to be provided.
Why:

When account management is centralized, it is easier to apply policies and procedures. This gives consistent control over all accounts at the site and an instant overview of all its users. It reduces the effort needed to create new user accounts and allows a more controlled process for closing them. Furthermore, if an incident arises, for example a stolen user password, a rapid reaction is possible.

General Hints:

  • A knowledgeable person, able to disseminate and show the improvements, is important. A consultation process is usually necessary before a new action gets consent from the different administrators.
  • Ensure the handling of user data conforms with data protection laws as well as any local policies within your organization.
  • Review policies and procedures for account management, including conformance with site and national requirements for data protection.
  • A flexible central management system, which allows delegation of some decisions, is particularly appropriate in environments where groups of users have different requirements. This is common in academic environments.
How:

    Method 1: Use a commercial Account Management System (AMS)
    Directory services, such as Microsoft Active Directory, Novell and other LDAP-based systems, provide central account management. The Active Directory structure provides a useful migration path for sites running Microsoft NT domains.

    Hints:

  • Commercially available Account Management systems include useful functionality for account management.
  • It is necessary to coordinate the steps of a migration to the new Account Management System. This avoids, for instance, an account existing in the old and new system at the same time.
  • Upgrading to such a system still fulfils the requirements, and may even reduce the infrastructure and licence provisioning needed.
  • If the site has a decentralised structure additional coordination for the migration process has to be carried out, as each Organisational Unit can decide on the process.


    Links:
  • MICROSOFT White Paper http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/nt4/nt4domtoad.mspx
  • MICROSOFT Active Directory http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/default.mspx
  • OPEN LDAP http://www.openldap.org/
  • Novell Identity Manager http://www.novell.com/products/identitymanager/productinfo/
  • The DESY-Registry – account management for many backend systems http://indico.cern.ch/contributionDisplay.py?contribId=417&sessionId=6&confId=048
  • Course 2154B: Implementing and Administering Microsoft Windows 2000 Directory Services http://www.microsoft.com/learning/syllabi/en-us/2154bfinal.mspx
  • Course 1561: Designing a Microsoft Windows 2000 Directory Services Infrastructure http://www.microsoft.com/learning/syllabi/en-us/1561bfinal.mspx

    Method 2: Use of a central database to manage accounts
    A central database can be created to store the ‘master copy’ of account information. The design of the database has to be carried out carefully and the requirements of the site have to be taken into account.

    Hints:
  • The database should include:
    • Account name, UID for Unix type accounts
    • A link to data identifying the person using the account, e.g. email address
    • Services permitted for this account, e.g. mail, web, Windows, Linux, [...]

  • Useful additional information may include:
    • home directory
    • preferred shell, GID (for UNIX accounts)
    • date of last use

  • On each service, programs should run periodically to compare the actual accounts in use with the list of expected accounts from the central database and then take the appropriate actions to solve any discrepancy, i.e. creating, modifying or deleting accounts.
  • Pulling data from the central database into the local configuration is usually preferred, as it keeps control with the master system.
  • Requiring a formal association between a person and your organization, including start and end dates, allows automation of account creation and closure.
  • Keeping track of the date of last use allows for centralized cleanup of unused accounts.
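The periodic comparison step described in the hints above, as an added example that is not part of the ISSeG page: a Python sketch of a pull-model reconciliation for one service against a constructed central database holding the fields listed under Method 2. The record layout, the sample accounts and the one-year idle threshold are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class MasterAccount:  # one row of the constructed central database (Method 2 fields)
    name: str
    uid: int
    person_email: str           # link to the person using the account
    services: set               # services permitted, e.g. {"linux", "mail"}
    start: date                 # formal association with the organisation begins
    end: Optional[date] = None  # None = association still open
    shell: str = "/bin/bash"
    last_use: Optional[date] = None

def expected_accounts(master, service, today, unused_days=365):
    """Accounts that should exist on `service` today: association active,
    service permitted, and not idle longer than the cleanup threshold."""
    def wanted(a):
        active = a.start <= today and (a.end is None or today <= a.end)
        idle = a.last_use is not None and (today - a.last_use).days > unused_days
        return active and service in a.services and not idle
    return {a.name: a for a in master if wanted(a)}

def reconcile(master, local, service, today):
    """Pull model: diff the master view against the host's own account list
    (`local` maps name -> (uid, shell)) and return the actions to apply."""
    expected = expected_accounts(master, service, today)
    actions = []
    for name in sorted(set(expected) | set(local)):
        if name not in local:
            actions.append(("create", name))
        elif name not in expected:
            actions.append(("delete", name))
        elif (expected[name].uid, expected[name].shell) != local[name]:
            actions.append(("modify", name, (expected[name].uid, expected[name].shell)))
    return actions

TODAY = date(2008, 6, 1)  # constructed sample data follows: master records + one Linux host
MASTER = [
    MasterAccount("alice", 1001, "alice@site.example", {"linux", "mail"},
                  date(2007, 1, 1), last_use=date(2008, 5, 30)),
    MasterAccount("bob", 1002, "bob@site.example", {"linux"},
                  date(2006, 1, 1), end=date(2008, 3, 31)),           # contract ended
    MasterAccount("carol", 1003, "carol@site.example", {"linux"},
                  date(2007, 1, 1), last_use=date(2006, 12, 1)),      # unused > 1 year
    MasterAccount("dave", 1004, "dave@site.example", {"mail"}, date(2007, 1, 1)),
]
LOCAL_LINUX = {"alice": (1001, "/bin/sh"), "bob": (1002, "/bin/bash"),
               "carol": (1003, "/bin/bash")}   # as read from the host's /etc/passwd
```

Running `reconcile(MASTER, LOCAL_LINUX, "linux", TODAY)` yields a modify for alice's shell and deletes for bob (association ended) and carol (idle), while dave is left alone because Linux is not among his permitted services.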
    Relevant recommendations: R43, R44, R45, R50, R56, R59
    Relevant threats: T1, T6, T8, T9, T40
    Relevant ISS audit questions: Q24, Q26, Q31, Q32, Q36, Q37, Q96
    Keywords: Linux, Windows, User, Account, Desktop, Authentication, Authorization, System Configuration, System, Administrator
    Recommendation Category: Technical (X), Administrative, Educational (X)
    Copyright (c) Members of the ISSeG Collaboration 2008