Password policies aren't the only way to control access to your Windows systems. An account that grants access to your computer systems is a privilege, not a right. Not everyone should have an account, nor should employees with accounts have unrestricted access to your systems. You don't make everyone an administrator, right? So why not restrict access using all the tools at your disposal? I don't mean you should invest in chains, whips or restrictive leather gear -- just use native Windows tools like account options to limit system access, as you'll learn in the checklist below. Following the checklist, you'll find steps for actually locating and changing account options in Active Directory.
Checklist: Set account options to limit systems access

Set logon hours

This is the span of time during which users are authorized to log on. Restricting logon to normal work hours prevents users, or anyone who learns their account and password information, from accessing your network at off hours when few people are around to discover the unauthorized access. Setting logon hours can also hamper unauthorized use of remote access outside those hours.

Set log-on-to machines

Being able to log on from any computer in the domain is a nice convenience, but it's a bit too risqué for me. Selecting the specific computers from which an account may log on may help prevent unauthorized actions that could result in data theft or damage. It is especially important to limit guests, temporary workers, students and contractors.

Set "Smart card is required for interactive logon" where smart cards are used

If you don't require smart cards for interactive logon, users may forgo their smart card and use a password instead. You don't want this to happen. Smart card technology helps you escape the many weaknesses of password use; if users can choose whether or not to use their smart cards, you've lost that advantage. Also, a user who can fall back to a password has no reason to report a lost smart card, since no replacement is needed to keep working; if the wrong person finds an envelope with a smart card inside and the PIN written on it -- game over.

As a general rule, users should never store PINs with their smart cards, but there is no way to guarantee they won't. If a user reports a missing smart card and must receive a new one to log on, revoke the certificate assigned to the lost card so that it can no longer be used.

Set "Account is sensitive and cannot be delegated," at least for administrator accounts

Account delegation is a useful tool for multi-tiered applications. It enables you to delegate authority for access, and gain tighter control and accountability of that access. However, delegating administrator accounts is not a good idea. Prevent that from happening by checking the "Account is sensitive and cannot be delegated" box.

Set an account expiration date

Many of you hire part-time help, contractors and other temporary workers. When they (or any regular employees) leave their jobs, are you immediately made aware of the change so you can disable and eventually delete their accounts? Leaving excess accounts enabled on your systems is not a good security move; the compromise and use of these accounts might go unnoticed for a very long time. If all accounts have expiration dates set, temporary workers will need to have the date extended in order to work past their agreed length of service, and if they leave early, the account will at least expire on schedule. If setting account expiration dates for all employees is difficult to manage, at least set them for temporary workers.

How to locate and change account options in an Active Directory domain

Open Active Directory Users and Computers, navigate to the container where user accounts are stored (either the Users container or, depending on your Active Directory design, one or more organizational units) and double-click the user account. To make changes, click the check boxes or manipulate the other controls. User details on a standalone Windows 2000, Windows XP or Windows Server 2003 computer can be found in the Computer Management\Local Users and Groups\Users container. However, many of the account details described above are not accessible there; to set those that make sense on a standalone computer, you'll have to use the net user command. Net user is also helpful in a domain: use it to change account options for multiple accounts at one time. Alternatively, write a script. Information on doing both can be found at Microsoft's support site and Microsoft TechNet.
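The column points at scripting as the way to apply these options to many accounts at once, and at net user for standalone computers. The script below is an added example, not code from the column or from Microsoft; it applies every checklist item to a temporary worker's account with the ActiveDirectory PowerShell module and then audits an OU for accounts that still lack them, which is the check you want before trusting the checklist has been followed. The account name contractor.test, the OU path, the workstation names and the 07:00-19:00 weekday window are constructed values for a test domain; the module, the rights to modify the account, and the bit ordering within the logonHours attribute (bit 0 of each byte taken as the earliest hour) are assumptions stated in the comments.

```powershell
# Added example (not from the original column). Assumes the RSAT ActiveDirectory
# module, a test domain, and rights to modify the accounts named below.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # starting Sunday 00:00. The directory stores these hours in UTC (ADUC shows
    # them in local time). Assumption: bit 0 of each byte is the earliest hour
    # of that 8-hour block, so a set bit means "logon allowed in that hour".
    param(
        [int[]]$Days = 1..5,   # Monday..Friday (0 = Sunday, 6 = Saturday)
        [int]$StartHour = 7,   # first allowed hour (inclusive, UTC)
        [int]$EndHour = 19     # first denied hour (exclusive, UTC)
    )
    $mask = New-Object byte[] 21   # all zero = no logon at any hour
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour
            $byteIndex = [int][math]::Floor($bit / 8)
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask   # leading comma keeps the array intact on the pipeline
}

function Protect-TemporaryAccount {
    # Applies the checklist to one account: logon hours, log-on-to workstations,
    # "sensitive and cannot be delegated", expiration date and (optionally)
    # "smart card is required for interactive logon".
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$ContractEnds,
        [string[]]$AllowedWorkstations = @(),   # NetBIOS names for "Log On To"
        [switch]$RequireSmartCard
    )
    $params = @{
        Identity              = $SamAccountName
        AccountNotDelegated   = $true           # "Account is sensitive and cannot be delegated"
        AccountExpirationDate = $ContractEnds   # account stops working at end of service
        Replace               = @{ logonHours = (New-LogonHoursMask) }
    }
    if ($AllowedWorkstations.Count -gt 0) {
        $params.LogonWorkstations = ($AllowedWorkstations -join ',')
    }
    if ($RequireSmartCard) { $params.SmartcardLogonRequired = $true }
    Set-ADUser @params
}

function Find-UnprotectedAccounts {
    # Reports enabled accounts in an OU that miss one or more checklist settings,
    # so the policy can be verified rather than assumed. A missing logonHours
    # value, or one with every bit set, means logon is allowed around the clock.
    param([string]$SearchBase)   # e.g. 'OU=Contractors,DC=example,DC=com' (constructed)
    $props = 'AccountExpirationDate','AccountNotDelegated','LogonWorkstations',
             'SmartcardLogonRequired','logonHours','adminCount'
    $query = @{ Filter = 'Enabled -eq $true'; Properties = $props }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $u = $_
        $gaps = @()
        if (-not $u.AccountExpirationDate) { $gaps += 'no expiration date' }
        if (-not $u.LogonWorkstations)     { $gaps += 'can log on from any computer' }
        $hours = $u.logonHours
        if (-not $hours -or (@($hours | Where-Object { $_ -ne 255 }).Count -eq 0)) {
            $gaps += 'logon allowed 24x7'
        }
        # adminCount = 1 marks accounts protected by AdminSDHolder, i.e. privileged ones
        if ($u.adminCount -eq 1 -and -not $u.AccountNotDelegated) {
            $gaps += 'privileged account can be delegated'
        }
        if ($gaps) {
            [pscustomobject]@{ Account = $u.SamAccountName; Gaps = ($gaps -join '; ') }
        }
    }
}

# Usage (constructed names; adjust to your test environment):
# Protect-TemporaryAccount -SamAccountName 'contractor.test' `
#     -ContractEnds (Get-Date).AddDays(90) `
#     -AllowedWorkstations 'WS-CONTRACT01','WS-CONTRACT02'
# Find-UnprotectedAccounts -SearchBase 'OU=Contractors,DC=example,DC=com' | Format-Table
#
# On a standalone computer without a domain, net user covers hours and expiry:
# net user contractor.test /times:M-F,07:00-19:00 /expires:12/31/04
# (the /expires date format follows the machine's locale settings)
```

The audit function is deliberately separate from the one that applies settings: running it across the contractor OU on a schedule catches accounts created by hand, or by a later administrator, that never had the options set, which is the gap that the "are you immediately made aware" question above is really about.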
Note from the author: I'm listening. Several of you asked for help implementing some of my previous security checklist recommendations. I'm afraid I can't provide explicit, detailed instructions -- there wouldn't be room in this column for the checklist! However, going forward, I'll try to make room for a pointer or two, or include links to find more information. If you have specific questions or comments about any of my checklists, e-mail me directly.
ABOUT THE AUTHOR

Roberta Bragg is author of "Hardening Windows Systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
This was first published in October 2004