Checklist: Set account options to limit systems access


Roberta Bragg
10.26.2004


Password policies aren't the only way to control access to your Windows systems. An account that grants access to your computer systems is a privilege, not a right. Not everyone should have an account, nor should employees with accounts have unrestricted access to your systems. You don't make everyone an administrator, right? So why not restrict access using all the tools at your disposal? I don't mean you should invest in chains, whips or restrictive leather gear -- just use native Windows tools like account options to limit system access, as you'll learn in the checklist below. Following the checklist, you'll find steps for actually locating and changing account options in Active Directory.

Checklist: Set account options to limit systems access
Set logon hours
This is the span of time during which users are authorized to log on. Restricting logon to normal work hours prevents users, or anyone who learns their account and password information, from accessing your network at off hours when few people are around to discover the unauthorized access. Setting logon hours can also hamper unauthorized use of remote access during those hours.
Set log-on-to machines
Being able to log on from any computer in the domain is a nice convenience, but it's a bit too risqué for me. Selecting the specific computers an account may log on to may help prevent unauthorized actions that could result in data theft or damage. It is especially important to limit guests, temporary workers, students and contractors.
Set "Smart card is required for interactive logon" where smart cards are used
If you don't require smart cards for interactive logon, users may forgo their smart card and use a password instead. You don't want this to happen. Smart card technology helps you escape the many weaknesses of password use. If users can choose whether or not to use their smart cards, you've lost that advantage. Also, users won't have to report a lost smart card in order to get a new one; if the wrong person finds an envelope with a smart card inside and the PIN written on it -- game over.
As a general rule, users should never store PINs with their smart cards, but there is no way to guarantee they won't. If a user reports a missing smart card and must receive a new one to log on, revoke the certificate assigned to the lost smart card to prevent its use.
Set "Account is sensitive and cannot be delegated," at least for administrator accounts
Account delegation is a useful tool for multi-tiered applications. It enables you to delegate authority for access while gaining tighter control and accountability of that access. However, delegating administrator accounts is not a good idea. Prevent that from happening by checking the "Account is sensitive and cannot be delegated" box.
Set an account expiration date
Many of you hire part-time help, contractors and other temporary workers. When they (or any regular employees) leave their jobs, are you immediately made aware of the change so you can disable and eventually delete their accounts? Leaving excess accounts enabled on your systems is not a good security move. The compromise and use of these accounts might go unnoticed for a very long time. If all accounts have expiration dates set, temporary workers will need to have the date extended in order to work past their length of service. If they leave early, at least the account will expire. If setting account expiration dates for all employees is difficult to manage, at least set expiration dates for temporary workers.
How to locate and change account options in an Active Directory domain
Open Active Directory Users and Computers, navigate to the container where user accounts are stored (either the Users container or possibly several organizational units, depending on your Active Directory design) and double-click the user account. To make changes, click the check boxes or manipulate the other controls. User details on a standalone Windows 2000, Windows XP or Windows Server 2003 computer can be found in the Computer Management\Local Users and Groups\Users container. However, many of the account details described above are not accessible there. To use those that make sense, you'll have to use the Net User command. Net User is also helpful in a domain. Use it to change account options for multiple accounts at one time. Alternatively, write a script. Information on doing both can be found at Microsoft's support site and Microsoft TechNet.
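Applying the checklist options above from a script, as an added example that is not from the column or from Microsoft: it uses the ActiveDirectory PowerShell module, which postdates the Windows Server 2003 tools the column names, and assumes placeholder OU, group, account and workstation names and the UTC bit layout of the logonHours attribute.

```powershell
# Added example (not from the column): apply the checklist's account options with the
# ActiveDirectory module (Windows Server 2008 R2 / RSAT or later). OU, group, account and
# workstation names below are placeholders.
Import-Module ActiveDirectory

# logonHours is a 21-byte attribute: 168 bits, one per hour of the week, starting at
# Sunday 00:00 UTC, least-significant bit first within each byte (assumed layout;
# confirm in the Logon Hours dialog in Active Directory Users and Computers).
function New-LogonHoursMask {
    param(
        [int[]]$Days = (1..5),    # 0 = Sunday ... 6 = Saturday
        [int]$StartHourUtc = 7,   # first permitted hour (inclusive)
        [int]$EndHourUtc = 19     # first forbidden hour (exclusive)
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit = $day * 24 + $h
            $mask[$bit -shr 3] = $mask[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask
}

$contractorOU = 'OU=Contractors,DC=example,DC=com'        # placeholder
$workHours    = New-LogonHoursMask -Days (1..5) -StartHourUtc 7 -EndHourUtc 19

# Temporary workers: expiration date, permitted workstations, and logon hours.
Get-ADUser -SearchBase $contractorOU -Filter * | ForEach-Object {
    Set-ADUser -Identity $_ `
        -AccountExpirationDate (Get-Date).AddDays(90) `
        -LogonWorkstations 'CONTRACTOR-PC01,CONTRACTOR-PC02' `
        -Replace @{ logonHours = $workHours }
}

# Administrators: mark sensitive so Kerberos delegation cannot impersonate them.
Get-ADGroupMember -Identity 'Domain Admins' | Get-ADUser |
    Set-ADUser -AccountNotDelegated $true

# Accounts that have been issued a smart card: do not let them fall back to a password.
foreach ($name in @('rbragg', 'jdoe')) {                   # placeholders
    Set-ADUser -Identity $name -SmartcardLogonRequired $true
}

# Audit: accounts in the OU that still have no expiration date.
Get-ADUser -SearchBase $contractorOU -Filter * -Properties AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate } |
    Select-Object SamAccountName

# On a standalone machine the same hours can be set with:  net user jdoe /times:M-F,07:00-19:00
```

The audit query at the end is the check to rerun periodically; any account it lists has slipped past the expiration rule the checklist asks for.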

Note from the author: I'm listening. Several of you asked for help implementing some of my previous security checklist recommendations. I'm afraid I can't provide explicit, detailed instructions -- there wouldn't be room in this column for the checklist! However, going forward, I'll try to make room for a pointer or two, or include links to find more information. If you have specific questions or comments about any of my checklists, e-mail me directly.

ABOUT THE AUTHOR:
Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
