Operating System Access Control
User Identification and Authentication
All users shall be identified and authenticated with the minimum of a unique identification and a password before access to operating systems is granted. This will minimise the opportunity for unauthorised access to information resources at the operating system level by providing a means of user authentication. If access to the operating system is not necessary, such as when the user has access to an application (only) running on the system, then operating system access must not be given to the user.
If operating system access is necessary, such access will abide by the following rules:
- All users shall have a unique user account
- All users shall have a unique password
- Users’ passwords will give no indication to their privilege level
Additional authentication technique(s) will be used in combination with user IDs to provide further security in authentication including:
- Passwords
- Cryptographic and authentication protocols
- Memory tokens or smart cards
- Biometrics
Password Program
All passwords for systems and applications must be individual, effective, and of sufficient quality to deter compromise. Systems and applications must be configured to programmatically enforce these rules if available. In the absence of programmatic enforcement, the user will be responsible for enforcing these rules themselves.
Default passwords will be changed as soon as a new application/system is installed. Default support accounts, where possible, must be disabled and only enabled when required to troubleshoot an issue. Once the issue has been addressed, the account must be disabled again.
User Account Review/Audit
All user accounts shall be reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist. User/group roles and access rights shall be reviewed on a regular basis to ensure that no user or group has excessive privileges.
Use of System Utilities
Access to system utilities for non-administrators should be restricted to minimise the opportunity for unauthorised access to or modification to information resources.
All unnecessary system utilities shall be removed from server systems. Unnecessary system utilities should be removed from desktop/laptop systems as appropriate.