e-governance Password Management Guidelines Draft 0.1


Password Management Guidelines

Draft 0.1

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY, Ministry of Communication and Information Technology, Government of India.

Document Classification: Internal Page 2 of 10

Document Control

S. No. | Type of Information | Document Data
1. | Document Title | eGov Password Management Guidelines
2. | Document Code | GL_eGov_AM
3. | Date of Release |
4. | Next Review Date |
5. | Document Owner | DeitY
6. | Document Author(s) |
7. | Document Reviewer |
8. | Document Reference | PR_eGov_UAMP

Document Approval

S. No. | Document Approver | Approver Designation | Approver E-mail ID

Document Change History

Version No. | Revision Date | Nature of Change | Date of Approval

1. INTRODUCTION ... 4

2. PURPOSE ... 4

3. SCOPE ... 5

4. PASSWORD MANAGEMENT & CONSTRUCTION ... 5

4.1. ACTIVE DIRECTORY ENVIRONMENT ... 5

4.2. UNIX SYSTEMS ... 5

4.3. PASSWORD ALLOCATION PROCESS ... 5

4.4. PASSWORD RESET PROCESS ... 6

4.5. PASSWORD MANAGEMENT GUIDELINES ... 6

4.6. E-SAFE RECOMMENDATION ... 8

4.7. ROLES AND RESPONSIBILITY ... 10

1. INTRODUCTION

Any compromise of the confidentiality, integrity or availability of e-Gov networks, systems or information could impair e-Gov service delivery. Adverse public exposure brought on by a compromise would damage e-Gov’s credibility across the country. Ensuring that e-Gov departments and public data are kept secure is a vital element of e-Gov’s approach to security.

This document establishes the e-Gov Password Management Guidelines to implement password controls, i.e. the e-Gov Password Policy (refer to the e-Gov Security Policy (eSP)). The document outlines the requirements for creating and protecting passwords within the e-Gov service delivery environment across states, ministries and departments.

Asset owners, i.e. department or application owners, must perform a risk assessment of the assets (applications or data) held in the specific system to arrive at the criticality of those assets (refer to the e-Governance Security Standards Framework (eSAFE) section GD300 Risk Assessment: Guidelines for Information Security Risk Assessment and Management in an e-Governance project). Accordingly, advanced security features can be implemented as control improvements (refer to e-SAFE GD 210: Guidelines for implementing chosen security controls).

The last section of this document deals with control recommendations and improvements as per e-SAFE (e-Governance Security Assurance Framework).

2. PURPOSE

The principal objective of this document is to provide general guidelines for the protection of passwords used by people who have privileged and non-privileged access to multiple servers, systems and applications. Care and maintenance of these passwords is imperative to ensure that computer accounts are not improperly accessed and e-Gov information is not compromised, and thereby to mitigate the associated risks.

Compliance with these guidelines will help ensure that departments comply with the e-Gov Password Policy requirements.

3. SCOPE

This guideline does not supersede the requirements of the e-Gov Password Policy and/or state-specific password policies but is designed to augment the policy. The policy is applicable to all assets and information systems deployed in the e-Gov Service delivery framework.

These guidelines suffice to comply with the minimum baseline requirements of the eSP as recommended by the eSAFE standard and best practices.

4. PASSWORD MANAGEMENT & CONSTRUCTION

All account passwords should follow the e-Gov or otherwise applicable Password Policy. Where possible, privileged user accounts should be tied into a centrally managed system such as Active Directory or Novell eDirectory, avoiding local system accounts. This provides a mechanism to enforce password policy and account management, along with auditing of password changes.

4.1. ACTIVE DIRECTORY ENVIRONMENT

When utilizing Active Directory (AD), rights should be managed by roles. These roles should be defined at the highest level possible (global, enterprise, regional, local) to allow for the simplest management. Password complexity should be enabled on the domain controllers to ensure that the e-Gov password policy is complied with.

4.2. UNIX SYSTEMS

UNIX hosts are often not part of a larger directory structure such as AD and are more likely to be stand-alone devices. UNIX hosts that are not incorporated into a mature directory structure must meet the same user and password management requirements as those within the AD infrastructure.

4.3. PASSWORD ALLOCATION PROCESS

- In order to ensure that passwords are communicated only to the relevant user, they should be communicated back to the originator of the request or to the person to whom the account is assigned.

- Passwords should be communicated securely to users; for example, encrypted e-mail could be used to communicate passwords.

- All initial passwords should be “Forced to Modify” on first use.

4.4. PASSWORD RESET PROCESS

Users/administrators may forget their passwords over time, in which case the passwords have to be reset. If the password reset is not done in a proper and secure manner, it is possible for unauthorized users to ask for the passwords of authorized users to be reset and so gain access to systems.

- Password reset requests should come through appropriate channels to system administrators/application administrators.

- If a user has forgotten his/her e-mail ID password or is unable to log in to his/her e-mail account, he/she should personally raise a password change request through the formally managed process in place, viz. the Service Desk. The responsible team should verify the user's identity and then forward the password change request to the system administrators.

- The designated personnel should confirm the request with the person who requested the reset. Once satisfied, they should allocate the new password and confirm it back to the end user only.

- In the event of suspected compromise or disclosure of a password, the user shall raise a security incident and also inform the designated team, viz. the Service Desk, immediately. The password should subsequently be changed and communicated to the user.

- Before changing the password, the Service Desk should authenticate the user.

- A log of password resets should be maintained, wherever possible, for auditing purposes.

4.5. PASSWORD MANAGEMENT GUIDELINES

The following e-Gov Password Policy controls should be enforced so that all system accounts are bound to have passwords of the minimum desired quality.

feature provided by Windows NT/2003/2008. The system should grant access to the domain, provided the user Id and passwords are correct.

- If any application or database is not integrated with Active Directory Services (ADS), it should have provisions for creating unique user IDs and passwords to authenticate users prior to accessing the system.

- Passwords should be encrypted when stored in files or databases. Access to this field of the database should be restricted to system security administrators only.

- Passwords should not be transmitted in clear-text form over any kind of network.

- Authentication, authorization and accounting for all critical network devices should be done through a centrally controlled server, and access to the same should be provided only to specific security administrators.

- Password complexity requirements should be enforced using domain policies. The complexity requirements should include, at minimum, the following points:

  - Minimum password age should be set to one day.

  - Minimum password length should be eight characters.

  - A record of the last 5 passwords should be maintained in order to prevent their reuse.

  - Passwords should contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters.

  - Policy should be set such that passwords for all users, normal as well as privileged, expire in 45 days.

  - Policy should be enforced to lock the user account after 5 successive invalid login attempts.

  - The account lockout duration and the reset-account-lockout-counter duration should both be set to 30 minutes for desktops.

  - If an administrative privileged account is locked out, the user should not be able to log in until the account is unlocked by the system administrator.

- By default, all applications and systems should be configured not to display passwords on the screen while they are being keyed in.

- Policy should be set to audit user account login/logout, so that each user can be held accountable for his/her actions.

- Logs of all activities should be maintained for 90 days. Logs of unsuccessful attempts and suspected successful attempts should be reviewed periodically by designated administrators.

- Default accounts should be disabled and/or default passwords changed immediately, adhering to the baseline hardening procedures for the systems and applications.

- Provide proper user awareness training to all users (including third-party vendor employees and contract employees) to ensure that password procedures and policies are followed by all users.

- Force users to change the temporary password given at account creation at first log-on.

4.6. E-SAFE RECOMMENDATION

Besides the aforementioned exhaustive list of controls laid down in the e-Gov Password Policy, the following guidelines should be followed in application code (APPLICATION CLASS) and infrastructure (INFRASTRUCTURE CLASS), as recommended by e-SAFE according to the criticality of the environment. (Refer to Guidelines for Implementation of Security Control (GD 210): Guidelines for implementing chosen security controls.)

I. The following control improvements are recommended for applications in the e-SAFE application class.

- The application should not allow users to create or use weak passwords.

- Maintain a record/history of a specified number of previously used passwords to prevent reuse.

- Define the requirement for these control mechanisms in the RFP and/or SRS.

II. The following controls are best practices to be followed in the e-Gov environment, as recommended in the e-SAFE infrastructure class.

- In some devices, by default, no authentication scheme is present or default system accounts have no password. Such default system accounts without passwords shall be disabled.

- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.

- The default passwords of devices (e.g. network routers, switches, access points etc.) should be changed during installation, and this practice should be integrated with the organizational procedure for installation of computing and communication devices.

- The keeper of master passwords should be a trusted employee, such as a Project Manager belonging to the e-Governance Information Security Working Group (ISWG), who is available during emergencies. Any copies of the master passwords must be stored in a very secure location (a sealed envelope or a properly access-controlled repository with limited access).

- The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be the most secure and should be changed frequently.

- Authority to change master passwords should be limited to trusted employees. A password audit record, especially for master passwords, should be maintained separately from the control system.

- Store password files separately from application system data.

III. The following control improvements are recommended for applications in the e-SAFE application class.

- The organization should adopt a managed process to verify the identity of the requestor when resetting or reissuing an account password.

- The system should not store the password in clear text and should eliminate the use of weak hashes (NTLM hash instead of LANMAN hash, or salted MD5).

- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.

- For highly sensitive systems, the ‘root’ or ‘administrator’ password shall be broken into two parts, each held by a different person, to minimize the security risk from any one person. In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multi-factor authentication using biometrics like thumb impression, physical tokens (RSA token), smart cards or USB tokens holding a digital certificate.
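As an added example (not code from the guideline), the following Python sketch applies the section 4.5 domain-policy figures (length 8, history of 5, lockout after 5 failures for 30 minutes) and the section 4.6 application-class controls (reject weak passwords, keep a hashed history, never store clear text) in an application that cannot rely on AD. The salted PBKDF2 hashing, the three-way classification of non-alphabetic characters and the `Account` class are assumptions of the example, not prescriptions of the document.

```python
import hashlib, hmac, os, string, time

MIN_LENGTH = 8             # 4.5: minimum password length of eight characters
HISTORY_DEPTH = 5          # 4.5: last 5 passwords remembered to prevent reuse
LOCKOUT_THRESHOLD = 5      # 4.5: lock after 5 successive invalid attempts
LOCKOUT_SECONDS = 30 * 60  # 4.5: lockout duration of 30 minutes

def complexity_ok(pw):
    # 4.5 rule: alphabetic plus a non-alphabetic type, or two non-alphabetic types
    if len(pw) < MIN_LENGTH: return False
    classes = set()
    for c in pw:
        if c.isalpha(): classes.add("alpha")
        elif c.isdigit(): classes.add("digit")
        elif c in string.punctuation: classes.add("punct")
        else: classes.add("special")  # space, unicode symbols, etc.
    non_alpha = classes - {"alpha"}
    return ("alpha" in classes and len(non_alpha) >= 1) or len(non_alpha) >= 2

def _digest(pw, salt):
    # Salted PBKDF2 is an assumption; the guideline only requires "not in clear text"
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
class Account:
    # Stores only salted digests (4.6 III) plus history, failure count and lockout (4.5)
    def __init__(self, initial_pw, now=time.time):
        self.now, self.history, self.failures, self.locked_until = now, [], 0, 0.0
        self.must_change = True  # 4.3: initial password is "Forced to Modify"
        self._store(initial_pw)
    def _store(self, pw):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(pw, salt))])[-HISTORY_DEPTH:]
    def change_password(self, new_pw):
        """Returns None on success, else the reason the change was refused."""
        if not complexity_ok(new_pw): return "weak"
        if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in self.history):
            return "reused"
        self._store(new_pw)
        self.must_change = False
    def login(self, pw):
        """Returns 'ok', 'must_change', 'locked' or 'denied'."""
        t = self.now()
        if t < self.locked_until: return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(pw, salt), digest):
            self.failures = 0
            return "must_change" if self.must_change else "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures, self.locked_until = 0, t + LOCKOUT_SECONDS
        return "denied"
```

The `now` argument lets the lockout clock be injected, so the 30-minute window can be exercised without waiting.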

4.7. ROLES AND RESPONSIBILITY

Role | Responsibility

Service Desk/Helpdesk
- Ensure proper user identification is done

System Administrator/Application Administrator
- Generation of passwords
- Ensuring that users are forced to change their passwords after logging in for the first time
- Resetting passwords and communicating the same to the user

CISO
- Ensure appropriate policies are configured to meet the requirements of the password management guidelines
- Ensure proper user awareness training is done to educate users on the use of passwords and their management
