User Security

Determine that the user login identification and authentication process is properly configured and that users are assigned to operating system groups consistent with their job requirements for system access.

1. Obtain the documented security policies and procedures for the operating system server environment. Use the User Manager utility to display the global account security parameters and review and assess the following settings:

a. Forcibly disconnect remote users (forces users to log off the system after a predetermined time limit).

b. Minimum password age in days

c. Maximum password age in days

d. Minimum password length

e. Password uniqueness (number of past passwords disallowed for future use)

f. Account lockout after ‘X’ number of bad log in attempts

g. Account lockout—reset the bad log in count after ‘X’ number of minutes

h. Account lockout duration—require an administrator to unlock, or automatically unlock after ‘X’ number of minutes.

i. User must log on to change password (controls whether users with expired passwords may log on and change the password themselves, or whether an administrator must change it for them)

2. Determine that the Administrator (super user) and Guest accounts have passwords assigned to them (by attempting to log on without providing a password). Also ascertain that the Administrator account password is well controlled and used/known only by the system administrator and a backup person.

3. Using the User Manager utility, review the following account property settings active in each user’s individual profile, which may override the global account policy:

a. Full name (should be used to facilitate ID management).

b. Description (job, department, etc.).

c. Change password at next log in (should be used for new users’ initial log in).

d. User cannot change password (forces administrator to manage the password; may be used for vendor and other third-party accounts).

e. Password never expires (may be used to override the global restriction in the Accounts Policy).

f. Account disabled.

g. Account locked out.

h. Groups (cross-reference to group’s audit procedures).

i. Profile (each user should have a home directory, path statement, and log in script).

j. Hours (log in time restrictions).

k. Log on to (restricts the workstations from which the user may log in).

l. Account (specifies local or global and may specify an expiration date).

4. Using the User Manager utility, review and assess User Rights assigned to groups and individual users.

5. Use the User Manager utility to view and assess membership in the sensitive built-in groups: Administrators, Domain Administrators, and Account Operators. Assess the appropriateness of users assigned to these groups.

6. Using the User Manager utility, document user membership in groups used to grant access to resources with audit significance (application program and data directories and files), cross-reference to the file system security audit steps, and assess the appropriateness of each user’s membership in groups.
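An added example, not part of this checklist: a Python script that reads the step 1 account policy values (items a to i) from a `secedit /export` INF file, so the assessment can be repeated offline across many servers, and reports every setting outside a baseline. The key names are the ones secedit writes under [System Access]; the sample export and the baseline thresholds are constructed for this example and are an assumption, not a standard.

```python
import configparser

# Constructed sample of what `secedit /export /cfg out.inf` writes under
# [System Access]; a real export is UTF-16 (open with encoding="utf-16").
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
"""

# Baseline thresholds are an assumption for this example, not a standard.
# Each rule: secedit key, checklist item from step 1, predicate, expectation.
RULES = [
    ("ForceLogoffWhenHourExpire", "a", lambda v: v == 1, "force logoff when logon hours expire"),
    ("MinimumPasswordAge", "b", lambda v: v >= 1, "minimum password age >= 1 day"),
    ("MaximumPasswordAge", "c", lambda v: 1 <= v <= 90, "maximum password age 1..90 days"),
    ("MinimumPasswordLength", "d", lambda v: v >= 8, "minimum password length >= 8"),
    ("PasswordHistorySize", "e", lambda v: v >= 5, "at least 5 past passwords remembered"),
    ("LockoutBadCount", "f", lambda v: 1 <= v <= 10, "lockout after 1..10 bad attempts"),
    ("ResetLockoutCount", "g", lambda v: v >= 15, "reset bad-logon count after >= 15 min"),
    ("LockoutDuration", "h", lambda v: v == -1 or v >= 15, ">= 15 min or admin unlock (-1)"),
    ("RequireLogonToChangePassword", "i", lambda v: v == 0, "expired password changeable at logon"),
]

def parse_system_access(inf_text):
    """Return the [System Access] keys of a secedit export, ints where numeric."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(inf_text)
    settings = {}
    for key, raw in cp["System Access"].items():
        raw = raw.strip().strip('"')
        settings[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return settings

def assess(settings):
    """Return (item, key, value, expectation) for every setting outside the baseline."""
    findings = []
    for key, item, ok, expectation in RULES:
        value = settings.get(key)
        # secedit omits ResetLockoutCount/LockoutDuration when lockout is off,
        # so a missing value is itself a finding for items g and h.
        if not isinstance(value, int) or not ok(value):
            findings.append((item, key, value, expectation))
    return findings
```

Each finding names the step 1 item letter, so it can be written straight into the audit workpaper beside the User Manager screen review.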