144
Networking: A Beginner's Guide
TIP
As a safety measure, also create a new account to be a backup of your administrative
account. Call it whatever you like (although less obvious names are better), give the account
security equivalence to the administrative account, and safely store the password. If something
happens that locks you out of the real administrative account, you can use the backup account to
regain access and correct the problem.
You should know the steps required to remove access to network resources
quickly from any user account and be sure to explore all network resources
that might contain their own security systems. For example, accounts will be
managed on the network operating system (and possibly on each server) and
also in specific applications, such as database servers or accounting systems.
Make sure that you find out how the system handles removed or deactivated
accounts. If you delete a user account in order to remove access, some systems
don't actually deny access to that user until they log out from the system.
Work closely with the human resources (HR) department. Make sure that the
HR staff is comfortable working with you on handling security issues related to
employee departures, and develop a checklist to use for standard employment
changes that affect IT. The HR department might not be able to give you
much--if any--advance notice, but it needs to understand that you need to
know about any terminations immediately, so you can take proper steps. Along
the same lines, you should develop a set of procedures on how you handle
accumulated e-mail, files, and other user access--both for friendly departures
and terminations. Your relationship with the appropriate people in the HR
department is crucial in being able to handle security well, so make sure that
you establish and maintain mutual trust.
Consider setting up a program whereby new users on the network have their
assigned permissions reviewed and signed off by their supervisor. This way,
you won't mistakenly give people access to things they shouldn't have.
For publicly traded companies, the advent of the Sarbanes-Oxley Act of 2002
(discussed in Chapter 1) means you will likely need to set up a system to
document how users of the network are added, modified, and removed from
the system. This type of system usually involves a set of request forms initiated
by the appropriate department (HR, accounting, and so on), signed by the
individual's supervisor and any other parties that need to authorize access to
certain systems, and then documents the IT staff's actions. These forms are
then filed and will be examined by the company's auditors.
Password Security
Another important aspect of account security is account password security. Most
network operating systems enable you to set policies related to password security.
These policies control how often the system forces users to change their passwords,