Page 47 - Computer Software Application TP - Volume 1

COMPUTER SOFTWARE APPLICATION - CITS


EXERCISE 10 : Setting password policy

Objectives

At the end of this exercise you shall be able to
• implement a password policy.

Requirements

Tools/Materials

• PC laptop with network connectivity

Procedure

Setting up a password policy in a network is an essential security measure to protect sensitive information and resources from unauthorized access.

Implement a password policy

1 Assessment: Begin by assessing the current state of password security within your network. Understand the existing password practices, their weaknesses, and the areas that need improvement.
2 Define Password Requirements: Determine the password requirements that users must adhere to. These requirements typically include:
  • Minimum password length: Suggest a minimum length of 8-12 characters.
  • Complexity: Require a combination of uppercase letters, lowercase letters, numbers, and special characters.
  • Expiry: Set a policy for password expiration, such as every 90 days.
  • History: Enforce a rule that prevents users from reusing old passwords.
  • Lockout: Establish a threshold for failed login attempts before an account is locked out temporarily.
  • Account Inactivity: Consider disabling the account, or prompting for a password change, after a certain period of inactivity.
  • Two-Factor Authentication (2FA): Encourage or mandate the use of 2FA where possible for an added layer of security.
3 Communicate Policy: Clearly communicate the password policy to all users within the network. Explain the rationale behind each requirement and the importance of adhering to it.
4 Implement Policy: Use the network's administrative tools or security software to enforce the password policy. This may involve configuring settings in:
  • Active Directory (for Windows networks)
  • Group Policy (for Windows networks)
  • LDAP (Lightweight Directory Access Protocol)
  • RADIUS (Remote Authentication Dial-In User Service)
  • IAM (Identity and Access Management) solutions
  • Password management tools
5 Enforcement: Regularly monitor adherence to the password policy. Implement mechanisms that enforce the policy automatically, such as system prompts for a password change when a password expires, or locking out accounts after multiple failed login attempts.
6 Education and Training: Conduct training sessions or provide resources to educate users about the importance of strong passwords, how to create them securely, and the consequences of weak password practices.
7 Periodic Review and Update: Regularly review the password policy to ensure it remains effective and up-to-date with evolving security threats and best practices. Make necessary adjustments based on feedback, security incidents, or changes in regulations.
8 Testing: Periodically conduct security audits or penetration tests to evaluate the effectiveness of the password policy and identify any vulnerabilities that need to be addressed.
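The following is an added illustration, not part of the original exercise, of how the requirements from step 2 (length, complexity, expiry, history, lockout) become automatic enforcement as described in step 5. It is a small self-contained Python model of a password store; the history depth (5) and the lockout window (900 seconds) are assumed values, since the exercise does not fix them, and in practice these settings are applied through the directory or IAM tools listed in step 4 rather than hand-written code.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:    # salted PBKDF2; the password itself is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Policy:           # thresholds follow step 2; history depth and lockout window are assumed
    min_length: int = 12
    max_age_days: int = 90
    history_size: int = 5
    lockout_threshold: int = 5
    lockout_seconds: int = 900

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float                              # epoch seconds of the last password change
    history: list = field(default_factory=list)    # previous (salt, hash) pairs, newest first
    failures: int = 0
    locked_until: float = 0.0

def check_complexity(password: str, policy: Policy) -> list:   # step 2: length + four classes
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "digit": string.digits, "special": string.punctuation}
    problems = [f"missing {n}" for n, cls in classes.items() if not any(c in cls for c in password)]
    return (["too short"] if len(password) < policy.min_length else []) + problems

def set_password(acct: Account, new_password: str, policy: Policy, now: float) -> list:
    problems = check_complexity(new_password, policy)       # empty list means the change succeeded
    if any(hmac.compare_digest(_hash(new_password, s), h)  # history rule: no reuse of recent passwords
           for s, h in [(acct.salt, acct.pw_hash)] + acct.history):
        problems.append("reuses a recent password")
    if problems:
        return problems
    acct.history = ([(acct.salt, acct.pw_hash)] + acct.history)[:policy.history_size]
    acct.salt, acct.changed_at, acct.failures = os.urandom(16), now, 0
    acct.pw_hash = _hash(new_password, acct.salt)
    return []

def login(acct: Account, password: str, policy: Policy, now: float) -> str:
    if now < acct.locked_until:                            # step 5: temporary lockout still in force
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        if acct.failures >= policy.lockout_threshold:
            acct.locked_until, acct.failures = now + policy.lockout_seconds, 0
            return "locked"
        return "denied"
    acct.failures = 0
    return "expired" if now - acct.changed_at > policy.max_age_days * 86400 else "ok"
```

The "expired" result is where a real system would prompt the user to choose a new password, and every "denied" or "locked" result is an event worth logging for the monitoring called for in step 5.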


