- Do not use privileged accounts tied to Career Accounts or regular user accounts
- Use only for administrative activities
- Use a separate account for non-administrative activities such as internet browsing, email, reading or editing general documents
- Where possible, creation of Privileged Accounts should follow a standard naming convention to associate to the user. Include user initials (3 – 4) + department where account is being used (3 -7) + system where privileges are granted (3) + optional extra (1).
- jhsPVMITdsk - Jane H. Smith in PVM-IT desktop support
- jhsiamoOUa - John H. Smith in IAMO with an OU admin role
- jhs2iamoOUa – Another John H. Smith in IAMO with an OU admin role
- Maintain inventory of privileged accounts
- Leverage automated tools where possible to inventory all administrative accounts, including domain and local accounts
- Use a password vault or privileged account management system (e.g. MS Local Administrator Password Solution)
- Use multi-factor authentication
- Follow the University user credentials standards for password creation
- Set password expiration to 90 days
- Before deploying new assets, change default passwords to have values consistent with administrative level accounts
- Where multi-factor authentication is not supported (such as local administrator, root, or service accounts) use unique passwords for all accounts, don’t use same password for a privileged account and user account or personal accounts
- Do not hardcode passwords within scripts or programs without strong encryption
- Ensure an administrative workstation is segmented from the public network and prohibit or restrict internet access (machine will not be used for email, browsing internet)
- Use only for administrative activities and not internet browsing, email, similar activities
- Do not use personal devices
- Use VPN or other encrypted remote access mechanisms
- VPN administrators should configure VPN as a full tunnel for administrative VPN profiles that are used by remote users
Secure Configuration for Servers, Workstations and Laptops, Mobile Devices
(Includes CIS Controls 2, 3, 5, 6, 8, 9, 11, 13, 14, and 15)- Maintain documented security configuration standards for all authorized operating systems and software
- Maintain secure hardened images
- Securely store master images
- Validate with integrity monitoring tools
- Deploy configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals
- For those areas where use of removable media is necessary, require devices to be encrypted and removed and stored securely when not in use
Secure Purdue System Administrator’s Resources
Benchmarks - Center for Internet Security (CIS)
While there are a number of commercial or external benchmark tools and guidelines available to system administrators to provide best practice standards for security configuration, IT Purdue Systems Security recommends the use of benchmarks created by the Center for Internet Security (CIS), if the system is not centrally supported. The Center for Internet Security (CIS) helps organizations reduce risks incurred from the use of inadequate technical security controls. CIS distributes consensus best practice benchmarks for security configuration. These benchmarks are unique because they are created by consensus by hundreds of security professionals worldwide. The benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as the Gramm-Leach Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), HIPAA, FERPA, and other information security regulatory requirements.
Purdue University is a member of the CIS, and as such has the right to distribute the benchmarks and tools for use within Purdue University. IT Purdue Systems Security recommends the CIS benchmarks for consultation and use by Purdue University System Administrators when no other specific Purdue University policy, standard, guideline, or procedure applies to the underlying system.
Any number of Purdue University employees may obtain a user account on the CIS Members Site. To register, go to https://enroll.cisecurity.org/#/ and click Apply link. (This page is also accessible via link from home page of the public web site http://www.cisecurity.org). Complete and submit the registration information. Within 24 hours you will receive an email indicating that your registration has been activated. Then you can enter the site using the username and password you selected.
All the CIS Benchmarks, and several software Scoring Tools that can be used to compare the configuration of Purdue systems to the benchmarks, are distributed from the CIS Public Web site at http://www.cisecurity.org. There is no need to register for access to that site. On the Members Web Site Purdue employees have access to CIS Scoring Tools with specialized features, including:
- A command line version that eases deployment of the tool and scoring of networked systems.
- A version that reads customized input files, enabling users to compare the configuration of their systems with both the CIS benchmarks and their organization's local configuration policies.
The CIS Members Web Site also contains various discussion forums and development versions of new Benchmarks and Scoring Tools. Please note that IT Purdue Systems Security does not provide support for the tools and benchmarks available from CIS. To read more about the benchmarks, please visit: https://benchmarks.cisecurity.org/
- IT Guidelines
- Cloud Computing Consumer Guidelines
- End User Security Guidelines
- Media Disposal Guidelines
- System Administrators Security Guidelines
- Implementation Readiness
