User security

The SoftApp-distribution Active Directory uses role-based access built on security groups. Accounts in the AD have access only to the parts their role permits. The Voice of O365 user accounts are Domain Users with access to other items disabled. The following principles are applied to user accounts.

  1. Enforce Strong Password Rules
    By now, you all know the benefits of strong passwords, but it’s probably too much to expect your users to adopt them willingly. To help them along, you really should enforce strong password rules in your domain (see "Enabling Strong Password Functionality in Windows 2000"). You can also help your users by suggesting strategies such as passphrases instead of confusing word/number/character combinations.
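The domain-wide password rules above are something you can verify and enforce from PowerShell. The script below is an added example, not a script from the SoftApp-distribution environment: it compares the default domain password policy against a baseline and applies the baseline only when run with `-Remediate`. The baseline figures, the `-Remediate` switch and the long maximum age (on the assumption that passphrases make frequent rotation unnecessary) are assumptions chosen for this example; it assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read and write the policy.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed switch: without it the script only reports, it changes nothing.
    [switch]$Remediate
)
Import-Module ActiveDirectory

# Baseline values are assumptions for this example, not figures from the page.
$Baseline = [ordered]@{
    ComplexityEnabled    = $true
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    LockoutThreshold     = 10
    MaxPasswordAge       = [TimeSpan]::FromDays(365)
}

$Policy = Get-ADDefaultDomainPasswordPolicy

# Compare each setting; "compliant" means at least as strict as the baseline.
$Findings = foreach ($Setting in $Baseline.Keys) {
    $Expected = $Baseline[$Setting]
    $Actual   = $Policy.$Setting
    $Ok = switch ($Setting) {
        'ComplexityEnabled' { $Actual -eq $Expected }
        # A zero MaxPasswordAge means "never expires", which is not compliant.
        'MaxPasswordAge'    { $Actual -gt [TimeSpan]::Zero -and $Actual -le $Expected }
        default             { $Actual -ge $Expected }
    }
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Compliant = $Ok }
}

$Findings | Format-Table -AutoSize

$Gaps = @($Findings | Where-Object { -not $_.Compliant })
if ($Gaps.Count -gt 0 -and $Remediate) {
    $DomainDN = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($DomainDN, 'Apply baseline password policy')) {
        # Every parameter used here is a documented Set-ADDefaultDomainPasswordPolicy parameter.
        Set-ADDefaultDomainPasswordPolicy -Identity $DomainDN `
            -ComplexityEnabled    $Baseline.ComplexityEnabled `
            -MinPasswordLength    $Baseline.MinPasswordLength `
            -PasswordHistoryCount $Baseline.PasswordHistoryCount `
            -LockoutThreshold     $Baseline.LockoutThreshold `
            -MaxPasswordAge       $Baseline.MaxPasswordAge
    }
}
```

Run it without switches first to see the gap report; `-Remediate -WhatIf` previews the change before it is written to the domain. Because the default domain policy applies to every account, including service accounts, review the findings for that group before remediating.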


  2. Protect the Service Account’s Password
    As you know, service accounts are another sore subject. The nature of service accounts—used on application servers for the application’s service—makes a low-impact password change very difficult, so the password is usually set to never expire. Because the account controls an important service (often on many servers), a compromise of the service account’s password is not something you want to happen. Though it may be difficult to solve the password-change problem, you can take steps to mitigate the risk of attack or accidental change. Give the accounts a naming convention that identifies them as service accounts and suggests what they’re used for. Put all of these accounts into a group named something like "Service Accounts" and apply a policy to your application servers that denies the "Log on Locally" right but allows "Log on as a Service". Keep them in their own OU so you can apply GPOs unique to their requirements.
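The OU, group and logon-right arrangement described above can be built and then checked from PowerShell. The script below is an added example and not the environment's own tooling: it creates the "Service Accounts" OU and group, moves every account that follows an assumed `svc-` naming prefix into them, and then, run on an application server after the GPO has applied, confirms that the group's SID appears in the deny-interactive-logon right and in the service-logon right. The OU name, the `svc-` prefix and the `-Verify` switch are assumptions; the GPO that sets the two user rights is created separately in Group Policy Management and is not part of the script.

```powershell
param(
    # Assumed switch: run with -Verify on an application server to check the effective rights.
    [switch]$Verify
)
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$OuName    = 'Service Accounts'            # assumed OU name
$OuDN      = "OU=$OuName,$DomainDN"
$GroupName = 'Service Accounts'            # group name suggested by the text
$Prefix    = 'svc-'                        # assumed naming convention

if (-not $Verify) {
    # Create the OU once, protected from accidental deletion.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
    # Create the security group inside that OU.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDN `
            -Description 'Application service accounts; interactive logon denied by GPO'
    }
    # Every account that follows the naming convention is moved into the OU and added to the group.
    foreach ($Acct in (Get-ADUser -Filter "Name -like '$Prefix*'")) {
        if ($Acct.DistinguishedName -notlike "*,$OuDN") {
            Move-ADObject -Identity $Acct.DistinguishedName -TargetPath $OuDN
        }
        Add-ADGroupMember -Identity $GroupName -Members $Acct.SamAccountName
    }
    # Report accounts that do not match the convention but look like service accounts,
    # i.e. non-expiring passwords outside the OU, so they can be renamed or moved.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordNeverExpires |
        Where-Object { $_.DistinguishedName -notlike "*,$OuDN" } |
        Select-Object Name, SamAccountName, DistinguishedName
}
else {
    # On the application server: export the effective user-rights assignment with secedit
    # and check both rights for the group's SID. "Log on Locally" is SeInteractiveLogonRight,
    # so the deny policy is SeDenyInteractiveLogonRight; "Log on as a Service" is SeServiceLogonRight.
    $GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value
    $Export   = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $Rights = Get-Content -Path $Export
    Remove-Item -Path $Export

    $DenyLine  = $Rights | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
    $AllowLine = $Rights | Where-Object { $_ -like 'SeServiceLogonRight*' }
    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        Group               = $GroupName
        DeniedLocalLogon    = [bool]($DenyLine  -like "*$GroupSid*")
        AllowedServiceLogon = [bool]($AllowLine -like "*$GroupSid*")
    }
}
```

Run `gpupdate /force` on the application server before `-Verify`; a `False` in either column means the GPO has not applied or a local policy overrides it. The last part of the creation branch is the check a practitioner usually wants afterwards: any enabled account with a never-expiring password that still lives outside the OU is a service account the naming convention has missed.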


  3. Limit Access to the Administrator Account
    You should severely limit the number of people who have access to the real Administrator account and password. For the highest level of security, consider the nuclear password option: two (or more) administrators each generate an eight-digit, random, strong password separately from each other; then each admin enters his password into the password field in turn. (For a good password generator, take a look at www.winguides.com/security/password.php.) The account now has a password of 16 digits or longer that requires at least two administrators to log on; one administrator can’t do it alone.
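Limiting access to the Administrator account is easier to maintain when you can see who holds it and whether it is being used for day-to-day work. The script below is an added example, not from the original page: it finds the built-in Administrator account by its well-known RID (500) rather than by name, reports when it last logged on and when its password was last set, and lists the recursive membership of the Domain Admins group so unexpected holders stand out. It assumes the RSAT ActiveDirectory module and read access to the domain; the 30-day "recently used" threshold is an assumption for this example.

```powershell
Import-Module ActiveDirectory

$Domain = Get-ADDomain
# The built-in Administrator account always has RID 500, even if it has been renamed.
$BuiltinAdmin = Get-ADUser -Identity "$($Domain.DomainSID.Value)-500" `
    -Properties LastLogonDate, PasswordLastSet, Enabled

# Assumed threshold: an account meant for emergencies only should not show recent logons.
$RecentDays = 30
$RecentlyUsed = $BuiltinAdmin.LastLogonDate -and
    $BuiltinAdmin.LastLogonDate -gt (Get-Date).AddDays(-$RecentDays)

[pscustomobject]@{
    AccountName     = $BuiltinAdmin.SamAccountName
    Enabled         = $BuiltinAdmin.Enabled
    LastLogonDate   = $BuiltinAdmin.LastLogonDate
    PasswordLastSet = $BuiltinAdmin.PasswordLastSet
    UsedInLast30d   = [bool]$RecentlyUsed
} | Format-List

# Recursive membership shows everyone who effectively holds domain-admin rights,
# including people reached only through nested groups.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Sort-Object objectClass, Name |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize
```

Note that `LastLogonDate` is replicated from `lastLogonTimestamp`, which is only updated when it is more than about 14 days old, so it is suitable for "has this account been used recently" but not for exact logon times; check the domain controllers' security logs for those. A `PasswordLastSet` that predates the two-administrator password ceremony means the joint password has not actually been applied.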