Security+: Account Management Best Practices (SY0-401) [DECOMMISSIONED ARTICLE]

February 1, 2018 by Fakhar Imam

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


In the evolving world of cybercrime, malicious actors pose grave threats to the authentication mechanisms of individuals and companies. Fortunately, Security+ candidates learn account management best practices that strengthen those mechanisms. Below are some examples of account management best practices that are important to learn when taking the Security+ exam.

What Can You Do to Mitigate Issues Associated With Users Who Have Multiple Accounts/Roles/Shared Accounts?

Most organizations set standards and parameters and require their employees to conform to these policies. However, organizations must consider employees’ capabilities when establishing these parameters. For example, if the people in an enterprise are not computer savvy, its IT managers will need a good deal of time to teach them how to use authentication features such as password recovery and remembering passwords.

If a user has multiple roles within the company, each role should have a separate user account. The user may also have administrative accounts alongside local accounts. However, having multiple accounts puts an extra burden on her to keep each set of credentials separate. To resolve this issue, the user can employ multifactor authentication, which prevents the same password from being used for every account.

Another user-related issue is that users often forget to sign out of their accounts when they leave the office at the end of the day. To avert this, organizations should implement multifactor authentication that could include a smart card as part of the login process. Some smart card authentication systems require the user to keep the card inserted until the end of the workday; when the user removes the smart card, the authentication system logs her out automatically.

User-related authentication issues have become grave concerns for organizations today. Below are some guidelines that are helpful when setting up authentication security:

  • User awareness and training with regard to authentication should be a top priority for companies when addressing IT security. Users should not use common and predictable passwords such as 1234, 0000, or the names of prestigious athletes, teams, or sports tournaments (such as “SuperBowl” every February). In December 2017, SplashData (makers of the password managers Teams ID, Splash ID, and Gpass) published its annual list of the worst passwords of the year.
  • Always use identity proofing whenever an issue arises between identification and authentication. Identification is accomplished when a user types his login name into the log-on form. The authentication process starts when the user accesses the resource by providing the proper password.

Authentication Protocols: Various authentication protocols are available that can be used to authenticate a user to a system. These include:

  • HMAC-Based One-Time Password (HOTP)
  • Time-Based One-Time Password (TOTP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Password Authentication Protocol (PAP)

What Do I Need to Know About Account Policy Enforcement for the Exam?

Account policy enforcement encompasses important features of passwords, such as the use of letters, numbers, and special characters, the password change period, and so on. Users must use complex passwords that are highly resistant to attacks (such as dictionary attacks), because weak passwords offer malicious actors many potential avenues of attack. Account policy enforcement corrects the risky behaviors of those who are unable to choose strong passphrases and memorize them. Below are some essential elements of account policy enforcement.

Credential Management: This is a software product or service designed to manage, track, and store user credentials. Organizations can employ hundreds or thousands of employees for whom credential management is an essential element of their overall security plan. It can also be used for end-user deployments. A person could store all of their online credentials in a cloud-based or local digital container. There are several examples of these products such as Dashlane, KeePass 2, 1Password, and LastPass.

Group Policy: Group Policy is a Microsoft Windows feature used to control user accounts. Group Policy uses Active Directory to provide configuration of user settings, applications, and even operating systems. Active Directory automates network management of user accounts, their security, and distributed resources. Group Policy also involves the Group Policy Object (GPO), a set of registry settings that can be applied during the boot-up process of a system or when the user logs in. A GPO also provides numerous credential settings, such as password length, password history, and password complexity requirements.

Password Complexity: Settling on stringent password requirements can be a Gordian knot. On one hand, passwords may need to combine numbers, letters, special characters, and their combinations. On the other, complex passwords are difficult for users to memorize. The most common standard today calls for eight characters (uppercase and lowercase) that might include one or more of the following sets:

  • Non-alpha characters (!, #, $, %, ^, and so on)
  • 0-9
  • A-Z
  • a-z

Expiration: Although long and complex passwords can remain static, many organizations set a password expiration period, which is 90 days by a common rule of thumb, to force workers to change their passwords. In some circumstances, the password change is imperative, such as:

  • When the password violates corporate password policy
  • When the password is weak and insecure
  • When it is being reused by someone else
  • When it has been compromised through a system intrusion

Recovery: Password recovery is used when a user forgets her password. However, recovering the old password is not a good approach. Therefore, the user must change the password instead of recovering it.

Disabling: When a user leaves an organization for a certain period (for example, maternity leave), her account should be disabled until she returns to the office. If she leaves the company or gives up her responsibilities for good, the account should be terminated permanently.

Lockout: Repeated failed attempts are a clear indication that someone is trying to access the account with malicious intent. Would-be attackers often make such attempts until they find a match for the real password. If someone enters an incorrect value repeatedly, the account should be locked out immediately. A lockout policy should incorporate Account Lockout Duration, Account Lockout Threshold (the number of failed login attempts that triggers the lockout), and Reset Account Lockout Counter After (which specifies the time to wait before the account is locked).

Password History and Reuse: Password history is used to track previous passwords (by archiving) to prevent the reuse of passwords. Password reuse takes place when someone uses the previous password on the same computer.

Password Length: Password strength can be measured in terms of its length and complexity. Passwords shorter than 7 characters offer miscreants myriad potential avenues of attack. Today, passwords of at least 8 characters are considered secure against password attacks including dictionary attacks, brute force attacks, rainbow tables, phishing, and social engineering.
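The complexity, expiration, history, and length rules above can be enforced in a single validator. The following is an added example, not code from the article or from any product: it checks a candidate password against a minimum length, a minimum number of character classes, a blocklist of common passwords, the user's own name, and a history of previously used passwords. Only salted PBKDF2 hashes of old passwords are kept, so the history itself does not expose them. The policy values, the blocklist contents (a stand-in for a list such as SplashData's), and the function names are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date
from typing import List, Tuple

# Constructed blocklist of common passwords (stand-in for a published worst-passwords list).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "1234", "0000",
                    "superbowl", "football", "letmein", "admin"}

# Example policy values; the 8-character minimum and 90-day age follow the article's figures.
POLICY = {
    "min_length": 8,       # Minimum password length
    "min_classes": 3,      # character classes required out of the four below
    "history_depth": 5,    # Enforce password history: how many old passwords are remembered
    "max_age_days": 90,    # Maximum password age
}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),   # non-alpha characters such as ! # $ %
}

PBKDF2_ROUNDS = 100_000

HistoryEntry = Tuple[bytes, bytes]   # (salt, pbkdf2 digest)


def hash_password(password: str, salt: bytes = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256; the history stores only these, never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history_entry(password: str, entry: HistoryEntry) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate: str, username: str, history: List[HistoryEntry],
                       policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(candidate))
    if classes < policy["min_classes"]:
        problems.append("not complex enough")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    # Only the most recent `history_depth` entries count toward reuse.
    for entry in history[-policy["history_depth"]:]:
        if matches_history_entry(candidate, entry):
            problems.append("reused password")
            break
    return problems


def password_expired(set_on: date, today: date, policy: dict = POLICY) -> bool:
    """True once the password is at least `max_age_days` old."""
    return (today - set_on).days >= policy["max_age_days"]


if __name__ == "__main__":
    history = [hash_password("Correct-Horse-7")]
    print(check_new_password("1234", "alice", history))             # several violations
    print(check_new_password("Correct-Horse-7", "alice", history))  # reused password
    print(check_new_password("Battery-Staple-9", "alice", history)) # [] (accepted)
    print(password_expired(date(2018, 1, 1), date(2018, 4, 1)))     # True: 90 days old
```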

Generic Account Prohibition: This rule states that no generic, anonymous, or shared account should be used in a system or network where security is indispensable. In fact, generic accounts subvert accountability: if a user violates company policy, he can be held accountable for his action only if he has a unique account. With a generic account, by contrast, numerous individuals could be held responsible for a single deplorable act.

What Do I Need to Know About Group-based and User-Assigned Privileges?

Using group-based privileges, the administrator grants access to a resource to all group members collectively instead of granting separate access to each member. Every member receives the same access. Several operating systems, including Windows, Linux, and UNIX, apply group-based privileges to every subject. Another important consideration when assigning group-based privileges is the principle of least privilege: the minimum level of access that still lets users perform a particular task.

User-assigned privileges are granted by the user who owns the object. For example, Windows files often carry two kinds of permissions: read-only, or both read and write. The user may grant permission depending on whether the recipient of the file is trusted. In Linux, every object has an assigned owner. In Windows, on the other hand, an access control entry (ACE) names a user and either grants or denies permissions on the object.
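The two sections above describe group grants, per-user ACEs, and least privilege; the following is an added example, not code from the article or from Windows, that evaluates a small Windows-style ACL to show how they combine. A group ACE gives every member the same rights, an explicit deny ACE for one user overrides any allow, and `excess_rights` performs the least-privilege review by comparing what a user can do with what the task needs. The group directory, the `ACE` class, and the ledger ACL are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Constructed directory: group name -> member user names.
GROUPS = {
    "finance": {"alice", "bob"},
    "auditors": {"carol"},
    "admins": {"dave"},
}


@dataclass(frozen=True)
class ACE:
    """One access control entry: a principal (user or 'group:<name>'), rights, allow or deny."""
    principal: str
    rights: FrozenSet[str]
    allow: bool = True


def principals_for(user: str) -> Set[str]:
    """The user's own name plus a 'group:<name>' token for every group they belong to."""
    names = {user}
    names.update("group:" + g for g, members in GROUPS.items() if user in members)
    return names


def effective_rights(user: str, acl: List[ACE]) -> Set[str]:
    """Union all matching allow ACEs, then subtract every matching deny ACE.

    Deny taking precedence over allow mirrors how an explicit deny on a user
    overrides rights that user would otherwise inherit from a group grant.
    """
    names = principals_for(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal in names:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def can(user: str, acl: List[ACE], right: str) -> bool:
    return right in effective_rights(user, acl)


def excess_rights(user: str, acl: List[ACE], needed: Set[str]) -> Set[str]:
    """Least-privilege review: rights the user holds beyond what the task requires."""
    return effective_rights(user, acl) - set(needed)


# Constructed ACL for a shared ledger file.
LEDGER_ACL = [
    ACE("group:finance", frozenset({"read", "write"})),
    ACE("group:auditors", frozenset({"read"})),       # auditors only need to read
    ACE("bob", frozenset({"write"}), allow=False),    # user-specific deny overrides the group grant
]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_rights(user, LEDGER_ACL)))
    # If alice's task only requires reading, the review flags her write right.
    print("alice excess:", sorted(excess_rights("alice", LEDGER_ACL, {"read"})))
```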

What Are the Best Practices When It Comes to Continuous Monitoring?

Continuous monitoring ensures user accountability through user access reviews. It acts as a deterrent that discourages users from violating rules, regulations, or company policy. Continuous monitoring is very effective for security contractors and government bodies, especially security-related ones.

To make it more effective, continuous monitoring of users should commence as soon as they arrive at the office and continue until they leave at the end of the day. During that time, all of their activities, including access to resources and services, should be tracked.
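A day's worth of login, logout, and resource-access events is the raw material for the access review the section describes. The following is an added example, not code from the article or from any monitoring product: it parses constructed log lines, flags access to a resource outside the user's entitlements, flags access with no open session, and reports sessions still open at end of day (the forgotten sign-out discussed earlier). The log format, the entitlement table, and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed log format: ISO timestamp, user, event, optional resource.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\w+) (?P<event>LOGIN|LOGOUT|ACCESS)(?: (?P<resource>\S+))?$"
)

# Constructed entitlement table: which resources each user is approved to use.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"ledger", "payroll"},
    "bob": {"ledger"},
}

# Constructed sample log for one working day (not from any real system).
SAMPLE_LOG = """\
2018-02-01T08:02:11 alice LOGIN
2018-02-01T08:15:40 alice ACCESS ledger
2018-02-01T09:01:05 bob LOGIN
2018-02-01T09:30:00 bob ACCESS payroll
2018-02-01T17:05:00 alice LOGOUT
"""


def review_day(log_text: str, entitlements: Dict[str, Set[str]] = ENTITLEMENTS) -> List[Tuple]:
    """Walk the day's events in order and return review findings as tuples."""
    findings: List[Tuple] = []
    open_sessions: Dict[str, str] = {}   # user -> login timestamp
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparsed line", line))
            continue
        ts, user, event, resource = m["ts"], m["user"], m["event"], m["resource"]
        if event == "LOGIN":
            open_sessions[user] = ts
        elif event == "LOGOUT":
            open_sessions.pop(user, None)
        elif event == "ACCESS":
            if user not in open_sessions:
                findings.append(("access without session", user, resource))
            if resource not in entitlements.get(user, set()):
                findings.append(("access outside entitlement", user, resource))
    # Anything still open at end of day is a session the user never closed.
    for user, ts in open_sessions.items():
        findings.append(("never logged out", user, ts))
    return findings


if __name__ == "__main__":
    for finding in review_day(SAMPLE_LOG):
        print(finding)
```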

Are You a Security+ Aspirant and Looking for Some Help?

If yes, then InfoSec Institute is the right choice for you. InfoSec offers a Security+ Boot Camp that teaches you the theory and reinforces it with hands-on exercises that help you “learn by doing.”

Moreover, InfoSec has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.

InfoSec also offers thousands of articles on all manner of security topics.

Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related subjects.