PaulDotCom mailing list archives
Generic Users
From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Sun, 6 Jun 2010 09:52:16 -0500
If memory serves, SOX/J-SOX forbid the use of generic accounts. I don't think they're the worst thing in the world personally if they're only being used to gain access to a machine and then there's a secondary layer of authentication to the applications, but I'm not an auditor either. ________________________________ From: pauldotcom-bounces at mail.pauldotcom.com <pauldotcom-bounces at mail.pauldotcom.com> To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com> Sent: Sat Jun 05 23:58:16 2010 Subject: Re: [Pauldotcom] Generic Users Did they give a reason why a generic account is a bad thing? Personally, my biggest issue with those is accountability. Who is actually using those generic account? Those are typically shared accounts by different admins from my experience. Also, how do you keep control over who knows the password to those accounts? Some software, like SAP, force you to use generic accounts. In those cases, you should not make those accounts accessible over the network. Instead (this works for UNIX environments, have your users logon to the server and then su/sudo to that account. That leaves an audit trail. On Fri, Jun 4, 2010 at 5:45 PM, Vincent Lape <vlape at me.com<mailto:vlape at me.com>> wrote: Depending on the audit you can file a compensating control if the account uses a secure means of login. (such as ssh) and restrict where the accounts can login from and what commands the account can run. Without giving too much info what are these generic accounts used for? On Jun 4, 2010, at 1:59 AM, Cezar Spatariu Neagu <cezar.spatariu at gmail.com<mailto:cezar.spatariu at gmail.com>
wrote:
Hi all, I would like to ask you all about some "best practices" regarding generic users. I had an internal audit that point out that i do use generic users. My solution before this was to create many of them with very few rights. And I have some that I use in configuration files and I can not change the password. How shall I treat this issue? Thank you for the your inputs. Cezar Spatariu _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com<mailto:Pauldotcom at mail.pauldotcom.com> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com<http://pauldotcom.com/>
_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com<mailto:Pauldotcom at mail.pauldotcom.com> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com<http://pauldotcom.com/> ****************************************************************************** This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than the named recipient of this email, and is to be used only for the intended purpose of this communication. ****************************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100606/99d1b619/attachment.htm
Current thread:
- Generic Users Cezar Spatariu Neagu (Jun 04)
- Generic Users Vincent Lape (Jun 04)
- Generic Users Francois Lachance (Jun 05)
- Generic Users Butturini, Russell (Jun 06)
- Generic Users Francois Lachance (Jun 05)
- Generic Users Vincent Lape (Jun 04)