If memory serves, SOX/J-SOX forbid the use of generic accounts. I don't think 
they're the worst thing in the world personally if they're only being used to 
gain access to a machine and then there's a secondary layer of authentication 
to the applications, but I'm not an auditor either.

________________________________
From: [email protected] 
<[email protected]>
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Sent: Sat Jun 05 23:58:16 2010
Subject: Re: [Pauldotcom] Generic Users

Did they give a reason why a generic account is a bad thing?  Personally, my 
biggest issue with those is accountability.  Who is actually using those 
generic accounts?  Those are typically accounts shared by different admins, in 
my experience.  Also, how do you keep control over who knows the password to 
those accounts?

Some software, like SAP, forces you to use generic accounts.  In those cases, 
you should not make those accounts accessible over the network.  Instead (this 
works for UNIX environments), have your users log on to the server and then 
su/sudo to that account.  That leaves an audit trail.
On Fri, Jun 4, 2010 at 5:45 PM, Vincent Lape <[email protected]> wrote:
Depending on the audit, you can file a compensating control if the
account uses a secure means of login (such as ssh) and restrict where
the accounts can log in from and what commands the account can run.
Without giving too much info, what are these generic accounts used for?
On Jun 4, 2010, at 1:59 AM, Cezar Spatariu Neagu <[email protected]> wrote:

> Hi all,
>
> I would like to ask you all about some "best practices" regarding
> generic users. I had an internal audit that pointed out that I do use
> generic users.
> My solution before this was to create many of them with very few
> rights.
> And I have some that I use in configuration files and I cannot change
> the password.
> How shall I treat this issue?
>
> Thank you for your inputs.
>
> Cezar Spatariu
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



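The su/sudo arrangement suggested in the thread (take the vendor-mandated account off the network, let named admins switch to it, and let sudo's log carry the accountability), as an added example that is not part of any message above. It assumes a generic account named sapadm, an admin group sapadmins, two assumed command paths under /usr/sap/bin, and constructed sudo syslog lines.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the vendor-mandated
# generic account is "sapadm", the named admins are in group "sapadmins",
# and the only commands they need are two assumed paths under /usr/sap/bin.
GENERIC_ACCT="sapadm"
ADMIN_GROUP="sapadmins"

# Root commands that take the generic account off the network: no password
# login and no SSH, so the only way to become it is su/sudo from a named
# user. Printed, not executed, so the script is safe to run anywhere.
harden_generic_account() {
    cat <<EOF
passwd -l $GENERIC_ACCT
printf 'DenyUsers $GENERIC_ACCT\n' >> /etc/ssh/sshd_config
EOF
}

# sudoers fragment: the admin group may run only the listed commands as the
# generic account; every invocation is logged under the admin's own name.
sudoers_fragment() {
    printf '%%%s ALL=(%s) /usr/sap/bin/startsap, /usr/sap/bin/stopsap\n' \
        "$ADMIN_GROUP" "$GENERIC_ACCT"
}

# The audit trail: sudo logs one syslog line per attempt naming the real
# user. Read log lines on stdin, keep those targeting the generic account,
# and print "OK|DENIED <real user> <command>" for each.
attribute_sudo_use() {
    awk -v acct="$GENERIC_ACCT" '
        /sudo:/ && index($0, ("USER=" acct " ;")) {
            sub(/.*sudo:[ \t]*/, "")   # drop syslog prefix; $1 is now the real user
            who = $1
            verdict = ($0 ~ /command not allowed/) ? "DENIED" : "OK"
            sub(/.*COMMAND=/, "")      # keep only the command that was run
            print verdict, who, $0
        }'
}

# Constructed sample log lines in the format sudo writes to syslog.
SAMPLE_LOG='Jun  5 23:58:16 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=sapadm ; COMMAND=/usr/sap/bin/stopsap
Jun  5 23:59:02 host sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=sapadm ; COMMAND=/bin/bash
Jun  6 00:01:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'

harden_generic_account
sudoers_fragment
printf '%s\n' "$SAMPLE_LOG" | attribute_sudo_use
```

The third sample line targets root rather than the generic account and is skipped, so the report lists only who became sapadm and what they ran or were refused.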