3 ไม่มีการกำหนดและบังคับใช้นโยบายรห

3 do not have to define and enforce password policies.From the review to define and enforce password policies for OS HP-UX GFUX125 GFUX102 hosting machine and found that at present do not have to define and enforce password policies to control security and user account logon attempts as well as work performed by non-authorized users by guessing the password of a user account that has no password available with sufficient complexity, high non-defining and enforce password policies pose a risk to the security of information technology, for example, users might not be able to perform.The password is complex enough, and change your password regularly. To prevent guessing passwords from malicious users or intruders system. Should be set and enforce password policies to prevent risks to the information technology security by implementing password policy should include the following policy.• The length of the password: 6-8. The letters• Lifetime password: 60-90 days.• Lifetime minimum password: 1 Day• To prevent duplicate password usage: 8-12. Times.• To access the password if the password is not valid: 3-5. Times. 4 are allowed to log on using a user account directly to the Root.To review the configuration of secure channel to log on by using an account Root file/etc/securetty information and history of the user account from the Last command that is allowed to use the Root user account to gain access to the operating system directly. Medium to allow access to the operating system by using the Root user account directly through Telnet, for example, pose a risk to the security of the information, such as passwords, are capturing because the communication channel is encrypted, including the administrator of security products.Fewer can check back if any admin officer as a Root user account should be carried out to define the channel security for the Root user account by using a secure Protocol, as well as forcing users to authenticate a user before and regular action to change the Root user permissions by using the Switch user (SU) in order to retain the ability to check back if any worker representative as the user Root account during those times.There are 5 user accounts that are not being used, the operating system is on hold.From the user accounts list to review the work on the HP-UX operating system, found that there is a user account that does not have the remain active on the system.GFUX102 user account that does not have an active user account on hold 18.GFUX125 user account that does not have an active user account on hold 12.See more details in Appendix 1. intermediate accounting users who do not have the remain active on the system, causing a risk of intrusion system. Based on the user account because there is no responsible and difficult to verify should be to review the list of user accounts on the Windows operating system on a regular basis. By and suspend or cancel user accounts that are not being used. 6 use a shared account in the group who developed the system.From the review list of operating system user account, HP-UX, GFUX125 and GFUX102 found that the host is using a shared account in the group who developed the system (KCSUSR01), moderate use of shared accounts pose risk to the effectiveness of the monitoring system because it cannot be verified, return it in case of malfunction occurred due to the user account that is shared. The user account should be given of the individual officers clearly. In order to determine the responsibility for the use of personal user account and cancel the central user account sharing. There are 7 legal services network that has security risk.From a review of network services enabled on the machine hosting GFUX102 and GFUX125 found that the service is being used on a network that has a security risk because it is not encoded as follows:• Telnet• Ftp• Moderate Tftp service on a network that does not have encryption, pose a risk to the security of information technology, for example, has been capturing and stealing passwords should have to suspend services on a network that has a security risk by using the network services that are Secure, encrypted FTP Secure Shell and as a substitute.In case of need to use the task should suspend service on a network that has a security risk through the public network. Technical control – Oracle database management system.8 there is no enforcing password policies and password has not been changed, that is the default password on the system installation.From the review to define and enforce password policies database management system Oracle found that currently do not have to define and enforce password policies to control security and user accounts. In addition, the review of available user account password that is installed with database management systems. I found that there are a number of user accounts, user accounts, 5 that is installed with database management system does not have to change their password from the default values. In the following ways:• SYS• SYSTEM• OUTLN• DBSNMP• Highest non-PERFSTAT define and enforce password policies pose a risk to the security of information technology, for example, the user may not assign a password with sufficient complexity and change your password regularly. To prevent guessing passwords from malicious users or intruders system.In addition, the password for the user account that installed with the database management system is a password that is known to be common. To keep the password installed with the system, causing a risk of access to the user account, group by not allowed. Should be set and enforce password policies to prevent risks to the information technology security by implementing password policy should include the following policy.• The length of the password: 6-8.

3. No define and enforce password policies
based on a review to define and enforce password policies HP-UX operating system and server GFUX102 GFUX125 find that there are no set and enforce password policies. To control and secure user accounts. Such efforts into the system by those who are not authorized by guessing the password of an account that does not use a password that is complex enough height to not set and enforce password policies pose. risk and safety technology. For example, users may not carry a password that is complex enough, and change passwords regularly. To prevent password guessing of compromise or intruder system. Should be established and enforced password policies to protect vulnerable to security technology. The password policy should include the following policy
•. Password length: 6-8 characters
• Lifetime password: 60-90 days
• lifetime of a minimum of 1 day
• Use password protection, repeat 8-12 times
• a. disabling the password if the password is correct: 3-5 4 are allowed to log on with a user account and Root directly from audit to determine the safest way to enter the operating system. The Root account in the file / etc / securetty. And history of the Last account found to be authorized to use the account to access the operating system directly Root medium. Allowing access to the operating system using Root account directly through channels such as Telnet pose a risk to security information such as passwords are intercepted as communication channels are unencrypted. The administrator of safety can not be traced back to the administrators and their user account Root should carry the channel is safe for the user accounts Root using. Protocol that is safe Including forcing users to perform user authentication is normal before. And the change of the user Root by using the Switch user (SU) to be able to trace back the staff worker you are a user account Root in that period. said 5 With an account that has not been used and still remain on the operating system from the review list of user accounts on the operating system HP-UX find an account that is not in use, hold on. Login GFUX102 User accounts that are not in use, the outstanding 18 account GFUX125. User accounts that are not in use, the outstanding 12 account detail in Appendix 1. The average account balance is not already in use on the system causing the risk. attack Based on such an account. Since no responsibility and difficult to detect. There should be a review of the list of user accounts on the system regularly. And suspend or terminate the accounts of users who do not use, then 6. The user account sharing among developed from a review of the account of the operating system HP-UX server GFUX102 and GFUX125 find a user account sharing in groups. The system development (KCSUSR01) Average user account sharing pose risk to the effectiveness of the monitoring system, since it can be traced back to the case of failure of the active user accounts. the sharing. Should be given an account of individual officers clearly. To define the responsibilities of work and personal accounts. And cancel the account, having shared 7. The use of network services at risk the safety of the review to enable network services over a GFUX102 and GFUX125 found that the use of network services with risk. The security because no coding follows • Telnet • Ftp • TFTP moderate use network services with no encryption. Pose a risk to security technology. Such as being intercepted and stolen passwords. Should be suspended service networks are vulnerable to security and network services by using an encrypted Secure Shell and Secure FTP as an alternative if required. Should suspend service network security at risk over a public network control technique - RDBMS Oracle 8 does not enforce a password policy. And does not change the password as the password from the initial installation of the review to define and enforce password policies Oracle database management system that is not set and enforce a password policy. To control and secure user accounts addition, based on a review of the password of the user account that is equipped with a database management system. Found to account for 5 accounts are now equipped with a database management system did not change the password from the default, the following • SYS • SYSTEM • OUTLN • Dbsnmp • PERFSTAT height not defined. and enforce password policies pose a risk to security technology. For example, users may not carry a password that is complex enough, and change passwords regularly. To prevent password guessing from an unauthenticated attacker or system except that the password of an account that is equipped with a database management system is a password that is known to the public. Static password that is installed with the system causing the risk of using the account prior permission should be established and enforced password policies to protect vulnerable side. Information Technology Security The password policy should include the following policy •. Password length: 6-8 in.

3 not defined and enforced password policy
.From the review to define and enforce password policy server and operating system HP-UX GFUX102 GFUX125 found that no current to define and enforce policies password. To control and security, user accountHigh, not define and enforce password policies pose a risk to security information technology Users may not run as password change password sufficiently complex and regularly.There should be defined and enforced password policy to prevent the risk of the security information technology. By password policy should consist of the following policy
.- the password length: 6-8 character
- life password: 60-90 day
* Minimum password lifetime: 1 day
* Protected password again: 8-12 times
* Suspension use password password is incorrect: the case 3-5 time




.4 are allowed to login using your user account Root directly
.From the Review Determination of safe passage to the operating system by the user account Root in data file / etc / securetty. And the usage history user accounts from the order Last was found to be allowed to use the user account Root.Medium, allowing the log operation using user account Root directly through channels such as Telnet pose a risk to security information. Such asIncluding the administrator security cannot be traced back as staff administrator any user account user. Root should the safe channel for use by Protocol Root user account.Forcing users to process including user authentication is normal. Operations and turning right is Root users by using command Switch user (SU).In the period Root
.5 have a user account that has not been used to hold on the operating system
from review on operating HP-UX list of user accounts. Found that the user account inactivity and hold on systems
.GFUX102 user account inactivity and outstanding 18 user account
GFUX125. User account inactivity and outstanding 12 user account
see details in Appendix 1.Intermediate account inactivity and hold on systems pose a risk in the intrusion detection system. Based on the user account Since there is no responsible and difficult to check.By and suspended or cancelled account inactivity and
.6 use user account together in groups, the development of the system.Review the list of user accounts from the operating system and HP-UX server GFUX102 GFUX125 found that use user account together in a developer system. (KCSUSR01) medium.Should set the user account of individual staff clearly. To determine the responsibility to use personal account And cancel the account sharing
.7 is active service on the network with the risk the safety cable.From review the enabled service on the server and network GFUX102 GFUX125 found that use the services network security risk because no coding as
* Ftp Telnet
-
.Education Tftp medium, use the network service, no coding. Pose a risk to security technology. Such as being caught and steal passwords.Such as Secure and Shell Secure FTP compensation
.