Administrator password policy management - reset forgotten passwords - solutions and tools from OSM

Administrator password policy management (including reset for forgotten passwords) for enterprise scale computing having a UNIX, Linux and Windows infrastructure


This page reviews the need for administrator password policy management (where "administrator" covers root, superuser and equivalent privileged accounts), including the reset of forgotten passwords, in enterprise scale computing environments with a Unix, Linux and Windows infrastructure. In such facilities the need may scale all the way from managing the root password of a single SUSE server to a policy covering the administrator passwords of an entire network of systems, where synchronization of those passwords is essential.

Administrator password management policy presents a significant challenge to enterprise scale computing using Unix, Linux and Windows servers. The intended openness of these platforms leaves administrators (the superuser or root) free to roam anywhere within the system, even after measures have been taken to guard and enforce their use of passwords. Application users are more tightly controlled; their problems are more often the insecure personal workarounds they adopt to avoid forgotten passwords, and the consequences of requesting a password reset when they do forget. Against all advice, users write their passwords on sticky notes, which are all too easily discovered by a malicious party.

Implementing password policy management for administrator, superuser, and root accounts, plus reset for forgotten passwords by means of COSduty-SSA

Although it may not be immediately obvious to technical IT personnel, password policy management, in particular in connection with system administrators, superusers and others who access the root account, is of vital importance in demonstrating an organization's compliance with recent US and European legislation (Sarbanes-Oxley in the USA and similar European Directives) on corporate governance.

The essence of the legislation is to protect the integrity of the financial information provided to the public. That integrity is difficult to prove when privileged IT users, typically system administrators, have unlimited access rights to critical IT systems. Unlimited access (by virtue of knowing the superuser password) has to be controlled in several ways, the first being the management of policy and passwords for the process of logging on to the account. In this context policy must cover every area in which passwords may be vulnerable, particularly where personnel take measures to avoid forgotten passwords, for example by writing them down, so as to avoid the inconvenience of a password reset. This applies to systems of all sizes, from the holder of the SUSE root password on a single Linux server to the top system administrator of many resources.

A software product of particular value in this area is COSduty-SSA, one of whose functions is widespread and thorough control of all aspects of passwords and the login process. Another of its main functions is to limit the unrestricted freedoms of system administrators and to audit their activity, so as to prove that IT services are making their full contribution to data integrity and compliance.

In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive ROI even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:

  • encapsulating the majority of privileged routines in menu- and form-driven procedures
  • requiring administrators to request privileged sessions on particular systems for particular periods of time
  • allocating only that subset of commands required to carry out a requested function
  • auditing all activity and reporting on those audit trails
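The four controls above amount to a "just enough, just in time" model of privileged access: a session is granted for one system and one bounded period, only the commands needed for the requested function are permitted, and every decision is recorded. As an added illustration, which is not COSduty-SSA's own code and does not reflect its policy format (the page does not describe either), the following Python models that pattern end to end. The system names, function names, the POLICY table, the account names and the timestamps are all constructed for the example.

```python
"""Model of time-boxed privileged sessions with a per-function command allowlist and audit trail.

Constructed example; not COSduty-SSA's code or its policy format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import shlex

# Hypothetical policy: for each system, the privileged functions an administrator may
# request and the only programs each function is allowed to run. Program names carry no
# path; the launching wrapper is expected to resolve them from a fixed, trusted PATH.
POLICY = {
    "web01": {"restart-web": {"systemctl", "journalctl"}},
    "db01":  {"backup-db": {"pg_dump", "ls"}},
}

# Shell metacharacters that would let an allowlisted program chain into an arbitrary one
# if the command line were ever handed to a shell ("systemctl ...; bash").
CHAIN_CHARS = set(";&|`$<>(){}\n")


@dataclass
class Session:
    admin: str
    system: str
    function: str
    expires: datetime


@dataclass
class Auditor:
    """Append-only audit trail; one record per authorization decision, allowed or not."""
    records: list = field(default_factory=list)

    def log(self, now, session, command, decision, reason):
        self.records.append({
            "time": now.isoformat(), "admin": session.admin, "system": session.system,
            "function": session.function, "command": command,
            "decision": decision, "reason": reason,
        })


def request_session(admin, system, function, minutes, now):
    """Grant a privileged session only for a known system/function and a bounded period."""
    if function not in POLICY.get(system, {}):
        raise PermissionError(f"no privileged function {function!r} on {system!r}")
    if not 0 < minutes <= 240:
        raise ValueError("session length must be between 1 and 240 minutes")
    return Session(admin, system, function, now + timedelta(minutes=minutes))


def authorize(session, command, now, auditor):
    """Decide whether one command may run under the session; every decision is audited."""
    if now >= session.expires:
        auditor.log(now, session, command, "deny", "session expired")
        return False
    if CHAIN_CHARS & set(command):
        auditor.log(now, session, command, "deny", "shell metacharacter")
        return False
    try:
        argv = shlex.split(command)
    except ValueError:
        auditor.log(now, session, command, "deny", "unparseable command")
        return False
    program = argv[0] if argv else ""
    # Exact match only: "/tmp/systemctl" does not match "systemctl", so a lookalike
    # binary dropped elsewhere on the filesystem is not accepted.
    allowed = POLICY[session.system][session.function]
    if program not in allowed:
        auditor.log(now, session, command, "deny", f"{program!r} not in allowlist")
        return False
    auditor.log(now, session, command, "allow", "allowlisted")
    return True


def demo():
    """Walk one session through allowed, chained, off-policy and late commands; returns the audit trail."""
    t0 = datetime(2005, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    auditor = Auditor()
    s = request_session("alice", "web01", "restart-web", 30, t0)
    authorize(s, "systemctl restart httpd", t0 + timedelta(minutes=1), auditor)
    authorize(s, "systemctl restart httpd; bash", t0 + timedelta(minutes=2), auditor)
    authorize(s, "useradd eve", t0 + timedelta(minutes=3), auditor)
    authorize(s, "journalctl -u httpd", t0 + timedelta(minutes=45), auditor)
    return auditor.records


if __name__ == "__main__":
    for r in demo():
        print(r["time"], r["admin"], r["decision"], r["command"], "-", r["reason"])
```

The program-name allowlist is only the first filter. Many administrative tools can spawn a shell or editor themselves (journalctl and systemctl both invoke a pager by default, and systemctl edit opens an editor), so a production implementation must also constrain arguments and the environment of the launched program, and the audit record should be written somewhere the administrator being audited cannot alter.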

In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the measures required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and the role of products such as COSduty-SSA remains difficult to visualize, please feel free to contact OSM for relevant information at any level. Alternatively, return to the COSduty-SSA web site and help yourself.



(c) Copyright 2005 www.cosduty.com