Without effective access controls it becomes difficult, if not impossible, to ensure the confidentiality, integrity and availability of IT services. Part of the challenge in controlling access is deciding how to design the process.
The IT Infrastructure Library, or ITIL, provides a best-practice reference for the access management process. Essentially, the process ensures that access to IT services is properly managed throughout the lifecycle of the service and the term of the employee. To understand this process a little bit better, let's look at some of the forces that make it necessary to control access to IT services.
Important factors for user access management
When creating an access management process for Windows, here are some questions to consider:
- What regulations are applicable and what are their access control requirements?
- What contracts does the organization have and do any of them spell out access control requirements?
- What does senior management expect in terms of managing access?
- What are the current access management capabilities of existing services such as the Windows domain and key applications?
Once the requirements have been established, Windows managers should develop a formal means for receiving access requests. Verbal requests are no longer acceptable. Because proper approvals and audit trails must be put in place to meet compliance requirements, access levels cannot be determined on the fly.
Windows managers should create and implement an access request form. Using a standardized form will provide an audit trail because every new permission and change request will be documented. It will also ensure there is a business need because every user must have a manager and a department head review and sign off on the request.
Defining user authentication methods
Next, a user authentication method must be determined. Some Windows shops require users to enter IDs and passwords at the Windows login. This unique user information is then verified against the Windows domain.
Although Windows supports a number of password complexity and aging controls, users are still going to write down passwords that are difficult to remember, which defeats the intent of password security policies. If this situation arises, strongly consider adding extra layers of authentication, such as token generators and biometrics.
Access management also requires managers to monitor changes in user status. These changes include when users switch departments, retire, go on leave or are terminated. To ensure that the IT staff is aware of departmental and user status changes, Windows managers should do the following:
- Make sure the human resources department includes IT as part of its process for new hires and transfers as well as for people leaving the organization.
- Stay in contact with the payroll department because the staff there is up to date on terminations and transfers.
- Obtain a copy of the monthly change-in-status report or employee transfer report. These reports help ensure that every change is accounted for, including in applications that manage their own user IDs and passwords rather than relying on the domain.
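As an added example (not part of the original article), the following PowerShell script reconciles a monthly change-in-status report against a snapshot of enabled domain accounts and flags accounts that no longer match the employee's HR status. The report columns, the account snapshot and the Find-AccessDrift function are assumptions; in production the account list would come from Get-ADUser rather than the constructed sample below.

```powershell
# Added example, not from the article: reconcile the HR change-in-status report
# with enabled domain accounts. Sample data is constructed inline; in production
# replace $enabledAccounts with:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties Department

# Constructed HR report: one row per status change this month (assumed columns).
$hrReport = @'
EmployeeId,SamAccountName,Action,NewDepartment,EffectiveDate
1001,jsmith,Terminated,,2008-03-03
1002,mlee,Transfer,Finance,2008-03-10
1003,rpatel,Leave,,2008-03-14
'@ | ConvertFrom-Csv

# Constructed snapshot of enabled domain accounts (stands in for Get-ADUser).
$enabledAccounts = @(
    [pscustomobject]@{ SamAccountName = 'jsmith'; Department = 'Sales' }
    [pscustomobject]@{ SamAccountName = 'mlee';   Department = 'Marketing' }
    [pscustomobject]@{ SamAccountName = 'rpatel'; Department = 'IT' }
    [pscustomobject]@{ SamAccountName = 'akim';   Department = 'IT' }
)

function Find-AccessDrift {
    param(
        [Parameter(Mandatory)] $HrRows,
        [Parameter(Mandatory)] $Accounts
    )
    # Index enabled accounts by logon name so each HR row is a single lookup.
    $byName = @{}
    foreach ($a in $Accounts) { $byName[$a.SamAccountName] = $a }

    foreach ($row in $HrRows) {
        $acct = $byName[$row.SamAccountName]
        if (-not $acct) { continue }   # already disabled or never provisioned
        $finding = $null
        if ($row.Action -eq 'Terminated') {
            $finding = 'Enabled account for terminated employee: disable and remove group memberships'
        } elseif ($row.Action -eq 'Leave') {
            $finding = 'Employee on leave still has an enabled account: disable until return'
        } elseif ($row.Action -eq 'Transfer' -and $acct.Department -ne $row.NewDepartment) {
            $finding = "Directory department ($($acct.Department)) differs from HR ($($row.NewDepartment)): review role-based group membership"
        }
        if ($finding) {
            [pscustomobject]@{ SamAccountName = $row.SamAccountName; Action = $row.Action
                               EffectiveDate = $row.EffectiveDate; Finding = $finding }
        }
    }
}

Find-AccessDrift -HrRows $hrReport -Accounts $enabledAccounts | Format-Table -AutoSize
```

With the constructed data the script reports three findings (jsmith, mlee and rpatel) and stays silent on akim, who has no HR change; each finding is a ticket for the access request process, not an automatic change.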
By following these steps, Windows managers can successfully create user access controls so that only authorized employees have access to the Windows domain.
George Spafford is a principal consultant with Pepperweed Consulting and helps IT organizations in the areas of technology and process implementation. Spafford is an experienced practitioner in many aspects of IT operations, including strategy and audits. He is a speaker on topics that range from security and IT governance to IT process improvement. He is the co-author of The Visible Ops Handbook.
This was first published in March 2008