RFC 1244 Site Security Handbook July 1991
9800 Savage Road
Ft Meade, MD 20755-6000
CSC = Computer Security Center:
an older name for the NCSC
NTISS = National Telecommunications and
Information Systems Security
NTISS Committee, National Security Agency
Ft Meade, MD 20755-6000

[CSC]
Department of Defense, "Password Management Guideline",
CSC-STD-002-85, 12 April 1985, 31 pages.

The security provided by a password system depends on
the passwords being kept secret at all times. Thus, a
password is vulnerable to compromise whenever it is used,
stored, or even known. In a password-based authentication
mechanism implemented on an ADP system, passwords are
vulnerable to compromise due to five essential aspects
of the password system: 1) a password must be initially
assigned to a user when enrolled on the ADP system;
2) a user's password must be changed periodically;
3) the ADP system must maintain a 'password
database'; 4) users must remember their passwords; and
5) users must enter their passwords into the ADP system at
authentication time. This guideline prescribes steps to be
taken to minimize the vulnerability of passwords in each of
these circumstances.

[NCSC1]
NCSC, "A Guide to Understanding AUDIT in Trusted Systems",
NCSC-TG-001, Version-2, 1 June 1988, 25 pages.

Audit trails are used to detect and deter penetration of
a computer system and to reveal usage that identifies
misuse. At the discretion of the auditor, audit trails
may be limited to specific events or may encompass all of
the activities on a system. Although not required by
the criteria, it should be possible for the target of the
audit mechanism to be either a subject or an object. That
is to say, the audit mechanism should be capable of
monitoring every time John accessed the system as well as
every time the nuclear reactor file was accessed; and
likewise every time John accessed the nuclear reactor
file.

Site Security Policy Handbook Working Group [Page 96]