IT Policies - Accounts
UNDER CONSTRUCTION
Purpose
To define the function and use of accounts for the MRI Windows Domain.
Scope
This policy applies to all account holders within the MRI Windows Domain.
Policy
Anyone with a Penn State Access Account (i.e., a Penn State user) within the Materials Research Institute community who requests use of services within the MRI Windows Domain requires an MRI Windows Domain Account.
Usernames
A user's username for a domain account will be the user's Penn State Access Account username (i.e., xyz123). By using the Penn State format as a standard, the MRI IT Group is better able to audit accounts to determine when a user is no longer associated with the University. As such, domain accounts will only be created after the Penn State Access Account has been created.
Passwords
Prior to July 1, 2007, passwords for domain accounts have the following characteristics:
- Maximum password age = 180 days
- Minimum password age = 14 days
- Minimum password length = 6 characters
- Enforce password history = 4 passwords remembered
- Password must meet complexity requirements = Disabled
- Account lockout policy:
  - Account lockout duration = 10 minutes
  - Account lockout threshold = 5 invalid logon attempts
  - Reset account lockout counter after = 10 minutes
After July 1, 2007, passwords for domain accounts have the following characteristics:
- Maximum password age = 90 days
- Minimum password age = 14 days
- Minimum password length = 8 characters
- Enforce password history = 4 passwords remembered
- Password must meet complexity requirements = Enabled. A password must:
  - Not contain significant portions of the user's account name or full name
  - Be at least six characters in length
  - Contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)
- Account lockout policy:
  - Account lockout duration = 30 minutes
  - Account lockout threshold = 3 invalid logon attempts
  - Reset account lockout counter after = 30 minutes
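As an added example (not part of this policy and not the MRI IT Group's own script), the following Python turns the post-July-2007 password characteristics into a checker: one function reports which complexity rules a candidate password violates, and another computes which accounts fall inside the 14-day reminder window given the 90-day maximum password age. The reading of "non-alphabetic characters" as characters that are neither letters nor digits, the reading of "significant portion" of a name as the whole account name or any word of the full name three or more characters long, the function names, and the sample account names and dates are all assumptions made for this example.

```python
from datetime import date, timedelta
import re

# Policy parameters as stated for domain accounts after July 1, 2007.
MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90
REMINDER_WINDOW_DAYS = 14
# Assumption: a "significant portion" of the full name is any word of 3+ characters.
NAME_FRAGMENT_LEN = 3


def _name_fragments(full_name):
    """Words of the full name long enough to count as a significant portion (assumed rule)."""
    return {t.lower() for t in re.split(r"[\s,.\-]+", full_name) if len(t) >= NAME_FRAGMENT_LEN}


def complexity_failures(password, username, full_name=""):
    """Return the list of rules the password violates; an empty list means it is compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    if username and username.lower() in lowered:
        failures.append("contains the account name")
    for frag in sorted(_name_fragments(full_name)):
        if frag in lowered:
            failures.append("contains part of the full name (%r)" % frag)
    categories = {
        "uppercase": any("A" <= c <= "Z" for c in password),
        "lowercase": any("a" <= c <= "z" for c in password),
        "digit": any("0" <= c <= "9" for c in password),
        # Assumed meaning of "non-alphabetic": neither a letter nor a digit.
        "symbol": any(not c.isalnum() for c in password),
    }
    if sum(categories.values()) < 3:
        failures.append("uses fewer than three of the four character categories")
    return failures


def days_until_expiry(last_set, today):
    """Days remaining before a password set on `last_set` reaches the maximum age."""
    return (last_set + timedelta(days=MAX_PASSWORD_AGE_DAYS) - today).days


def accounts_to_remind(accounts, today):
    """accounts: iterable of (username, date_password_last_set).

    Returns (username, days_remaining) for passwords expiring within the reminder
    window. Already-expired passwords are not listed: the policy forces a change
    at the next logon for those.
    """
    due = []
    for username, last_set in accounts:
        remaining = days_until_expiry(last_set, today)
        if 0 <= remaining <= REMINDER_WINDOW_DAYS:
            due.append((username, remaining))
    return due


# Constructed sample data (not real accounts): who gets a reminder on 2007-09-01?
SAMPLE_ACCOUNTS = [
    ("abc123", date(2007, 6, 10)),  # expires 2007-09-08 -> 7 days left, remind
    ("def456", date(2007, 8, 20)),  # expires 2007-11-18 -> outside the window
    ("ghi789", date(2007, 5, 1)),   # expired 2007-07-30 -> handled at logon
]


def demo_reminders():
    return accounts_to_remind(SAMPLE_ACCOUNTS, date(2007, 9, 1))


if __name__ == "__main__":
    for pw in ("Winter2007!", "xyz123abc", "Short1!"):
        print(pw, "->", complexity_failures(pw, "xyz123", "Pat Example") or "compliant")
    print("reminders due:", demo_reminders())
```

The checker is written to return every violated rule rather than stopping at the first one, which is what a help-desk message or a self-service password page needs; the reminder function mirrors the morning scan described under Passwords.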
Users are reminded of an upcoming password change at logon once the password is within 14 days of expiring. In addition, a custom script scans domain accounts every morning and sends an e-mail reminder to those users whose passwords will expire within 14 days.
Per University policies, passwords are not to be shared among users. A distinct advantage of the MRI Windows Domain is that users can grant access to other users without the need to share passwords. In this manner, users are able to give other users the access they require without violating the University's password policy. Other University policies cover access to and the use of Institutional Data and the privacy of files; it is the responsibility of the user granting access to ensure that the granted access does not violate University policies.
Account Closing/Auditing
Users are required to inform MRI IT Staff when leaving MRI or Penn State. MRI IT Staff will work with the user to agree upon a date on which the user's domain account is disabled and deleted from the domain.
On a monthly basis, MRI IT Staff will audit the user accounts within the domain, disabling and deleting those accounts that no longer have a matching record in the Penn State LDAP directory.
Definitions
- Account: An account is the combination of a username and password for a distinct user.
- Username: The public portion of a user's account. MRI Windows Domain usernames are identical to a user's Penn State Access Account, taking the form xyz123.
- Password: The private portion of a user's account known only to the user.
- Maximum password age: The maximum number of days for which a password is valid. Once this period has elapsed, the user must change the password at the next logon.
- Minimum password age: The minimum number of days until a password can be changed. This setting is used to prevent users from quick-cycling passwords.
- Minimum password length: The minimum number of characters acceptable for a password.
- Enforce password history: The number of previous passwords stored. This setting ensures that new passwords are selected each time passwords are changed.
- Account lockout duration: The amount of time for which an account is locked out when the lockout threshold is exceeded.
- Account lockout threshold: The number of attempts to enter the correct password before the account is locked out of the system. This setting is used to decrease the success rates of brute-force style account cracking techniques.
- Reset account lockout counter after: The amount of time after which the account lockout counter is reset. Used in conjunction with the account lockout duration.
Cross Reference

