IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.15 Secure log-in
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Use should be made of a log-in program or the relevant options should be
activated so that the following measures can be taken:
- The number of unsuccessful log-in attempts is restricted.
- After each unsuccessful log-in attempt, the waiting time until the next login
prompt will increase. After a certain number of unsuccessful attempts,
the account and/or terminal will be blocked. It should be noted that the
administrator must not be locked out by this measure; his continued access
from the console must be ensured (cf. also S 1.32 Adequate siting of the
console, devices with exchangeable data media, and printers).
- When logging in, the user is informed of the time of the last successful login.
- When logging in, the user is advised of unsuccessful log-in attempts. This
information might be repeated at the time of several subsequent log-ins.
- When logging in, the user is informed of the time of the last log-out. Here,
a difference is made between log-outs to an interactive log-in and log-outs
to a non-interactive log-in (log-out of background processes).
- The additional use of one-time passwords is recommended for log-in via
networks with non-encrypted transmission of passwords (also refer to S
5.34 Use of one- time passwords).
Additional controls:
- Have the users been instructed to check the time of the last successful login
for plausibility?
- How often are unsuccessful log-in attempts reported to the user?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000