S 4.17 Blocking and erasure of unneeded accounts and terminals

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Accounts which are not used for an extended period of time should be blocked and subsequently deleted. If any files which can no longer be assigned to an existing user entry remain after accounts have been deleted, there is a risk that these files could later be incorrectly assigned to configured users.

When a user is removed under Unix, the relevant entries in /etc/passwd and /etc/group and the home directory of the user have to be deleted. Care should also be taken to ensure that any other entries for the user in files such as /etc/hosts, /etc/shadow, etc. are deleted. Before this is done, the data in the home directory should be backed up. The user concerned should be informed when the account is blocked and, in any case, before it is deleted. When deleting an account, care must also be taken to locate any files of the user which are not contained in their home directory; this can be done, for example, using the program find with the option -uid. Such files must be deleted or assigned to other users. Care must also be taken to terminate any processes still running under the user ID and to remove any jobs still to be processed, e.g. in crontab under Unix.
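As an added example (not part of the safeguard text), a POSIX shell audit that collects, for one account, the items the paragraph above says must be located before deletion: files outside the home directory found with find -uid, files left without an owner found with find -nouser, running processes, and cron/at jobs. It assumes a local /etc/passwd entry for the user and the non-POSIX crontab -u option of Vixie-style cron.

```shell
#!/bin/sh
# Pre-deletion audit for a Unix account (added example for S 4.17).
# Usage: account_audit USER [SEARCH_ROOT]

# List files below ROOT owned by numeric UID that lie outside HOME.
files_outside_home() {   # files_outside_home UID HOME ROOT
    find "$3" -xdev -uid "$1" ! -path "$2" ! -path "$2/*" 2>/dev/null
}

# List files below ROOT whose owner no longer exists in /etc/passwd,
# i.e. the orphaned files that could later be assigned to a new user.
orphaned_files() {       # orphaned_files ROOT
    find "$1" -xdev -nouser 2>/dev/null
}

# List processes still running under UID; they must be terminated first.
running_processes() {    # running_processes UID
    ps -o pid= -o comm= -u "$1" 2>/dev/null || :
}

# Show the user's crontab and pending at jobs, if those tools exist.
# crontab -u (Vixie cron) needs root; failures are reported, not fatal.
scheduled_jobs() {       # scheduled_jobs USER
    if command -v crontab >/dev/null 2>&1; then
        crontab -l -u "$1" 2>/dev/null || echo "(no crontab readable for $1)"
    fi
    if command -v atq >/dev/null 2>&1; then
        atq 2>/dev/null | grep -w "$1" || :
    fi
}

account_audit() {        # account_audit USER [ROOT]
    user="$1"; root="${2:-/}"
    entry=$(grep "^$user:" /etc/passwd) || { echo "no such user: $user" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    echo "== files of $user (uid $uid) outside $home =="; files_outside_home "$uid" "$home" "$root"
    echo "== files with no owner below $root =="; orphaned_files "$root"
    echo "== running processes =="; running_processes "$uid"
    echo "== scheduled jobs =="; scheduled_jobs "$user"
}
```

Run the audit while the account is still blocked but not yet deleted, and act on every item it lists before removing the passwd and group entries.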

Similarly, terminals that are not used for a prolonged period of time should be blocked and subsequently removed.

Under Unix, logins predefined by the system (e.g. sys, bin, adm, uucp, nuucp, daemon and lp) which are not required must be blocked by entering e.g. "LOCKED" in the corresponding password field of the file /etc/passwd.

If a newly created user only needs their account for a limited period, the account should be set up with a limited validity period.

It can be advantageous to set up all accounts for a limited time only as a rule and extend the limit at regular intervals (e.g. annually) when necessary.

If the absence of a user of a local network is foreseeable (e.g. due to vacation, illness, temporary assignment, etc.), their account on the network server should be blocked for that period so that working with their user ID is precluded during that time. Every user should inform the network administrator of extended absences.

Review questions: