5.1 Identity Management
- User Lifecycle Management:
  - a. Provision unique identifiers for all users and devices.
  - b. Deactivate user accounts after 1 year of inactivity.
  - c. Disable local administrator accounts after 90 days of inactivity.
  - d. Deactivate staging accounts (e.g., installadmin) after 7 days.
- Local Administrator Password Rotation (LAPS) (Applies to Endpoints):
  - e. Rotate the dtcadmin user password at system boot, user login, and weekly intervals.
  - f. Rotate the built-in Administrator password at system boot, user login, and weekly intervals.
- Password Policy:
  - h. Adhere to the default password policies established by each identity provider (e.g., Active Directory).
  - i. Collaborate with clients to develop customized password policies tailored to their specific security requirements and compliance obligations.
- Multi-factor Authentication (MFA) Protection:
  - j. All users must have multi-factor authentication turned on wherever the application supports it.
    - SMS is not recommended but can be used if it is the only option available.
    - One-time passcodes from apps like Microsoft Authenticator are recommended.
- Anomaly & Malicious Behavior Detection:
  - k. Review and analyze audit and event logs in order to respond to security incidents.
- Incident Response Integration:
  - l. Deploy light SIEM integration into identity environments.
  - m. Ensure continuous monitoring and analysis of identity activities to detect and respond to potential threats.
  - n. Facilitate collaboration between SIEM solutions and DTC to coordinate incident response and remediation efforts.
Technical Controls:

| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Provision unique identifiers for all users and devices. | DTC or Client Procured Identity Management Systems (e.g., Active Directory, Azure AD), Client Policy |
| b | Deactivate user accounts after 1 year of inactivity. | NinjaRMM, Microsoft Windows PowerShell, SaaS Alerts |
| c | Disable local administrator accounts after 90 days of inactivity. | NinjaRMM, Microsoft Windows PowerShell |
| d | Deactivate staging accounts (e.g., installadmin) after 7 days. | NinjaRMM, Microsoft Windows PowerShell |
| e | Rotate dtcadmin user password at system boot, user login, and weekly. | NinjaRMM, Microsoft Windows PowerShell |
| f | Rotate built-in Administrator password at system boot, user login, and weekly. | NinjaRMM, Microsoft Windows PowerShell |
| h | Adhere to default password policies of identity providers. | Configuration of identity provider settings, Regular policy reviews |
| i | Develop customized password policies with clients. | Consultation sessions, Quarterly business reviews, Policy development frameworks |
| j | All users must have multi-factor authentication turned on wherever the application supports it. | Consultation sessions, Client application choice, DTC enabled for Entra ID & Google Workspace by default |
| k | Review and analyze audit and event logs in order to respond to security incidents. | SaaS Alerts, Blumira Free Edition |
| l | Deploy light SIEM integration into identity environments. | SaaS Alerts, Blumira Free Edition |
| m | Ensure continuous monitoring and analysis of identity activities to detect and respond to potential threats. | SaaS Alerts, Blumira Free Edition, HaloPSA |
| n | Facilitate collaboration between SIEM solutions and DTC to coordinate incident response and remediation efforts. | SaaS Alerts, Blumira Free Edition, HaloPSA |
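Controls c and d list Microsoft Windows PowerShell as the method on endpoints. The script below is an added example, not DTC's own tooling: it ages every enabled local account by its last logon and disables members of the local Administrators group idle for 90 days and staging accounts idle for 7 days. The staging-name patterns, the protected account names and the thresholds are assumptions exposed as parameters; the built-in Administrator and dtcadmin are skipped on the assumption that controls e and f rotate those accounts rather than disable them.

```powershell
# Added example (not DTC's own tooling): enforce controls c and d on a Windows endpoint.
# Assumptions: staging-account name patterns, protected names and thresholds are parameters;
# the built-in Administrator (RID 500) and dtcadmin are skipped because controls e/f rotate
# those accounts rather than disabling them. Supports -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$AdminInactiveDays   = 90,                                   # control c
    [int]$StagingInactiveDays = 7,                                    # control d
    [string[]]$StagingNamePatterns = @('installadmin*', 'staging*'),  # assumption
    [string[]]$ProtectedNames      = @('dtcadmin')                    # assumption
)

$now = Get-Date
# SIDs of user principals that are direct members of the local Administrators group.
$adminSids = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.SID.Value })

$report = foreach ($user in Get-LocalUser | Where-Object { $_.Enabled }) {
    # Built-in Administrator has RID 500; it and named protected accounts are out of scope.
    if ($user.SID.Value -like '*-500' -or $ProtectedNames -contains $user.Name) { continue }

    $isStaging = @($StagingNamePatterns | Where-Object { $user.Name -like $_ }).Count -gt 0
    $isAdmin   = $adminSids -contains $user.SID.Value
    if (-not ($isStaging -or $isAdmin)) { continue }   # neither control c nor d applies

    $threshold = if ($isStaging) { $StagingInactiveDays } else { $AdminInactiveDays }

    # LastLogon is $null when the account has never signed in; Get-LocalUser exposes no
    # creation date, so such accounts are reported for review instead of being aged.
    if ($null -eq $user.LastLogon) {
        [pscustomobject]@{ Name = $user.Name; IdleDays = $null; Action = 'Review: never logged on' }
        continue
    }

    $idleDays = [int][math]::Floor(($now - $user.LastLogon).TotalDays)
    if ($idleDays -lt $threshold) { continue }

    if ($PSCmdlet.ShouldProcess($user.Name, "Disable local account (idle $idleDays d, limit $threshold d)")) {
        Disable-LocalUser -Name $user.Name
    }
    [pscustomobject]@{ Name = $user.Name; IdleDays = $idleDays; Action = 'Disabled' }
}

$report | Format-Table -AutoSize
```

Run it with -WhatIf first to see which accounts would be disabled; the emitted report can be pushed to NinjaRMM or the SIEM so that each deactivation is logged against control c or d.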