Good luck. The configuration of user accounts intended for use in managing automated tasks introduces some interesting security flaws, particularly from the point of view of penetration testing. If he moves to a job elsewhere in the company and no longer has a requirement for access to payroll data, you can take him off the ACL or disable his app account. With any luck, you could have the ‘guest’ users run the batch file themselves after they log on and get you out of the daily hassle. I appreciate any commentary on this subject, and yes, I’ve used the search feature on the forum already. I will leave this open for security misc and OS individuals for comments as it applies to both AD accounts and certain applications. Without hearing directly from the individual that is reluctant to create the accounts, I do not understand the hesitancy. I don’t see how having a generic user account is a security hole on a network and how it violates SOX. When IT teams fail to properly manage these accounts, it leads to significant cyber security risk. Guidelines for using generic/role accounts. Move to individual rather than generic accounts. Users should submit a TS Job Request when requesting a generic network account for your area. b) Create a script or batch file that could copy the necessary file(s) automatically. Generic accounts increase the risk associated with accountability. Local generic accounts are permitted. 1.3.2 For shared or generic accounts a process must be deployed and documented to detail Sometimes the particular online tool leaves no other option. Access to generic user accounts. Like a lot of other application software, SAP comes with a number of generic accounts. A local generic account is created on the workstation itself. You can see how much of a nightmare this is going to be to set up everything whenever a user logs into the PC.
I could see potential operational control issues if the generic access allowed a competitor to walk in and read confidential information. There are no detailed specifics on a situation like this, as SOX 404 is written at a high level and requires internal regulation by the company (with verification of SOX compliance by external auditing firms). I believe this might be ‘better security practice’ as it establishes individualized accountability and might allow users better individual D-and-S profile controls and customizations. As network security depends on personal accountability and generic network accounts do not provide this, generic network accounts are forbidden. These generic accounts are set up with Domain Guest privileges in Active Directory, and as such, whenever they log out all changes made to the profile are immediately deleted from the hard drive; this is a feature of ‘Domain Guests’ and you can read about it on Microsoft.com. for the accounts; the owner must ensure that all users abide by the UCL Computing Regulations. Do you already have controls over who enters the warehouse and would even have access to the terminals? However, COBIT 4 helps provide some SOX IT compliance guidelines, and could be researched as a possibility. The solution, according to Microsoft, is to add the users to the ‘Domain Users’ security group in Active Directory. While I see no major issues with what’s being proposed, below are some ideas that may or may not be feasible for your environment: As I see it, if the purpose of the generic names is just to allow read-only access, then I do not see a SOX issue as data cannot be changed.
In my opinion (with my network administrator hat on), the best practice would be to give all individuals their own logon and password. Still, this may not be feasible if there are numerous people, application software compatibility issues, or the environment is too dynamic to implement these controls, etc. Discover and profile to give greater control. Here are two that may or may not be of value: Service accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. Evaluate moving to non-password security control systems, like biometrics, smart cards, or two-factor authentication. It might be worthwhile to ‘walk this through’ with either Internal Audit or your external IT auditors to get their input, alternatives, or blessings. Often, these accounts will have the same password across the platform or organizations. Without reading the entire SOX manual I’d like to pose the following and maybe assist in directing me to a solution: The user is only granted access to what they need; for everything else they will get ‘Access Denied’, so from an auditing point of view our inherent security should be good enough. If you have a low-privilege account where all they can do is “read”, aka view files or records in an application or on a file system – where is the risk in allowing them a generic … If you wish to use a role account for email collaboration, you should use a shared mailbox. and current employee has a network account. However, if he shares an account with other users, unless you disable the team account (which may cause issues as others who use that account do have a genuine need for access still), then he could still gain access via that account, unless the password is changed.
1.3.1 Shared or generic accounts are not permitted unless a valid academic or business justification has been assessed and approved via the risk management process. In a business situation under Sarbox (I work at a private company not subject to Sarbox) it would make sense to me that all users have their own logons (i.e. no shared logons). Some of these are discussed below. It will also affect the transparency and audit trail that corresponds with the account. At that size and scale, service accounts become too numerous to be managed manually, leaving them vulnerable to compromise and exploitation. Everything your solution provider does should be about reducing the interfaces and administration required. Remember, it’s more than just user passwords. We use a very old piece of software for viewing drawings which needs to have certain files created in the profile directory (e.g. C:\Documents and Settings\User1\Special Directory\Special File.file); this application will not function without the presence of this special file in a particular folder within the user's profile.