The Privilege Policy
On most metering systems, if not all, several user accounts are configured. Each account is assigned a level of privilege so that a logged-on user can perform only the functions appropriate to them.
Within the various metering systems supplied by Swinton Technology, user accounts are divided into four privilege groups: Operator, Engineer, Technician and Admin. Each account is granted only the permissions the user needs to carry out the tasks relevant to their role, an approach known as the ‘principle of least privilege’. This ensures that users cannot perform tasks and functions beyond their job requirements. The ‘admin’ account is generally the most important account on a system: it holds the highest level of privilege and can usually perform any task on the system.
Using individual user accounts and privileges is an excellent way of maintaining traceability on a system and keeping track of user activity. If an incorrect action has been performed on the system, you will be able to see which user performed it.
Applying the least privilege policy across user accounts prevents users from inadvertently performing tasks that they are not authorised or competent to perform. It should be a priority to ensure that access to these accounts is restricted to authorised personnel only. If an unauthorised user gains access to an ‘admin’ account, the system, its data, personnel and the environment are all exposed to significant risk.
How can these risks be prevented?
Following the steps below will greatly reduce threats to your system:
- Perform periodic audits of user accounts to ensure no rogue accounts have access to the system.
- Ensure old or unused accounts are disabled or removed from the system completely.
- Enforce a strong password policy on user accounts, requiring a mix of upper- and lowercase letters, digits and symbols.
- Grant user accounts only the lowest level of privilege required for them to perform their functions (least privilege).
- Automatically log out user accounts after a period of inactivity.
- Remove user accounts from the local administrator group.
- Enforce User Account Control (UAC).
- Ensure default passwords and configurations are changed.
- Provide staff with user awareness training to educate them on potential cybersecurity threats.
- Create cybersecurity policies for operators and engineers to follow.
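As an added illustration (not Swinton Technology's code or part of any metering product), the following PowerShell script performs a read-only check of a Windows host against several of the points above: the periodic account audit, unused accounts, default accounts, membership of the local Administrators group and whether UAC is in force. The $ApprovedAdmins list and the 90-day staleness threshold are assumptions to be set per site.

```powershell
# Added example (not Swinton Technology's own code): a read-only audit of local
# Windows accounts against the checklist above. It flags enabled accounts with no
# logon in the last $StaleDays days, accounts that need no password, the built-in
# Administrator account still enabled, unexpected members of the local
# Administrators group, and UAC switched off. Run from an elevated prompt; nothing is modified.
param(
    [int]$StaleDays = 90,
    # Assumption: site-specific list of accounts approved to hold local admin rights.
    [string[]]$ApprovedAdmins = @('Administrator')
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Subject, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
}
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Periodic account audit: stale, never-used, passwordless and default accounts.
foreach ($u in Get-LocalUser) {
    if (-not $u.Enabled) { continue }
    if ($null -eq $u.LastLogon) {
        Add-Finding 'Enabled but never logged on' $u.Name 'consider disabling'
    } elseif ($u.LastLogon -lt $cutoff) {
        Add-Finding "No logon in $StaleDays days" $u.Name "last logon $($u.LastLogon)"
    }
    if (-not $u.PasswordRequired) { Add-Finding 'Password not required' $u.Name 'blank password permitted' }
    # The built-in Administrator account has the well-known RID 500; leaving the
    # default account enabled is a default configuration that should be changed.
    if ($u.SID.Value -like '*-500') { Add-Finding 'Built-in Administrator enabled' $u.Name 'rename or disable' }
}

# Local Administrators group (well-known SID S-1-5-32-544): members outside the approved list.
foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $short = ($m.Name -split '\\')[-1]
    if ($ApprovedAdmins -notcontains $short) {
        Add-Finding 'Unexpected local administrator' $m.Name "$($m.ObjectClass) from $($m.PrincipalSource)"
    }
}

# UAC: the EnableLUA policy value must be 1 for User Account Control to be in force.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -ne 1) { Add-Finding 'UAC disabled' 'EnableLUA' "value is '$lua'" }

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | Format-Table -AutoSize }
exit $findings.Count   # non-zero when something needs attention, useful for scheduled runs
```

Scheduling the script and reviewing its output is one practical form of the periodic audit recommended above; each finding maps back to one of the listed steps.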
For help with implementation or useful recommendations for your system, get in touch with our support team at support@swintontechnology.com