Username/Password Security Policies

Update on Username / Password Policies
August 2020 and beyond

Thank you for reading. First of all, we must assure our customers that this bulletin is not a warning of any kind and not a notice of any compromised data. Instead, this is a proactive policy change to counter the growing number of malware attacks gaining a foothold in the industry, as they relate to your personally managed hosting or virtual server accounts. We already take the necessary precautions at the hardware and software level on our shared server platform, and we maintain the data centers where the equipment is housed to ensure they also follow industry best practices. What follows is the procedure we have implemented to eliminate some of the default out-of-the-box behavior in both Windows and Linux that may easily be exploited if left unchanged.

  • Both Windows and Linux ship with a built-in default account that has complete access to the entire server instance. Under Linux the username is root; under Windows it is Administrator. Prior to this new policy, we had simply encouraged (and set for our users) long, complex passwords while keeping the username unchanged.
     
  • Effective immediately, when deploying a new server instance we disable the default root or Administrator account on the respective operating system and create a randomized account name, based on part of your e-mail address, that gives you root or administrative access. We also create one additional account per server that provides access to the machine but does NOT allow root or administrative tasks to be performed.
     
  • EXISTING CUSTOMERS can contact us to have this new username/password structure applied to their machines if they need assistance with it. However, as an administrative or root user of your server, you may implement this policy yourself if you possess the technical know-how, or at least understand the reason for these changes but have not yet implemented them.
     
  • What we will encourage going forward is that the user/manager of the virtual server use the non-administrator (standard user) account for daily use and elevate only when necessary to perform administrative tasks. Windows will prompt automatically for operations that require elevation, asking for the (now new) administrator password, while Linux will simply block the task until it is started again using the "super user" command with the correct root username and password supplied.
     
  • Whenever possible we will also randomize the access port that SSH (Linux) and Remote Desktop (Windows) listen on. We realize that this may require some changes to your own infrastructure or access clients, and we will work with you to the best of our ability to support this.
     
  • Passwords on the administrator or root accounts will be set to expire every 60 days by default. While you can change this policy, we ask that you keep it in place as an extra level of protection in case your passwords are somehow compromised and leaked. Non-administrator (non-root) accounts will have a password that never expires as long as the server remains active.
     
  • This new policy means that we, as support staff, will not be able to check your server at the software level unless explicitly given permission to do so. We can still perform remote reboots and reinstallations to recover a non-working system, after which this new username/password policy will be enforced.
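The Linux side of the steps above, written as an added example for customers applying the policy themselves; this is not the provider's own tooling. The naming scheme (e-mail local part plus a random suffix), the use of the sudo group, the port range and the extra PermitRootLogin setting are assumptions.

```shell
#!/bin/sh
# Added example, not the provider's own tooling: plans the Linux side of the
# policy (randomized admin name from the e-mail local part, a standard account,
# locked root, 60-day admin password expiry, non-default SSH port).
# The naming scheme, the "sudo" group and the port range are assumptions.
set -eu

# Build an admin username from the local part of an e-mail address plus a
# random 4-hex-digit suffix, e.g. janesmith-4f2a (non-alphanumerics dropped).
derive_username() {
    local_part=$(printf '%s' "$1" | cut -d@ -f1 | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    suffix=$(od -An -N2 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s-%s' "${local_part:-user}" "$suffix"
}

# Pick an unprivileged SSH listening port in the range 1024..65023.
random_port() {
    printf '%d' $(( 1024 + $(od -An -N2 -tu2 /dev/urandom) % 64000 ))
}

# Print the commands that apply the policy for ADMIN, STANDARD and PORT.
# Nothing is executed here: review the plan, then run it as root.
plan_policy() {
    admin=$1; standard=$2; port=$3
    cat <<EOF
useradd -m -s /bin/bash -G sudo $admin
useradd -m -s /bin/bash $standard
chage -M 60 $admin
chage -M -1 $standard
passwd -l root
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#*Port .*/Port $port/' /etc/ssh/sshd_config
sshd -t
EOF
}

# Usage (as root; set passwords for both accounts afterwards):
#   a=$(derive_username you@example.com)
#   plan_policy "$a" "${a}-std" "$(random_port)" | sh
```

After `sshd -t` reports a valid configuration, restart the SSH service and confirm the new port and admin login from a second session before closing the current one.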

 

If you have any questions concerning this or other security policy issues, please contact us. We remain available to answer your questions, and guarantee a response in 8-12 hours or less.