Below are some some additional access control strategies that are commonly in use.
- Limit access to networked systems by IP. Example would be if you have a database server online, does all of the internet have a need to access that system? Or does really only your webserver(s) need access to it?
- In the case you don’t limit access by IP, you should at least have a system to block brute force attacks. If you have a system online and don’t restrict access after x attempts, then an attacker can spend an unlimited amount of time trying to break into your system by brute force guessing an account.
- Log out of the system when you are done and don’t just close the browser window. If an attacker had access to your machine for whatever reason, they would be able to instantly gain access to those same systems without even knowing your password because you were still logged into it!