Re: password policy with regard to application userid
- From: "Ali, Saqib" <docbook.xml@xxxxxxxxx>
- Date: Thu, 31 May 2007 10:13:16 -0700
It depends on the application, and the level of privileges that the
account has and also the auditing of the account usage.
If you regularly auditing the account, and it only has a user level
privileges, then once a year password change should suffice.
One other thing to check is how the application the using the account.
As long as the application is kerberos enabled, and is NOT
transmitting the username/password on the network, then you don't need
to worry about somebody sniffing out the password.
For e.g. ADSI calls from IIS do not transmit the username/password
over the network, so using a account with more privileges to run a web
application is not an serious risk.
saqib
http://www.full-disk-encryption.net
On 31 May 2007 07:30:01 -0000, u.bodalina@xxxxxxxxx
<u.bodalina@xxxxxxxxx> wrote:
What would be a reasonable password policy with regard to userids used in applications?
For example Business Objects needs a system level userid to intergrate with active directory. What would the security implications be if this userid's password wasn't changed?
Standard users follow a policy in which they have to change their password every two months.
Thanks
--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
- References:
- password policy with regard to application userid
- From: u . bodalina
- password policy with regard to application userid
- Prev by Date: RE: CCSP Self-Study
- Next by Date: Re: Brute force attacks
- Previous by thread: password policy with regard to application userid
- Next by thread: Re: password policy with regard to application userid
- Index(es):
Relevant Pages
|
