Re: password expiration policy for admin and system accounts ?
From: Herb Martin (news_at_LearnQuick.com)
Date: Thu, 20 Oct 2005 12:51:38 -0500
"JJ" <firstname.lastname@example.org> wrote in message
> Thank you for your reply.
> I would agree about the admin account, but what about system/service
> accounts used by different systems ?
System/service accounts SHOULD be marked as
never expiring BUT they should also have passwords
that "no one can remember".
My rule: If I can remember the service password for
longer than a couple of minutes it is WAY too easy.
These should be upwards of 16-20 characters and follow
multiple rules for complexity/randomness.
It is one of the cases where I actually build them in a
notepad and then paste them into the several places they
are required (define the password, tell the service about it,
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eSdMWmQ1FHA.3376@TK2MSFTNGP14.phx.gbl...
>> "JJ" <email@example.com> wrote in message
>> news:pNz5f.9585$oy3.4278@trnddc04...
>> > Our auditors are objecting to our having Domain Administrator and
>> > domain system accounts with passwords that never expire.
>>
>> A generally legitimate objection.
>>
>> > Yes, we change some of these passwords from time to time, but they're
>> > normally set to never expire.
>>
>> And why should Admins with far more privileged and therefore
>> DANGEROUS accounts be allowed practices less safe and more
>> lazy than ordinary users?
>>
>> > We are wondering about how other companies do it, since we've never
>> > heard of any IT Dept. that had such a policy, and we think the
>> > auditors are being unreasonable -- forcing password expiration on
>> > such accounts could be a logistical nightmare as it would cause
>> > critical services to stop running.
>>
>> No, they are being reasonable.
>>
>> Perhaps your issue is that you are using the same Admin
>> account for many admins?
>>
>> Each admin should have a separate account for admin
>> purposes (so that auditing is specific.)
>>
>> > We're not that big, but we do have about 30 servers and 200 users to
>> > support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>> > resource servers.
>> >
>> > Please post your experiences and opinions.
>>
>> Do it correctly and safely, and thank the auditors for encouraging
>> safe practices.
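One way to build the kind of service-account password Herb describes (long, drawn from a CSPRNG, satisfying several complexity classes at once) plus a check that a candidate actually meets the rule. This is an added example, not code from the thread; the four character classes, the 20-character minimum and the symbol set are assumptions chosen to match his "16-20 characters, multiple complexity rules" guidance.

```python
import math
import secrets
import string

# Assumed policy: one character from each of these classes is required.
# The symbol set leaves out quote, backslash and space, which some
# service configuration files and command lines mishandle.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())  # 90 distinct characters


def meets_policy(password: str, min_length: int = 20) -> bool:
    """True if the password is at least min_length characters, uses only
    ALPHABET, and contains at least one character from every class."""
    if len(password) < min_length:
        return False
    if any(c not in ALPHABET for c in password):
        return False
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_service_password(length: int = 24) -> str:
    """Draw a uniformly random string from ALPHABET with the OS CSPRNG and
    redraw until every class is present. Rejection sampling keeps the
    result uniform over all policy-compliant strings, which the common
    'pick one of each class, then shuffle' approach does not."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniform draw: length * log2(alphabet size).
    24 characters from 90 symbols is roughly 156 bits, far beyond what
    anyone memorises, which is the point of Herb's rule."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_service_password(24)
    print(pw, "policy ok:", meets_policy(pw), f"~{entropy_bits(24):.0f} bits")
```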