Re: password expiration policy for admin and system accounts ?

From: Herb Martin (news_at_LearnQuick.com)
Date: 10/20/05

Date: Thu, 20 Oct 2005 12:51:38 -0500

"JJ" <johnny@tamtam.com> wrote in message
news:cQN5f.9164$nk2.2165@trnddc07...
> Thank you for your reply.
>
> I would agree about the admin account, but what about system/service
> accounts used by different systems ?
>

System/service accounts SHOULD be marked as
never expiring BUT they should also have passwords
that "no one can remember".

My rule: If I can remember the service password for
longer than a couple of minutes it is WAY too easy.

These should be upwards of 16-20 characters and follow
multiple rules for complexity/randomness.

It is one of the cases where I actually build them in a
notepad and then paste them into the several places they
are required (define the password, tell the service about it,
etc.)

-- 
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eSdMWmQ1FHA.3376@TK2MSFTNGP14.phx.gbl...
>> "JJ" <johnny@tamtam.com> wrote in message
>> news:pNz5f.9585$oy3.4278@trnddc04...
> > Our auditors are objecting to our having Domain Administrator and domain
>> > system accounts with passwords that never expire.
>>
>> A generally legitimate objection.
>>
>> > Yes, we change some of these passwords from time to time, but they're
>> > normally set to never expire.
>>
>> And why should Admins with far more privileged and therefore
>> DANGEROUS accounts be allowed practices less safe and more
>> lazy than ordinary users?
>>
> > We are wondering about how other companies do it, since we've never heard
>> > of any IT Dept. that had such a policy, and we think the auditors are
>> > being unreasonable -- forcing password expiration on such accounts could
>> > be a logistical nightmare as it would cause critical services to stop
>> > running.
>>
>> No, they are being reasonable.
>>
> Perhaps your issue is that you are using the same Admin
>> account for many admins?
>>
>> Each admin should have a separate account for admin
>> purposes (so that auditing is specific.)
>>
>> > We're not that big, but we do have about 30 servers and 200 users to
>> > support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>> > resource servers.
>> >
>> > Please post your experiences and opinions.
>>
>> Do it correctly and safely, and thank the auditors for encouraging
>> safe practices.
>>
>> -- 
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
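As an added example (not from the original thread), a Python generator for the long, random service-account passwords Herb describes, plus a check that enforces the length and complexity rules before the value is pasted into the service configuration; the four character classes, the symbol set and the 16-character minimum are assumptions, not something the thread specifies.

```python
import secrets
import string
from random import SystemRandom

# Character classes every generated password must draw from (assumption:
# the four classes behind the usual Windows "complexity" requirement).
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!#$%&*+-=?@^_",  # symbols that paste cleanly into most service dialogs
)
MIN_LENGTH = 16  # assumed floor; the thread suggests "upwards of 16-20"


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and uses every character class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_service_password(length: int = 20) -> str:
    """Build a random service-account password that satisfies meets_policy().

    One character is drawn from each class first so no class can be missing,
    the remainder comes from the full alphabet, and the result is shuffled
    with the OS CSPRNG so the guaranteed characters sit at random positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"service passwords must be at least {MIN_LENGTH} characters")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert meets_policy(password)  # construction guarantees this
    return password


if __name__ == "__main__":
    # Print once, paste into the account and the service, then discard.
    print(generate_service_password())
```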