Re: password expiration policy for admin and system accounts ?

From: Herb Martin (news_at_LearnQuick.com)
Date: 10/20/05


Date: Thu, 20 Oct 2005 12:51:38 -0500


"JJ" <johnny@tamtam.com> wrote in message
news:cQN5f.9164$nk2.2165@trnddc07...
> Thank you for your reply.
>
> I would agree about the admin account, but what about system/service
> accounts used by different systems ?
>

System/service accounts SHOULD be marked as
never expiring BUT they should also have passwords
that "no one can remember".

My rule: If I can remember the service password for
longer than a couple of minutes it is WAY too easy.

These should be upwards of 16-20 characters and follow
multiple rules for complexity/randomness.

It is one of the cases where I actually build them in a
notepad and then paste them into the several places they
are required (define the password, tell the service about it,
etc.)

-- 
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eSdMWmQ1FHA.3376@TK2MSFTNGP14.phx.gbl...
>> "JJ" <johnny@tamtam.com> wrote in message
>> news:pNz5f.9585$oy3.4278@trnddc04...
>> > Our auditors are objecting to our having Domain Administrator and
>> > domain system accounts with passwords that never expire.
>>
>> A generally legitimate objection.
>>
>> > Yes, we change some of these passwords from time to time, but they're
>> > normally set to never expire.
>>
>> And why should Admins with far more privileged and therefore
>> DANGEROUS accounts be allowed practices less safe and more
>> lazy than ordinary users?
>>
>> > We are wondering about how other companies do it, since we've never
>> > heard of any IT Dept. that had such a policy, and we think the auditors
>> > are being unreasonable -- forcing password expiration on such accounts
>> > could be a logistical nightmare as it would cause critical services to
>> > stop running.
>>
>> No, they are being reasonable.
>>
>> Perhaps your issue is that you are using the same Admin
>> account for many admins?
>>
>> Each admin should have a separate account for admin
>> purposes (so that auditing is specific.)
>>
>> > We're not that big, but we do have about 30 servers and 200 users to
>> > support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>> > resource servers.
>> >
>> > Please post your experiences and opinions.
>>
>> Do it correctly and safely, and thank the auditors for encouraging
>> safe practices.
>>
>> -- 
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>>
>>
>
> 
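A generator for the kind of service-account password described in the reply above (16-20 characters, several complexity rules, nothing a person would remember), added here as an example; it is not code from Herb or from the thread. The four character classes, the "no three identical characters in a row" rule and the function names are my assumptions.

```python
import math
import secrets
import string

# Constructed policy (assumption, not from the thread): a password must draw
# from all four classes below and be 16-20 characters long.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password: str, min_len: int = 16, max_len: int = 20) -> bool:
    """Check length, presence of every class, allowed alphabet, and that no
    character is repeated three times in a row (assumed rule)."""
    if not (min_len <= len(password) <= max_len):
        return False
    if any(c not in ALPHABET for c in password):
        return False
    for chars in CLASSES.values():
        if not any(c in chars for c in password):
            return False
    return all(password[i] != password[i + 1] or password[i] != password[i + 2]
               for i in range(len(password) - 2))


def generate_service_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets), guarantee one character per class,
    then shuffle with a CSPRNG-backed shuffle so class positions are not fixed."""
    if not 16 <= length <= 20:
        raise ValueError("service-account passwords should be 16-20 characters")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    pw = "".join(chars)
    # Rare: a run of three identical characters; just draw again.
    return pw if meets_policy(pw) else generate_service_password(length)


def entropy_bits(length: int) -> float:
    """Approximate entropy of a uniform draw of `length` characters over the
    alphabet (ignores the small reduction from the per-class guarantee)."""
    return length * math.log2(len(ALPHABET))
```

Paste the output into the account definition and the service configuration, as the reply describes, and keep the generator's output out of any log.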