Re: password expiration policy for admin and system accounts ?
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/22/05
- Next message: Roger Abell [MVP]: "Re: Security policy / ACL"
- Previous message: S. Pidgorny: "Re: IAS & Fully-Qualified-User-Name"
- In reply to: Brad Baker: "Re: password expiration policy for admin and system accounts ?"
- Next in thread: Joe Richards [MVP]: "Re: password expiration policy for admin and system accounts ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Oct 2005 22:45:21 -0700
Poorly written apps (I guess I cannot say third-party apps in light of
your experiences with the older version of Exchange) are one, but
not the only, pain point. Changing the creds used for scheduled tasks,
when done, is either a painful visit-each-machine affair or an unsafe
let-the-new-creds-fly-on-the-wire affair. Neither is really workable as
a frequent activity.
However, I believe both should occasionally be done, not just as
preventative, but as insurance that it can be done (as in, when
reacting to a compromise of such an account). Any shop really does
need to know exactly where all such exposures are, in a doc
kept as carefully as the other goodies for the kingdom.
Moving most services to running as Network Service or Local Service
where this can be done helps reduce the number of custom accounts
used as service accounts. And finally, using long, strong strings as
the passcodes helps pad the cushion.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Brad Baker" <brad@nospam.nospam> wrote in message
news:erJLisn1FHA.2704@TK2MSFTNGP10.phx.gbl...
> We face a similar problem. We would like to change several of our
> administrative passwords but are concerned about the problems that will be
> created as a result. We have legacy applications as well as services and
> scheduled tasks that use various administrative accounts. Changing the
> passwords on the accounts that run those applications/services/tasks would
> likely result in dozens of services, tasks and programs not working.
>
> Even if we managed to go through and find every place to update the
> password throughout our infrastructure there is some concern that some of
> the updates may not take effect. For instance, during the installation of
> our old Exchange server, the wrong password was specified for an
> administrative account which starts several key Exchange services.
> Updating the password in the services applet did not fix this problem.
> Thus every time the Exchange server was rebooted several Exchange services
> would not automatically start until an admin re-entered the password and
> manually started up the services. If this happened to other applications
> because of a password change, it would be a nightmare.
>
> Thankfully our admin passwords are quite complex but it is disconcerting
> that we do not feel confident that changing them would not cause major
> disruption. I'd also welcome feedback from anyone who has done this in an
> enterprise environment (i.e. 30+ servers running many different server
> applications such as SQL, IIS, Exchange, backup software, legacy apps etc.)
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:uvO65Wd1FHA.1564@tk2msftngp13.phx.gbl...
>> Hell I would and do object as well.
>>
>> http://blog.joeware.net/2005/05/08/10/
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>> JJ wrote:
>>> Our auditors are objecting to our having Domain Administrator and domain
>>> system accounts with passwords that never expire.
>>>
>>> Yes, we change some of these passwords from time to time, but they're
>>> normally set to never expire.
>>>
>>> We are wondering about how other companies do it, since we've never
>>> heard of any IT Dept. that had such a policy, and we think the auditors are being
>>> unreasonable -- forcing password expiration on such accounts could be a
>>> logistical nightmare as it would cause critical services to stop
>>> running.
>>>
>>> We're not that big, but we do have about 30 servers and 200 users to
>>> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>>> resource servers.
>>>
>>> Please post your experiences and opinions.
>>>
>>> Thanks.
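The part of Roger's advice that can be scripted is the "doc kept as carefully as the other goodies for the kingdom": before rotating any service-account password you want a list of every service and scheduled task on every server that runs under a custom account, grouped by account so the blast radius of each change is visible. The PowerShell below is an added example for that inventory, not code from the original post or any of its authors. It assumes you run it as an account with admin rights on each server, that WMI/RPC is reachable (swap Get-CimInstance for Get-WmiObject on DCOM-only hosts), that schtasks is on an English locale (the "Run As User" column name is locale dependent), and that the server names are constructed placeholders.

```powershell
# Added example (not from the original post): inventory where custom accounts
# are used as service logons and scheduled-task credentials across servers,
# so a password change is planned rather than discovered as an outage.
# Assumptions: admin rights on each host, WMI/RPC reachable, English-locale
# schtasks output. Server names below are constructed placeholders.

$servers = 'DC01', 'EXCH01', 'SQL01'   # constructed sample list; replace with yours

# Built-in and virtual principals: no password to rotate, so they are excluded.
$builtin = @(
    'LocalSystem', 'SYSTEM', 'INTERACTIVE',
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function Test-CustomAccount([string]$name) {
    # True only for a real user account whose password an admin must change.
    if ([string]::IsNullOrWhiteSpace($name)) { return $false }
    if ($builtin -contains $name) { return $false }
    if ($name -like 'NT SERVICE\*' -or $name -like 'NT AUTHORITY\*') { return $false }
    if ($name.EndsWith('$')) { return $false }   # computer or (g)MSA account, self-managed
    return $true
}

$findings = foreach ($s in $servers) {
    # Services: Win32_Service.StartName is the logon account stored in the SCM.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { Test-CustomAccount $_.StartName } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $s
                    Type    = 'Service'
                    Name    = $_.Name
                    Account = $_.StartName
                    State   = $_.State
                }
            }
    } catch { Write-Warning "$s services: $_" }

    # Scheduled tasks: schtasks.exe works against hosts too old for Get-ScheduledTask.
    # Older versions repeat the CSV header per task, so drop those pseudo-rows.
    try {
        schtasks /query /s $s /v /fo csv 2>$null |
            ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and (Test-CustomAccount $_.'Run As User') } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $s
                    Type    = 'Task'
                    Name    = $_.TaskName
                    Account = $_.'Run As User'
                    State   = $_.Status
                }
            }
    } catch { Write-Warning "$s tasks: $_" }
}

# Report grouped by account: each group is the set of things that break if
# that one password is changed without updating every consumer.
$findings | Sort-Object Account, Server, Name | Group-Object Account | ForEach-Object {
    "`n== $($_.Name) ($($_.Count) uses) =="
    $_.Group | Format-Table Server, Type, Name, State -AutoSize | Out-String
}

# Keep the raw inventory as the document the post recommends, and protect the
# file with the same care as the credentials it describes.
$findings | Export-Csv -Path .\service-account-inventory.csv -NoTypeInformation
```

Run the inventory again after a rotation: any service or task that still shows the old account but fails to start is exactly the "password in the services applet did not take" case Brad describes, and the list tells you which hosts need a visit.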