Re: On password expiration
"Byron Hynes [MS]" <bhynes@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:50cb70803f7dc8c8252c2ec9fb94@xxxxxxxxxxxxxxxxxxxxxxx
The post was "the only way they can be closed is by manual auditing". This
is not true.


Let's be accurate here, and take into account the antecedent of "they":
<quote>
Perhaps the craziest thing is that while Windows has this troublesome
'password-timebomb' built-in right out of the box, it doesn't have any
timeout-mechanism to close disused accounts. Disused accounts are a serious
security weakness, yet AFAIK the only way they can be closed is by manual
auditing.
</quote>

Account pre-defined expiration has nothing, in general, to do with
account disuse (save by case by case circumstance).

That the poster is overlooking scriptability is however a valid point,
but this is not the point you had made to which I had responded.

Now, assuming for a moment that an attacker is using the otherwise unused
account, closing it on "last use" would not help. If you have numbers of
accounts sitting around unused, you need better processes, not just a
magic switch in the OS.


And, assuming they have not come knocking yet, account reduction
could/would help.

Not everyone has perfect processes, or even the opportunity to attempt
to have such. Is a customer's ability to define a process a reason an OS
does not need to support them in their efforts?

Monitoring for last use is also fairly simple to implement with Microsoft
management products, 3rd party products or your own scripts.

True enough.
However, I believe that the poster was saying that built-in automation for
"account disable on (today - last login) > threshold"
makes more sense to him than does having password expiry built-in.


http://spaces.msn.com/members/byronphynes

"Byron Hynes [MS]" <bhynes@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:50cb70803f7348c824d4ac85e05a@xxxxxxxxxxxxxxxxxxxxxxx

Perhaps the craziest thing is that while Windows has this
troublesome 'password-timebomb' built-in right out of the box, it
doesn't have any timeout-mechanism to close disused accounts.
Disused accounts are a serious security weakness, yet AFAIK the only
way they can be closed is by manual auditing.

Last time I checked, there is an option to set an expiry for an
account in AD.

But it is as it existed back in the NT 3.x era, based on time in
existence. The proposal to do something based on length of time unused
actually sounds quite helpful.
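The "disable on (today - last login) > threshold" automation the thread describes as scriptable, as an added example that is not from any poster in the thread. It assumes the ActiveDirectory PowerShell module (which postdates this discussion) and rights to disable accounts; the OU and the 90-day threshold are placeholders.

```powershell
# Added example: disable enabled AD user accounts whose last logon is older
# than a threshold. Dry-run with -WhatIf before running for real.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,                               # placeholder threshold
    [string]$SearchBase = 'OU=Users,DC=example,DC=com'     # placeholder OU
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp replicates domain-wide but is only refreshed when the
# stored value is more than roughly 14 days old, so treat it as approximate
# and keep the threshold well above that lag.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, whenCreated

foreach ($u in $users) {
    if ($u.lastLogonTimestamp) {
        $lastUse = [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else {
        # Never logged on: use the creation date so a freshly created
        # account gets the same grace period instead of being disabled at once.
        $lastUse = $u.whenCreated
    }

    if ($lastUse -lt $cutoff) {
        $why = 'disable {0} (last use {1:yyyy-MM-dd})' -f $u.SamAccountName, $lastUse
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, $why)) {
            # Leave an audit trail in the description, then disable.
            Set-ADUser -Identity $u -Description ('Disabled for inactivity on {0:yyyy-MM-dd}' -f (Get-Date))
            Disable-ADAccount -Identity $u
        }
    }
}
```

Service and shared accounts that legitimately sit idle should be scoped out of the search base or excluded before this is scheduled, since the script has no notion of why an account is unused.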