Re: password expiration policy for admin and system accounts ?

From: JJ (johnny_at_tamtam.com)
Date: 10/20/05


Date: Thu, 20 Oct 2005 14:28:24 GMT

Thank you for your reply.

I would agree about the admin account, but what about system/service
accounts used by different systems?

"Herb Martin" <news@LearnQuick.com> wrote in message
news:eSdMWmQ1FHA.3376@TK2MSFTNGP14.phx.gbl...
> "JJ" <johnny@tamtam.com> wrote in message
> news:pNz5f.9585$oy3.4278@trnddc04...
> > Our auditors are objecting to our having Domain Administrator and domain
> > system accounts with passwords that never expire.
>
> A generally legitimate objection.
>
> > Yes, we change some of these passwords from time to time, but they're
> > normally set to never expire.
>
> And why should Admins with far more privileged and therefore
> DANGEROUS accounts be allowed practices less safe and more
> lazy than ordinary users?
>
> > We are wondering about how other companies do it, since we've never heard of
> > any IT Dept. that had such a policy, and we think the auditors are being
> > unreasonable -- forcing password expiration on such accounts could be a
> > logistical nightmare as it would cause critical services to stop running.
>
> No, they are being reasonable.
>
> Perhaps your issue is that you are using the same Admin
> account for many admins?
>
> Each admin should have a separate account for admin
> purposes (so that auditing is specific.)
>
> > We're not that big, but we do have about 30 servers and 200 users to
> > support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
> > resource servers.
> >
> > Please post your experiences and opinions.
>
> Do it correctly and safely, and thank the auditors for encouraging
> safe practices.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]