Re: password expiration policy for admin and system accounts ?
From: Herb Martin (news_at_LearnQuick.com)
Date: 10/22/05
Date: Fri, 21 Oct 2005 23:37:45 -0500
"Brad Baker" <brad@nospam.nospam> wrote in message
news:erJLisn1FHA.2704@TK2MSFTNGP10.phx.gbl...
> We face a similar problem. We would like to change several of our
> administrative passwords but are concerned about the problems that will be
> created as a result. We have legacy applications as well as services and
> scheduled tasks that use various administrative accounts. Changing the
> passwords on the accounts that run those applications/services/tasks would
> likely result in dozens of services, tasks and programs not working.
Then you need to find all of those services.
Turn on Account Auditing and track them down.
Services and such should use SERVICE specific accounts
with (incredibly) difficult passwords that never expire.
Admin accounts should NEVER be used for such services.
> Even if we managed to go through and find every place to update the
> password throughout our infrastructure there is some concern that some of
> the updates may not take effect. For instance, during the installation of
> our old exchange server, the wrong password was specified for an
> administrative account which starts several key exchange services.
> Updating the password in the services applet did not fix this problem.
> Thus every time the exchange server was rebooted several exchange services
> would not automatically start until an admin re-entered the password and
> manually startup the services. If this happened to other applications
> because of a password change, it would be a nightmare.
That can be overcome by finding each sub-service or by re-installing.
Don't propagate the mistake because solving it is hard work.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Brad Baker" <brad@nospam.nospam> wrote in message
news:erJLisn1FHA.2704@TK2MSFTNGP10.phx.gbl...
> We face a similar problem. We would like to change several of our
> administrative passwords but are concerned about the problems that will be
> created as a result. We have legacy applications as well as services and
> scheduled tasks that use various administrative accounts. Changing the
> passwords on the accounts that run those applications/services/tasks would
> likely result in dozens of services, tasks and programs not working.
>
> Even if we managed to go through and find every place to update the
> password throughout our infrastructure there is some concern that some of
> the updates may not take effect. For instance, during the installation of
> our old exchange server, the wrong password was specified for an
> administrative account which starts several key exchange services.
> Updating the password in the services applet did not fix this problem.
> Thus every time the exchange server was rebooted several exchange services
> would not automatically start until an admin re-entered the password and
> manually startup the services. If this happened to other applications
> because of a password change, it would be a nightmare.
>
> Thankfully our admin passwords are quite complex but it is disconcerting
> that we do not feel confident that changing them would not cause major
> disruption. I'd also welcome feedback from anyone who has done this in an
> enterprise environment (I.E. 30+ servers running many different server
> applications such as SQL, IIS, Exchange, backup software, legacy apps etc)
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:uvO65Wd1FHA.1564@tk2msftngp13.phx.gbl...
>> Hell I would and do object as well.
>>
>> http://blog.joeware.net/2005/05/08/10/
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>> JJ wrote:
>>> Our auditors are objecting to our having Domain Administrator and domain
>>> system accounts with passwords that never expire.
>>>
>>> Yes, we change some of these passwords from time to time, but they're
>>> normally set to never expire.
>>>
>>> We are wondering about how other companies do it, since we've never heard of
>>> any IT Dept. that had such a policy, and we think the auditors are being
>>> unreasonable -- forcing password expiration on such accounts could be a
>>> logistical nightmare as it would cause critical services to stop
>>> running.
>>>
>>> We're not that big, but we do have about 30 servers and 200 users to
>>> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>>> resource servers.
>>>
>>> Please post your experiences and opinions.
>>>
>>> Thanks.
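
The inventory step discussed in the message above (finding every service and scheduled task that depends on a named account before its password is changed), as an added example that is not part of the original post. It assumes current Windows PowerShell with the CIM and ScheduledTasks cmdlets and remote management enabled; the server names are placeholders.

```powershell
# Added example: list services and scheduled tasks that log on with a
# named (password-bearing) account. Server names are placeholders.
$servers = 'SERVER01', 'SERVER02'

# Built-in and virtual identities have no password to rotate, so skip them.
$builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

$report = foreach ($server in $servers) {
    $session = New-CimSession -ComputerName $server
    try {
        # Services: StartName is the logon account configured for the service.
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $server
                    Kind    = 'Service'
                    Name    = $_.Name
                    Account = $_.StartName
                    Detail  = "$($_.StartMode)/$($_.State)"
                }
            }

        # Scheduled tasks: LogonType 'Password' means a credential is stored
        # with the task and will break when the password changes.
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.LogonType -eq 'Password' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $server
                    Kind    = 'Task'
                    Name    = $_.TaskPath + $_.TaskName
                    Account = $_.Principal.UserId
                    Detail  = [string]$_.State
                }
            }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Full list, then a per-account count showing how widely each account is used.
$report | Sort-Object Account, Server, Kind | Format-Table -AutoSize
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Any account in the output that is also an administrative account marks a dependency to move onto a service-specific account before the admin password is changed.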