Built-in Administrator acct. for Domain be password never expires?

Posted by on October 2, 2006, 3:01 pm
Are there any risks associated with an expired built-in Administrator
password? I've been googling but can't seem to quite get results that speak
to this issue.



Posted by Brian Komar [MVP] on October 2, 2006, 4:19 pm
> Are there any risks associated with an expired built-in Administrator
> password? I've been googling but can't seem to quite get results that speak
> to this issue.
>
>
>
The risk is that you cannot log in with the account once the password has
expired without resetting it. If an attacker is able to determine the original
password, due to poor password implementation, they could change the password
from under you.
Brian

Posted by on October 2, 2006, 6:43 pm
So is it better practice to have it expire, or to never expire?


>> Are there any risks associated with an expired built-in Administrator
>> password? I've been googling but can't seem to quite get results that
>> speak to this issue.
>
> The risk is that you cannot log in with the account once the password has
> expired without resetting it. If an attacker is able to determine the
> original password, due to poor password implementation, they could change
> the password from under you.
> Brian



Posted by Brian Komar [MVP] on October 3, 2006, 12:07 am
I have to go with Lanwench on this one. Complexity is good. Keep it in a safe.
Break glass in case of emergency
Brian

> So is it better practice to have it expire, or to never expire?
>
> >> Are there any risks associated with an expired built-in Administrator
> >> password? I've been googling but can't seem to quite get results that
> >> speak to this issue.
> >
> > The risk is that you cannot log in with the account once the password has
> > expired without resetting it. If an attacker is able to determine the
> > original password, due to poor password implementation, they could change
> > the password from under you.
> > Brian

Posted by Lanwench [MVP - Exchange] on October 2, 2006, 9:21 pm
- <-> typed:
> Are there any risks associated with an expired built-in Administrator
> password? I've been googling but can't seem to quite get results
> that speak to this issue.

You can't make the built-in domain admin account password expire, to the
best of my knowledge.

Really, nobody should be using that account for their admin work anyway, nor
should it be used to run system services. Just set it up with a good,
complex password, write that down on a piece of paper and put it in a sealed
envelope, and give that to the company owner so that he or she can fire the
entire IT department without getting screwed over. Any techs working on the
network should have two accounts - one for daily use (user only), and
another that has the delegated domain permissions they need to do their
jobs. Complex passwords & regular changes should be forced.

This is an "ideal world" setup, but hey, we can strive for that, right?
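
An added example, not part of any post in this thread: one way to check how the built-in account is actually configured and used, by decoding the raw directory attributes `userAccountControl`, `pwdLastSet` and `lastLogonTimestamp` for the account whose SID ends in RID 500. The sample records, account names, domain SID and the 30-day "recent use" threshold are constructed assumptions; real input would come from an LDAP export of the domain.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: "password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """AD timestamps are 100 ns ticks since 1601-01-01 UTC; 0 means 'never'."""
    ticks = int(ticks)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse of from_filetime, used here only to build the sample records."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def days_since(ticks, now):
    when = from_filetime(ticks)
    return None if when is None else (now - when).days

def audit_builtin_admin(entries, now, recent_logon_days=30):
    """Report on the account whose SID ends in RID 500, whatever it was renamed to."""
    for e in entries:
        if e["objectSid"].rsplit("-", 1)[-1] != "500":
            continue
        uac = int(e["userAccountControl"])
        logon_age = days_since(e["lastLogonTimestamp"], now)
        return {
            "name": e["sAMAccountName"],
            "enabled": not uac & UF_ACCOUNTDISABLE,
            "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
            "password_age_days": days_since(e["pwdLastSet"], now),
            "days_since_logon": logon_age,
            # lastLogonTimestamp replicates with a lag of up to about two weeks,
            # so treat this as a coarse signal of day-to-day use.
            "used_recently": logon_age is not None and logon_age <= recent_logon_days,
        }
    return None

# Constructed sample data (not from the thread): a tech's admin account and a renamed RID-500 account.
NOW = datetime(2006, 10, 3, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "jdoe-adm", "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
     "userAccountControl": "512", "pwdLastSet": to_filetime(NOW - timedelta(days=20)),
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "breakglass", "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "userAccountControl": "66048", "pwdLastSet": to_filetime(NOW - timedelta(days=400)),
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
]

if __name__ == "__main__":
    print(audit_builtin_admin(SAMPLE, NOW))
```

A `used_recently` value of true for the RID-500 account means it is being logged on to routinely rather than held in reserve for emergencies.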


