Posted by Dan on August 19, 2008, 6:41 am
True, true, and then you have users who copy passwords onto sticky notes and
circumvent the best safety and security procedures of the company, and it is
probably because of the user's frustration, instead of maybe copying the
password into an encrypted file with, say, 448-bit+ Blowfish encryption for a
start.
"Special Access" wrote:
> On Fri, 15 Aug 2008 23:37:46 -0700, "Roger Abell [MVP]"
>
> >> The corporate auditing requires that all accounts' passwords expire,
> >> including service accounts. Questions:
> >>
> >> 1. Is it really a security recommendation?
> >Recommendation from whom? There are likely those saying so.
> >In point of fact, I can make the password sufficiently long and complex
> >that I would not worry about it being uncovered by brute methods, and
> >getting it from the service controller mem or safe is just as unlikely.
> >So, in my view, your question comes down to whether there are any
> >really determined adversaries or foolish people-ware in your world
> >that leave notes on the password(s) available. That is a correctable
> >practice as service account passwords generally can be (re)set and
> >then forever forgotten.
> >
> >> 2. Is there an easy way to automate this process (as a scheduled task, for
> >> example)?
> >Only with care.
> >There are the two (minimum) places to set the pwds (account+service).
> >These must be changed in atomic fashion (full error checking so both or
> >neither change is guaranteed)
> >One must decide whether to interrupt the service by restart or to rid it
> >out until the service recycles (which might cause issue depending on
> >what the service does and how).
> >The automation introduces the weakest storage of the password, and also
> >possibly its short-term visibility on some of the network.
> >The scheduled task introduces a weakness as it might get hijacked for abuse
> >(or its script just read and what's learned used).
> >
> >> 2. If I modify the password in the service settings, will this one keep
> >> running with no disruption?
> >depends; with restart the restart should be the only disruption
> >
> >> 3. If I modify passwords for clustering service accounts, will those ones
> >> keep running with no disruption?
> >ditto
> >
> >Roger
> >
>
>
> Having come from an environment that required ALL passwords to be
> changed every 60-90 days, it sux. I'm with Roger in that automation
> is not the best way to go with this. We scheduled downtime for
> whatever service/account that needed to be changed, changed in AD,
> then changed the service logon and bounced the service. You will know
> ASAP if it was typed correctly <g>
>
> And normally, this requirement comes from security folks that probably
> NEVER touched equipment in their lives, let alone try to manage
> maintaining a system for ungrateful users <g> and nagging managers who
> want everything to pass security AND work! Man, that's a tough
> requirement at times, heheheh.
>
> Mike
>
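Roger's "both or neither" point, as an added example that is not part of this thread: the password is changed in the two places he names (the AD account and the service logon), each step undoes the previous one on failure, and the restart doubles as the check that the two sides agree. It assumes the ActiveDirectory module, local admin on the host, and that the operator supplies the current password for rollback; the service and account names are placeholders.

```powershell
# Added example: rotate a service account password in AD and in the service's logon,
# rolling back whichever half already changed if the other half fails.
param(
    [Parameter(Mandatory)] [string]       $ServiceName,      # placeholder, e.g. 'MyAppSvc'
    [Parameter(Mandatory)] [string]       $AccountSam,       # placeholder, e.g. 'svc-myapp'
    [Parameter(Mandatory)] [securestring] $CurrentPassword,  # needed only for rollback
    [Parameter(Mandatory)] [securestring] $NewPassword       # prompted for; never hard-coded
)
Import-Module ActiveDirectory -ErrorAction Stop
$logon = "$((Get-ADDomain).NetBIOSName)\$AccountSam"

# The service controller wants plain text; keep these in scope as briefly as possible.
$newPlain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
$oldPlain = [System.Net.NetworkCredential]::new('', $CurrentPassword).Password

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if ($svc.StartName -notlike "*$AccountSam*") {
    throw "Service runs as '$($svc.StartName)', not '$logon'; refusing to continue"
}

function Set-ServiceLogon([string]$Password) {
    # Win32_Service.Change returns 0 on success; the stored password is only used at start.
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
             -Arguments @{ StartName = $logon; StartPassword = $Password }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }
}

# Step 1: directory side. Nothing else has changed yet, so a failure here needs no rollback.
Set-ADAccountPassword -Identity $AccountSam -Reset -NewPassword $NewPassword -ErrorAction Stop

# Step 2: service side. If it fails, put the directory back so both sides still agree.
try   { Set-ServiceLogon -Password $newPlain }
catch {
    Set-ADAccountPassword -Identity $AccountSam -Reset -NewPassword $CurrentPassword
    throw "Service update failed; AD password reverted: $_"
}

# Step 3: the restart is the only disruption and the real test, since the SCM only tries
# the stored credential when the service starts. A logon failure surfaces here.
try {
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
} catch {
    Set-ServiceLogon -Password $oldPlain
    Set-ADAccountPassword -Identity $AccountSam -Reset -NewPassword $CurrentPassword
    Restart-Service -Name $ServiceName -Force
    throw "Service did not reach Running after rotation; both sides rolled back: $_"
}
"Rotated logon password for $logon on service $ServiceName"
```

Run it interactively during the scheduled downtime Mike describes rather than from a stored scheduled task, which keeps the password out of the script and off the disk that Roger flags as the weakest link.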