password expiration policy for admin and system accounts ?

Posted by JJ on October 19, 2005, 6:29 pm
Our auditors are objecting to our having Domain Administrator and domain
system accounts with passwords that never expire.

Yes, we change some of these passwords from time to time, but they're
normally set to never expire.


We are wondering about how other companies do it, since we've never heard of
any IT Dept. that had such a policy, and we think the auditors are being
unreasonable -- forcing password expiration on such accounts could be a
logistical nightmare as it would cause critical services to stop running.

We're not that big, but we do have about 30 servers and 200 users to
support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
resource servers.

Please post your experiences and opinions.

Thanks.



Posted by Herb Martin on October 19, 2005, 7:59 pm
> Our auditors are objecting to our having Domain Administrator and domain
> system accounts with passwords that never expire.

A generally legitimate objection.

> Yes, we change some of these passwords from time to time, but they're
> normally set to never expire.

And why should Admins with far more privileged and therefore
DANGEROUS accounts be allowed practices less safe and more
lazy than ordinary users?

> We are wondering about how other companies do it, since we've never heard of
> any IT Dept. that had such a policy, and we think the auditors are being
> unreasonable -- forcing password expiration on such accounts could be a
> logistical nightmare as it would cause critical services to stop running.

No, they are being reasonable.

Perhaps your issue is that you are using the same Admin
account for many admins?

Each admin should have a separate account for admin
purposes (so that auditing is specific.)

> We're not that big, but we do have about 30 servers and 200 users to
> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
> resource servers.
>
> Please post your experiences and opinions.

Do it correctly and safely, and thank the auditors for encouraging
safe practices.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]





Posted by Roger Abell [MVP] on October 20, 2005, 10:25 am
Privileged accounts should be the most, not the least, well guarded.
If your domain policy makes users change passwords each 60 days,
your admins and domain admins accounts should get their passwords
changed weekly (which means a human, not a machine enforced
practice). Changing the passwords is not so much a limiter on the
time available for cracking as it is a limiter on the length that a password
that has travelled beyond appropriate hands can be usable there.

You say changing service account passwords can cause critical services
to stop working. That is not really the case, with planning and doing the
right things at the right times. But, it can cause short-term
interruptions.
I feel most shops do not alter service account passwords on a regular
basis, but it could be a good practice to implement. If you look you will
notice that most services are not using custom accounts, which means
that it is not all that many that are impacted by the auditor's request.
For some of these the accounts are domain, but the scope of the others, the
machine local service accounts (other than the built-in accounts local
system, local service, network service) are limited to that one box.
Perhaps you can arbitrate with the auditors on the frequency of change
based on the scope of the exposure, the difficulty of getting to the boxes
to coordinate this, and (this is the big one) your practice of using pass
phrases for those accounts that have a minimum length that is some
outrageously large size like 40 characters.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
> Our auditors are objecting to our having Domain Administrator and domain
> system accounts with passwords that never expire.
>
> Yes, we change some of these passwords from time to time, but they're
> normally set to never expire.
>
>
> We are wondering about how other companies do it, since we've never heard of
> any IT Dept. that had such a policy, and we think the auditors are being
> unreasonable -- forcing password expiration on such accounts could be a
> logistical nightmare as it would cause critical services to stop running.
>
> We're not that big, but we do have about 30 servers and 200 users to
> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
> resource servers.
>
> Please post your experiences and opinions.
>
> Thanks.
>
>
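One way to scope what the auditor's finding actually touches, along the lines Roger describes above: list the domain accounts flagged "password never expires" (marking the privileged ones) and inventory which services on each server run under a custom account rather than a built-in one. This is an added PowerShell example, not code from the thread; it assumes a domain-joined host with LDAP read access and CIM/WMI rights to the servers, and the server names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes a domain-joined host with LDAP read
# access and CIM/WMI rights to the servers listed below.
$Servers = @('SERVER01', 'SERVER02')   # constructed placeholder names

# 1. Domain accounts with "password never expires" set: userAccountControl bit
#    0x10000 (65536). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
#    adminCount=1 marks accounts protected by AdminSDHolder (Domain Admins etc.),
#    so those are the ones to rotate first and most often.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$searcher = [ADSISearcher]$filter
$searcher.PageSize = 500
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'adminCount', 'pwdLastSet'))
$neverExpires = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    [pscustomobject]@{
        Account    = [string]($p['samaccountname'] | Select-Object -First 1)
        Privileged = ([int]($p['admincount'] | Select-Object -First 1) -eq 1)
        # pwdLastSet is a Windows FILETIME; 0 (never set) maps to 1601-01-01.
        PwdLastSet = [datetime]::FromFileTime([int64]($p['pwdlastset'] | Select-Object -First 1))
    }
}

# 2. Services per server that run under a custom account. Built-in identities need
#    no password rotation; the remainder is the real scope of the auditor's request,
#    split into domain accounts and machine-local accounts (limited to that one box).
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$customServices = foreach ($s in $Servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $s
                Service = $_.Name
                Account = $_.StartName
                Scope   = if ($_.StartName -like ".\*" -or $_.StartName -like "$s\*") {
                              'machine-local' } else { 'domain' }
            }
        }
}

# Privileged never-expire accounts first, oldest password on top; then the service map.
$neverExpires | Where-Object Privileged | Sort-Object PwdLastSet | Format-Table -AutoSize
$customServices | Sort-Object Scope, Account, Server | Format-Table -AutoSize
```

The second table is what to bring to the auditors: a domain service account that appears on several servers needs a coordinated change window, while a machine-local one can be rotated on its own box.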



Posted by Joe Richards [MVP] on October 20, 2005, 8:23 pm
Hell I would and do object as well.

http://blog.joeware.net/2005/05/08/10/

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


JJ wrote:
> Our auditors are objecting to our having Domain Administrator and domain
> system accounts with passwords that never expire.
>
> Yes, we change some of these passwords from time to time, but they're
> normally set to never expire.
>
>
> We are wondering about how other companies do it, since we've never heard of
> any IT Dept. that had such a policy, and we think the auditors are being
> unreasonable -- forcing password expiration on such accounts could be a
> logistical nightmare as it would cause critical services to stop running.
>
> We're not that big, but we do have about 30 servers and 200 users to
> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
> resource servers.
>
> Please post your experiences and opinions.
>
> Thanks.
>
>
