Security Basics mailing list archives
RE: Windows Service Accounts and Password Expiration
From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Wed, 4 May 2005 08:21:16 +0100
Script logic make a utility for seeking out service accounts and allowing you to change (or even make a new random) passwords for service accounts. It changes the password where ever it's used on the network. It does what it says on the tin! HTH Andy -----Original Message----- From: yonesy [mailto:yonesy () gmail com] Sent: 03 May 2005 22:10 To: Jack Mogren Cc: security-basics () securityfocus com Subject: Re: Windows Service Accounts and Password Expiration Short answer: You should enforce expiry, uniqueness and complexity of passwords. The how is the difficult question. I was evaluating a product by the name of Password Auto-Repository by eDMZ based on its white papers it seemed to do everything I required of it (including changing account passwords automatically). This product would also help in the change of passwords for non-windows systems (*nix, Oracle, etc.). Hope this helps! On 28 Apr 2005 15:46:21 -0000, Jack Mogren <mogren () mayo edu> wrote:
Our security policies and standards have always required passwords to expire, requiring account owners to change the passwords on a specific periodic basis. We also have standards for when generic or trusted accounts are acceptable. For instance, we deem the use of generic accounts acceptable in purely machine - to - machine batch processes. Still we require certain criteria, including password expiration. In the Windows server world there are generic accounts called "Service" accounts. "A rose by any other name ......." Until recently, so-called "service" accounts have slipped by this requirement. But system admin folks have become more security aware (thank you very much) and some are starting to ask the question. Should Windows "service" accounts be required to have password expiration? I'm getting good arguments from both sides of the issue. Application availability VS adherance to standards, industry best practices, etc. Keep in mind that we are in a patient care environment. Any thoughts from the list? - Jack
-- Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+ Failed to plan?... Then plan to fail!!!
Current thread:
- Re: Windows Service Accounts and Password Expiration yonesy (May 03)
- <Possible follow-ups>
- RE: Windows Service Accounts and Password Expiration Andrew Shore (May 05)