Windows Service Accounts and Password Expiration

[Jack Mogren <mogren () mayo edu>]

  Our security policies and standards have always required passwords to expire, requiring account owners to change the 
passwords on a specific periodic basis.  We also have standards for when generic or trusted accounts are acceptable.  
For instance, we deem the use of generic accounts acceptable in purely machine - to - machine batch processes.  Still 
we require certain criteria, including password expiration.
  In the Windows server world there are generic accounts called "Service" accounts.  "A rose by any other name ......." 
 Until recently, so-called "service" accounts have slipped by this requirement.  But system admin folks have become 
more security aware (thank you very much) and some are starting to ask the question.  Should Windows "service" accounts 
be required to have password expiration?  I'm getting good arguments from both sides of the issue.  Application 
availability VS adherance to standards, industry best practices, etc.  Keep in mind that we are in a patient care 
environment.  Any thoughts from the list?

- Jack