Re: Windows Service Accounts and Password Expiration

[yonesy <yonesy () gmail com>]

Short answer:

You should enforce expiry, uniqueness and complexity of passwords.

The how is the difficult question.  I was evaluating a product by the
name of Password Auto-Repository by eDMZ based on its white papers it
seemed to do everything I required of it (including changing account
passwords automatically).  This product would also help in the change
of passwords for non-windows systems (*nix, Oracle, etc.).  Hope this
helps!

On 28 Apr 2005 15:46:21 -0000, Jack Mogren <mogren () mayo edu> wrote:
>   Our security policies and standards have always required passwords to expire, requiring account owners to change 
> the passwords on a specific periodic basis.  We also have standards for when generic or trusted accounts are 
> acceptable.  For instance, we deem the use of generic accounts acceptable in purely machine - to - machine batch 
> processes.  Still we require certain criteria, including password expiration.
>   In the Windows server world there are generic accounts called "Service" accounts.  "A rose by any other name 
> ......."  Until recently, so-called "service" accounts have slipped by this requirement.  But system admin folks have 
> become more security aware (thank you very much) and some are starting to ask the question.  Should Windows "service" 
> accounts be required to have password expiration?  I'm getting good arguments from both sides of the issue.  
> Application availability VS adherance to standards, industry best practices, etc.  Keep in mind that we are in a 
> patient care environment.  Any thoughts from the list?
>
> - Jack


-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?...  Then plan to fail!!!