Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Windows Service Accounts and Password Expiration

From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Wed, 4 May 2005 08:21:16 +0100
Script logic make a utility for seeking out service accounts and allowing you to change (or even make a new random) 
passwords for service accounts. It changes the password where ever it's used on the network.

It does what it says on the tin!

HTH

Andy

-----Original Message-----
From: yonesy [mailto:yonesy () gmail com] 
Sent: 03 May 2005 22:10
To: Jack Mogren
Cc: security-basics () securityfocus com
Subject: Re: Windows Service Accounts and Password Expiration

Short answer:

You should enforce expiry, uniqueness and complexity of passwords.

The how is the difficult question.  I was evaluating a product by the
name of Password Auto-Repository by eDMZ based on its white papers it
seemed to do everything I required of it (including changing account
passwords automatically).  This product would also help in the change
of passwords for non-windows systems (*nix, Oracle, etc.).  Hope this
helps!

On 28 Apr 2005 15:46:21 -0000, Jack Mogren <mogren () mayo edu> wrote:



  Our security policies and standards have always required passwords to expire, requiring account owners to change 
the passwords on a specific periodic basis.  We also have standards for when generic or trusted accounts are 
acceptable.  For instance, we deem the use of generic accounts acceptable in purely machine - to - machine batch 
processes.  Still we require certain criteria, including password expiration.
  In the Windows server world there are generic accounts called "Service" accounts.  "A rose by any other name 
......."  Until recently, so-called "service" accounts have slipped by this requirement.  But system admin folks have 
become more security aware (thank you very much) and some are starting to ask the question.  Should Windows "service" 
accounts be required to have password expiration?  I'm getting good arguments from both sides of the issue.  
Application availability VS adherance to standards, industry best practices, etc.  Keep in mind that we are in a 
patient care environment.  Any thoughts from the list?

- Jack




-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?...  Then plan to fail!!!
Previous By Date Next
Previous By Thread Next

Current thread: