Security Basics mailing list archives

RE: Changing the domain password policy


From: "Duncan McAlynn" <duncan () mcalynn com>
Date: Mon, 16 Oct 2006 23:06:35 -0500

Gary,

The Domain Admin accounts should be the first to implement a strong
password/phrase. 

The biggest issue you'll run into is the numerous service accounts that
exist and are not well-documented. There are a number of scripts available
on the Internet that will help you identify them. Basically, what you're
looking for is any service that is not using the "LocalSystem" account. Once
you've identified the applications, you can then target the appropriate
admins to update the accounts with a strong password. 

Sample script:
http://blogs.brnets.com/michael/archive/2006/03/23/2515.aspx


I'd encourage you to use this opportunity to further the cause by also
implementing some documented means of maintaining these accounts and their
associated passwords. 

In the past, I've seen the passwords for privileged accounts (i.e. Domain
Admins, Schema Admins, System Restore Accounts, SQL SA accounts, etc.)
changed to a strong password, documented in print, sealed in an envelope and
then stored in a safe/lockbox managed by someone outside of the chain of
report (i.e. Director of HR, VP Legal, etc.). This documentation can also
list dependent applications so that the full impact can be readily realized.


Lastly, if your domain admins are using the same account for managing the
domain that they use to check their email and browse the web, you may want
to address that issue as well. Have a separate account for administrative
purposes and use Run As to execute things requiring admin rights. 

Good luck, Gary. 

Duncan McAlynn, MVP/MCSE

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Gary Collis
Sent: Monday, October 16, 2006 2:04 PM
To: security-basics () securityfocus com
Subject: Changing the domain password policy

Hi List,

I am going to enforce some domain password standards on a w2k domain. I
am going to set the password policy to a more complex level than it
already is.

The questions I have are:

There are a number of service and application accounts to which
developers have set a number of weak passwords. So my plan is to
contact the developers and request them to change passwords to these
accounts, so applications and such do not break during transition. What
is the best way to do this?

In general is there anything else that anyone can recommend? What else
should I consider? I am sure someone here must have done this before. What
are your experiences of this?

When is the password policy enforced?

Does this affect the domain admin account?

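One way to build the service-account inventory Duncan describes (every service not running as LocalSystem), as an added PowerShell example that is not from the thread or the linked script; it assumes the RSAT ActiveDirectory module on the admin workstation and CIM (WinRM) access to the member servers:

```powershell
# Inventory of services running under something other than the built-in
# machine principals, i.e. the service accounts a stricter domain password
# policy can break. Assumes RSAT's ActiveDirectory module and CIM/WinRM access.

# Principals with no password to rotate: local machine identities and
# per-service virtual accounts. Domain accounts are deliberately not
# listed here, since surfacing them is the whole point.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-NonSystemServiceAccounts {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service `
                -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $computer : $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $services) {
            $account = $svc.StartName
            if ([string]::IsNullOrWhiteSpace($account)) { continue }
            # PowerShell string comparisons are case-insensitive by default.
            if ($builtIn -contains $account)   { continue }
            if ($account -like 'NT SERVICE\*') { continue }  # virtual account
            if ($account -like '*$')           { continue }  # (g)MSA: password auto-managed
            [pscustomobject]@{
                Computer    = $computer
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                Account     = $account
                StartMode   = $svc.StartMode
                State       = $svc.State
                BinaryPath  = $svc.PathName
            }
        }
    }
}

# Sweep every enabled computer object in the domain and write the inventory
# to a CSV that can be handed to the owning admins before the policy changes.
$members = (Get-ADComputer -Filter 'Enabled -eq $true').Name
Get-NonSystemServiceAccounts -ComputerName $members |
    Sort-Object Account, Computer |
    Export-Csv -Path .\service-accounts.csv -NoTypeInformation
```

Services are only one dependency: scheduled tasks, IIS application pools, COM+ applications and stored connection strings also carry account passwords and need the same sweep. On hosts without WinRM the same query runs over DCOM with Get-WmiObject -Class Win32_Service.
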
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------