Re: password policy with regard to application userid

["Ali, Saqib" <docbook.xml () gmail com>]

It depends on the application, and the level of privileges that the
account has and also the auditing of the account usage.

If you regularly auditing the account, and it only has a user level
privileges, then once a year password change should suffice.

One other thing to check is how the application the using the account.
As long as the application is kerberos enabled, and is NOT
transmitting the username/password on the network, then you don't need
to worry about somebody sniffing out the password.

For e.g. ADSI calls from IIS do not transmit the username/password
over the network, so using a account with more privileges to run a web
application is not an serious risk.


saqib
http://www.full-disk-encryption.net

On 31 May 2007 07:30:01 -0000, u.bodalina () gmail com
<u.bodalina () gmail com> wrote:
> What would be a reasonable password policy with regard to userids used in applications?
>
> For example Business Objects needs a system level userid to intergrate with active directory. What would the security 
> implications be if this userid's password wasn't changed?
>
> Standard users follow a policy in which they have to  change their password every two months.
>
> Thanks


--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net