swiftny

asked on

Automatic Password Management - when passwords on many autonomous workstations NEED to change every 90 days

Because of recent regulations and security requirements in the credit card industry, it is required that all machines that have access to credit card info meet a strict set of rules.  CISP, PCI, and others.

Anyway, one of these rules states that passwords must be changed at least once every three months on every machine. That's a tough one for point of sale systems. There are places with 20 or 30 workstations that aren't logged in by anyone, they are just supposed to be always on. Anyway, those must still be changed, and to manually do that, even with the help of a script, every 3 months for many many clients... is simply not feasible.

So, my question is, are there any applications or methods we can use so that passwords can be changed automatically, or at least much more easily, and then have the passwords stored in another file which is secured with a password that we'd manage manually.  

I envision a program running on a server, where every 88 days, it'll change the passwords automatically on all the winxp clients, then the password on the server itself, using a predefined list, or perhaps a randomly generated password that is recorded locally.

Thoughts/Ideas/suggestions?
mikeleebrla

Exactly which passwords are you talking about? Domain user accounts, local admin accounts, random local accounts or what?
swiftny

ASKER

The way the systems are set up now, it's just local accounts on a workgroup. No domain.

If a domain was absolutely necessary, I would reconsider the way we configured our systems.

Once again:

EXACTLY which passwords are you talking about?  domain user accounts, local admin accounts, random local accounts or what?

Are the accounts admin accounts? Are they random local 'user' accounts? Are all the accounts named the same?

swiftny

ASKER

They are all local admin accounts defined in Windows which must have access to shares on the main server. They are all named the same.

These are the usernames/passwords that are used to log in to the machine. Currently the machines log in automatically if they are restarted (which happens daily), and must continue happening.

Need any more clarification?

This can be handled by setting a Group Policy on each machine using GPedit.msc, nav to Computer Config, Windows Settings, Security Settings, Account Policies, Password policy.  There you will see "Maximum password age" among several other settings.
This is much easier to manage on an Active Directory domain, but I think it can be scripted and/or pushed out to each machine... have not done it without AD myself. The policy will be applied to all local accounts, admin, guest, normal user whatever.
FS-
swiftny

ASKER

But that won't let me change everyone's password, right? Only the maximum age... the age I have to leave at 90 days. I just don't want to go and manually change the password every 89 days. I'm talking hundreds of workstations.
ASKER CERTIFIED SOLUTION
Dean Chafee

This solution is only available to members.