Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 285
  • Last Modified:

Windows Server 2003 - changing admin password - effects on running services

I am looking at running an exercise across the whole network for all users, including the admin account, to change passwords and increase the number and complexity of characters.

Given that some of my servers run MS SQL/SAP Business One, SQL Express, Blackberry Enterprise Server, Exchange 2003 and all kinds of other nonsense where startup services are tied to the admin account, what is the safe way of changing the admin account password without killing any of the services that depend on it ?

Last time I sandboxed this it created minor havoc...
0
Copyleft
Asked:
Copyleft
  • 2
  • 2
1 Solution
 
oBdACommented:
Do NOT, never, ever, use accounts that are used for interactive logons as service accounts. Create dedicated accounts for each service, and give these accounts only the permissions they require for their specific task. Use complex passwords, and set these passwords to never expire. When you want to change these passwords, you'll then know exactly which services you need to reconfigure.
To clean out your current situation, start by creating service accounts for each service (and don't forget scheduled tasks!) that is started with the admin account, and reconfigure these services. Once this is done, you'll be able to change the admin account's password as often as you feel like doing so, without having to worry about your services coming to a grinding halt.
0
 
CopyleftAuthor Commented:
Fair enough - I inherited this network in its current condition, so I can only work with what's already in place.

Leaving best practice aside for one moment, might manually updating every service tied to the current admin login acccount work ?

I'm not intending to do it this way - just thinking out loud out of curiosity. Your suggested method sounds fine :)
0
 
oBdACommented:
Manually updating each and every service using this account as soon as you've changed the password for the account itself is actually the only option you have. This usually requires a restart of the service as well.
Before you change the password in your current situation, consider changing your account lockout policy (for a limited time) to Never, so that a forgotten service won't lock this account (thus keeping other services from running) if it keeps trying to logon with the old password.
0
 
CopyleftAuthor Commented:
Thanks.

I'm going to try your first suggestion on a sandbox server using yesterday's full disk image backup of one of our main servers.

Once I am happy with it I will tackle the live server.

Points awarded - thanks again :)
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now