Solved

Non-expiring passwords policy

Posted on 2013-01-29
Medium Priority
Last Modified: 2013-02-13
We performed an audit of our Active Directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn't (or couldn't be justified).

Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the "password never expires" checkbox was unticked). It would appear that before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don't believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say that non-expiring passwords aren't given out as they used to be, that we've cleaned our act up in this area? Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, and how does it work? Or do rules on exemptions in AD fall into a specific document/policy, and if so, which?

Flaky evidence such as "we don't create accounts with non-expiring passwords anymore" doesn't fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.
Question by: pma111
5 Comments
 
LVL 12

Accepted Solution

by: kadafitcd (earned 750 total points)
ID: 38831465
Write a Code of Conduct that includes this, put it on paper, and have it signed.
 
LVL 56

Assisted Solution

by: McKnife (earned 750 total points)
ID: 38832942
My advice: employ admins that can be trusted; that's all.
Who, as a good and security-aware admin, would change these defaults to non-expiring? It's one of the most stupid decisions one could possibly make.
 
LVL 3

Author Comment

by: pma111
ID: 38834926
I agree, but I'm not sure employing a common-sense admin is really a control. I just wondered if people document rules about non-expiring passwords where there are genuine reasons for an exemption, and if you do, what document these rules fall into. I've never heard of a non-expiring password policy, but I would imagine exemptions must need to be formally documented somewhere.
 
LVL 56

Expert Comment

by: McKnife
ID: 38835062
If somehow the requirement came up, I would set a very long password and see that the user will not be able to change it to something less complex. Documenting this? Well, what for? Who (constantly) reads these documents, and what consequences would this knowledge have?
To me, it seems a better plan would be to scan all accounts on a regular basis for this setting (simply execute MBSA on your DC) and have someone look at the scan results.
 
LVL 3

Author Comment

by: pma111
ID: 38835115
By documenting I was more getting at documenting the actual policy and rule.

I.e. if you look at software installation, you would probably have a software policy that dictates who can install software etc. That's a documented rule, as opposed to just doing a scan to see who has installed software and whether they were allowed to do so.

I think documented rules and policies are the first step, and then scanning to ensure compliance is a secondary thing. But without documented rules you don't have any meaningful remit to scan for anything.
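One way to combine the two positions in this thread (McKnife's "scan all accounts on a regular basis for this setting" and pma111's point that a scan only means something when it is checked against a documented rule) is a scheduled script that lists every enabled account with the "password never expires" flag and reconciles it against an exception register. The following is an added example and is not code from the original thread or from any of its participants. It assumes the Active Directory PowerShell module is available on the machine it runs from, and it assumes an exception register kept as a CSV at C:\Audit\PasswordNeverExpires-Exceptions.csv with the columns SamAccountName, Justification, ApprovedBy and ReviewDate (the path and column names are this example's own choices, not anything the thread specifies). Each run produces a dated CSV, which is the kind of artefact an audit team can be handed: every flagged account is either tied to a recorded justification and approver, or is listed as unapproved.

```powershell
# Added example (not from the original thread). Reconciles AD accounts whose
# password never expires against a documented exception register.
Import-Module ActiveDirectory

# Assumed location and layout of the exception register:
# SamAccountName,Justification,ApprovedBy,ReviewDate
$ExceptionFile = 'C:\Audit\PasswordNeverExpires-Exceptions.csv'
$ReportDir     = 'C:\Audit'

# Load the register into a hashtable keyed on lowercase SamAccountName.
$Approved = @{}
if (Test-Path $ExceptionFile) {
    Import-Csv $ExceptionFile | ForEach-Object {
        $Approved[$_.SamAccountName.ToLower()] = $_
    }
}

# PasswordNeverExpires is derived from the DONT_EXPIRE_PASSWD bit of
# userAccountControl; the AD module exposes it as a filterable property.
# Disabled accounts are excluded here so the report stays focused on live risk.
$Flagged = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, whenCreated, Description

# Build one row per flagged account, marking whether it is on the register.
$Report = foreach ($u in $Flagged) {
    $exc = $Approved[$u.SamAccountName.ToLower()]
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Created         = $u.whenCreated
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Description     = $u.Description
        Status          = if ($exc) { 'Approved exception' } else { 'UNAPPROVED' }
        Justification   = if ($exc) { $exc.Justification } else { '' }
        ApprovedBy      = if ($exc) { $exc.ApprovedBy } else { '' }
        ReviewDate      = if ($exc) { $exc.ReviewDate } else { '' }
    }
}

# Register entries that no longer match a flagged, enabled account are stale
# and should be retired, otherwise the register silently drifts from reality.
$FlaggedNames = @($Flagged | ForEach-Object { $_.SamAccountName.ToLower() })
$Stale = @($Approved.Keys | Where-Object { $_ -notin $FlaggedNames })

# Write the dated evidence file and show anything that needs action.
$Stamp = Get-Date -Format 'yyyyMMdd'
$Report | Sort-Object Status, SamAccountName |
    Export-Csv (Join-Path $ReportDir "PasswordNeverExpires-$Stamp.csv") -NoTypeInformation

$Unapproved = @($Report | Where-Object { $_.Status -eq 'UNAPPROVED' })
if ($Unapproved.Count -gt 0) {
    Write-Warning "$($Unapproved.Count) enabled account(s) with non-expiring passwords are not on the exception register:"
    $Unapproved | Format-Table SamAccountName, PasswordLastSet, LastLogonDate, Description -AutoSize
}
if ($Stale.Count -gt 0) {
    Write-Warning "Stale register entries (no matching flagged account): $($Stale -join ', ')"
}
```

Run this as a scheduled task and keep the dated CSVs; the register itself is the documented rule pma111 is asking for, the script output is the evidence that the rule is being enforced, and the "stale entries" warning catches the other failure mode, where an exception is granted once and never revisited.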

Question has a verified solution.