Solved

Non-expiring passwords policy

Posted on 2013-01-29
5
467 Views
Last Modified: 2013-02-13
We performed an audit of our active directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn’t (or couldn’t be justified).

Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the password never expires checkbox was taken off). It would appear before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don’t believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say non expiring passwords aren’t given out as they used to be, we’ve cleaned our act up in this area. Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, how does it work? Or do rules on exemptions in AD fall into a specific document/policy, if so which?

Flaky evidence such as “we don’t create accounts with non expiring passwords anymore” doesn’t fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 12

Accepted Solution

by:
kadafitcd earned 250 total points
ID: 38831465
Make a Code of Conduct including that and put it on paper and sign it.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 38832942
My advice: employ admins that can be trusted - that's all.
Who as a good and security-aware admin would change these defaults to non-expiring? It's one of the most stupid decisions one could possibly make.
0
 
LVL 3

Author Comment

by:pma111
ID: 38834926
I agree but Im not sure employing a common sense admin is really a control. I just wondered if people document rules about non expiring passwords, where there are genuine reasons for an exemption, and if you do what document these rules fall into. Ive never heard of a non expiring password policy but somewhere I would imagine exemptions must need to be formally documented somewhere
0
 
LVL 54

Expert Comment

by:McKnife
ID: 38835062
If somehow the requirement came up, I would set a very long password, and see that that user will not be able to change it to something less complex. Documenting this? Well, what for? Who (constantly) reads these documents and what consequences would this knowledge have?
To me, it seems, a better plan would be to scan all accounts on a regular basis for this setting (simply execute MBSA on your DC) and have someone look at the scan results.
0
 
LVL 3

Author Comment

by:pma111
ID: 38835115
By documenting I was more getting to documenting the actual policy and rule.

i.e. if you look at software installation, you would probably have a software policy that dictates who can install software etc. And thats a documented rule, as opposed to just doing a scan to see who has installed software and whether they were allowed to do so.

I think documented rules and policies are the first step and then scanning to ensure compliance is a secondary thing. But without documented rules you dont have any meaningful remit to scan for anything.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question