Solved

Non-expiring passwords policy

Posted on 2013-01-29
Last Modified: 2013-02-13
We performed an audit of our active directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn’t (or couldn’t be justified).

Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the password never expires checkbox was taken off). It would appear before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don’t believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say non expiring passwords aren’t given out as they used to be, we’ve cleaned our act up in this area. Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, how does it work? Or do rules on exemptions in AD fall into a specific document/policy, if so which?

Flaky evidence such as “we don’t create accounts with non expiring passwords anymore” doesn’t fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.
Question by:pma111
5 Comments
 
LVL 12

Accepted Solution

by:
kadafitcd earned 750 total points
ID: 38831465
Make a Code of Conduct including that and put it on paper and sign it.
LVL 57

Assisted Solution

by:McKnife
McKnife earned 750 total points
ID: 38832942
My advice: employ admins that can be trusted - that's all.
Who as a good and security-aware admin would change these defaults to non-expiring? It's one of the most stupid decisions one could possibly make.
LVL 3

Author Comment

by:pma111
ID: 38834926
I agree, but I'm not sure employing a common sense admin is really a control. I just wondered if people document rules about non expiring passwords, where there are genuine reasons for an exemption, and if you do, what document these rules fall into. I've never heard of a non expiring password policy, but somewhere I would imagine exemptions must need to be formally documented.
LVL 57

Expert Comment

by:McKnife
ID: 38835062
If somehow the requirement came up, I would set a very long password, and see that that user will not be able to change it to something less complex. Documenting this? Well, what for? Who (constantly) reads these documents and what consequences would this knowledge have?
To me, it seems, a better plan would be to scan all accounts on a regular basis for this setting (simply execute MBSA on your DC) and have someone look at the scan results.
LVL 3

Author Comment

by:pma111
ID: 38835115
By documenting I was more getting to documenting the actual policy and rule.

i.e. if you look at software installation, you would probably have a software policy that dictates who can install software etc. And that's a documented rule, as opposed to just doing a scan to see who has installed software and whether they were allowed to do so.

I think documented rules and policies are the first step and then scanning to ensure compliance is a secondary thing. But without documented rules you don't have any meaningful remit to scan for anything.
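The two halves of this thread (McKnife's regular scan of the "password never expires" flag, and pma111's point that a documented rule must come first) fit together as one control: a written exemption register that the scan is checked against. The script below is an added example, not code from the thread or its participants; it assumes the ActiveDirectory RSAT module and a CSV register with the columns SamAccountName, Justification, ApprovedBy and ReviewDate, and the register path and output folder are placeholders.

```powershell
# Added example: reconcile AD accounts flagged "password never expires" against a
# documented exemption register, so the scan enforces the written rule rather than
# just listing accounts. Assumes RSAT ActiveDirectory module; paths are placeholders.
Import-Module ActiveDirectory

$RegisterPath = 'C:\Audit\NonExpiringExemptions.csv'   # placeholder: approved exemptions
$ReportFolder = 'C:\Audit\Reports'                      # placeholder: evidence for auditors
$Register     = Import-Csv -Path $RegisterPath

# Index the register by account name (case-insensitive) for lookup.
$Approved = @{}
foreach ($row in $Register) { $Approved[$row.SamAccountName.ToLower()] = $row }

# Every enabled account that currently carries the non-expiring flag.
$NonExpiring = Get-ADUser -Filter "PasswordNeverExpires -eq 'True' -and Enabled -eq 'True'" `
    -Properties PasswordNeverExpires, PasswordLastSet, Description
$FlaggedNames = @($NonExpiring | ForEach-Object { $_.SamAccountName.ToLower() })

$Findings = foreach ($user in $NonExpiring) {
    $key = $user.SamAccountName.ToLower()
    if (-not $Approved.ContainsKey($key)) {
        # Flag set in AD with no documented business case: the primary finding.
        [pscustomobject]@{ SamAccountName = $user.SamAccountName
                           Finding        = 'NOT IN EXEMPTION REGISTER'
                           PasswordLastSet = $user.PasswordLastSet; Justification = '' }
    }
    elseif ([datetime]$Approved[$key].ReviewDate -lt (Get-Date)) {
        # Exemption exists but the agreed review date has lapsed.
        [pscustomobject]@{ SamAccountName = $user.SamAccountName
                           Finding        = 'EXEMPTION REVIEW OVERDUE'
                           PasswordLastSet = $user.PasswordLastSet
                           Justification  = $Approved[$key].Justification }
    }
}

# Register entries whose account no longer has the flag (or no longer exists) are stale
# and should be retired from the register, otherwise it stops reflecting reality.
$Stale = $Register | Where-Object { $_.SamAccountName.ToLower() -notin $FlaggedNames } |
    ForEach-Object { [pscustomobject]@{ SamAccountName = $_.SamAccountName
                                        Finding = 'STALE REGISTER ENTRY'
                                        PasswordLastSet = $null; Justification = $_.Justification } }

# Dated CSV gives the audit team point-in-time evidence that the rule is being checked.
$Report = @($Findings) + @($Stale) | Sort-Object Finding, SamAccountName
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$Report | Export-Csv -NoTypeInformation -Path (Join-Path $ReportFolder "NonExpiring-$Stamp.csv")
$Report | Format-Table -AutoSize
```

An empty report means every non-expiring account is covered by a current, approved exemption and the register contains nothing stale; anything else is a finding to either remediate in AD or formally approve in the register.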