Non-expiring passwords policy

We performed an audit of our active directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn’t (or couldn’t be justified).

Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the password never expires checkbox was taken off). It would appear before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don’t believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say non expiring passwords aren’t given out as they used to be, we’ve cleaned our act up in this area. Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, how does it work? Or do rules on exemptions in AD fall into a specific document/policy, if so which?

Flaky evidence such as “we don’t create accounts with non expiring passwords anymore” doesn’t fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.
LVL 3
pma111Asked:
Who is Participating?
 
kadafitcdConnect With a Mentor Commented:
Make a Code of Conduct including that and put it on paper and sign it.
0
 
McKnifeConnect With a Mentor Commented:
My advice: employ admins that can be trusted - that's all.
Who as a good and security-aware admin would change these defaults to non-expiring? It's one of the most stupid decisions one could possibly make.
0
 
pma111Author Commented:
I agree but Im not sure employing a common sense admin is really a control. I just wondered if people document rules about non expiring passwords, where there are genuine reasons for an exemption, and if you do what document these rules fall into. Ive never heard of a non expiring password policy but somewhere I would imagine exemptions must need to be formally documented somewhere
0
 
McKnifeCommented:
If somehow the requirement came up, I would set a very long password, and see that that user will not be able to change it to something less complex. Documenting this? Well, what for? Who (constantly) reads these documents and what consequences would this knowledge have?
To me, it seems, a better plan would be to scan all accounts on a regular basis for this setting (simply execute MBSA on your DC) and have someone look at the scan results.
0
 
pma111Author Commented:
By documenting I was more getting to documenting the actual policy and rule.

i.e. if you look at software installation, you would probably have a software policy that dictates who can install software etc. And thats a documented rule, as opposed to just doing a scan to see who has installed software and whether they were allowed to do so.

I think documented rules and policies are the first step and then scanning to ensure compliance is a secondary thing. But without documented rules you dont have any meaningful remit to scan for anything.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.