?
Solved

Non-expiring passwords policy

Posted on 2013-01-29
5
Medium Priority
?
476 Views
Last Modified: 2013-02-13
We performed an audit of our active directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn’t (or couldn’t be justified).

Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the password never expires checkbox was taken off). It would appear before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don’t believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say non expiring passwords aren’t given out as they used to be, we’ve cleaned our act up in this area. Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, how does it work? Or do rules on exemptions in AD fall into a specific document/policy, if so which?

Flaky evidence such as “we don’t create accounts with non expiring passwords anymore” doesn’t fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 12

Accepted Solution

by:
kadafitcd earned 750 total points
ID: 38831465
Make a Code of Conduct including that and put it on paper and sign it.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 750 total points
ID: 38832942
My advice: employ admins that can be trusted - that's all.
Who as a good and security-aware admin would change these defaults to non-expiring? It's one of the most stupid decisions one could possibly make.
0
 
LVL 3

Author Comment

by:pma111
ID: 38834926
I agree but Im not sure employing a common sense admin is really a control. I just wondered if people document rules about non expiring passwords, where there are genuine reasons for an exemption, and if you do what document these rules fall into. Ive never heard of a non expiring password policy but somewhere I would imagine exemptions must need to be formally documented somewhere
0
 
LVL 56

Expert Comment

by:McKnife
ID: 38835062
If somehow the requirement came up, I would set a very long password, and see that that user will not be able to change it to something less complex. Documenting this? Well, what for? Who (constantly) reads these documents and what consequences would this knowledge have?
To me, it seems, a better plan would be to scan all accounts on a regular basis for this setting (simply execute MBSA on your DC) and have someone look at the scan results.
0
 
LVL 3

Author Comment

by:pma111
ID: 38835115
By documenting I was more getting to documenting the actual policy and rule.

i.e. if you look at software installation, you would probably have a software policy that dictates who can install software etc. And thats a documented rule, as opposed to just doing a scan to see who has installed software and whether they were allowed to do so.

I think documented rules and policies are the first step and then scanning to ensure compliance is a secondary thing. But without documented rules you dont have any meaningful remit to scan for anything.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month9 days, 13 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question