Solved

non expiring passwords

Posted on 2013-12-02
257 Views
Last Modified: 2013-12-17
Can you give some examples of the types of accounts that you typically exempt from domain password expiry policies - with reasons why making them change password every XYZ days is not practical.
Question by:pma111
8 Comments
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 84 total points
ID: 39689495
Mostly accounts for senior officers that have the power to fire you and are annoyed to have to change their password that they use on *all* the sites.

Reason why it's not practical: self-preservation :)
 
LVL 3

Assisted Solution

by:cristiantm
cristiantm earned 84 total points
ID: 39689529
I'm not a big fan of requiring people to change their passwords frequently at all. The biggest reason is that if people need to always remember a new password, they will probably want to make it easier to remember, and that probably means it will be weak. It's OK to make some effort to remember a complex password that you will be using for a long time, but it is very annoying if, when you finally manage to memorize it, it needs to be changed.

If you need strong password protection, maybe you should be thinking about alternatives (2nd factor, authentication tokens, etc.). Maybe enforce stronger passwords + some training (tips on how to create a strong password that is also easy to remember), suggest password managers, and so on. I would suggest the other way around: start to think about why and where you NEED password expiration, where you do not have better options, and so on.

If security becomes intrusive and annoying, it will sooner or later become insecurity. It should be as transparent as possible.
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 83 total points
ID: 39689574
Passwords used for service accounts (accounts used to run services and/or batch processes) are normally exempted, since if the password expired the services/batch jobs would fail. It would be tedious in the extreme to edit all the services/jobs to change the password in such cases.
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 83 total points
ID: 39689724
Basically I don't. We are under government regulations that require every user to have a unique user ID and a password that expires every so often. Ours expire every 90 days. This policy is enforced from the CEO on down.

Having said that, we do have a few accounts with non-expiring passwords. These fall into two groups. One would be IDs that are shared by several people as email repositories for automated processes. These accounts have no access to protected data and cannot send out emails. The other one occurs when in the past we have brought on new companies and their users need access to certain resources we have but have no direct access to the network in order to change their passwords. These accounts are set up with non-expiring passwords, but as soon as the transition to our company is complete, those are changed to expiring passwords.
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 39690551
Here you have to balance your environment's security against minimising your effort.
What I would recommend is that you may exclude service accounts or generic accounts in use, if any. Apart from that, users should be required to change their password every 90 days with a password history of 4-5 remembered, and Domain Admin and Enterprise Admin passwords should be changed once every 30 days with a password history of 10, as these are sensitive accounts.
 
LVL 70

Expert Comment

by:KCTS
ID: 39690649
Just to add a bit more to my comments on service accounts, it's also worth mentioning that with Server 2008 and later you have a new type of account called 'Managed Service Accounts', where the passwords are managed automatically; see http://technet.microsoft.com/en-us/library/dd367859(v=ws.10).aspx
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 83 total points
ID: 39692274
In addition, you can deploy a different password policy for top-level management using Fine-Grained Password Policies: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are certain APPLICATIONS, SERVICES, SCRIPTS, GROUP POLICY (e.g. a drive mapped with credentials), etc. which are normally excluded from the password expiry policy. If the password is changed and this is not taken care of, it can lead to account lockout.
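As an added example (not code from any answer in this thread), the split sarang_tinguria recommends above (30 days / history 10 for Domain and Enterprise Admins, 90 days / history 5 for everyone else) applied with the Fine-Grained Password Policies Sandeshdubey links, followed by an audit of the accounts that remain exempt. The PSO names, the lockout and length thresholds, and the use of the built-in group names are assumptions; it needs the ActiveDirectory module and a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example: two Password Settings Objects (PSOs) plus an audit of
# PasswordNeverExpires accounts. PSO names, length and lockout values are
# assumed placeholders; only the ages and history counts come from the thread.
Import-Module ActiveDirectory

# 30-day rotation, 10 passwords remembered, for the sensitive admin groups.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 10 -MinPasswordLength 15 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' `
    -Subjects 'Domain Admins', 'Enterprise Admins'

# 90-day rotation, 5 remembered, for ordinary users. The lower precedence
# number wins, so an admin who is also in Domain Users keeps the strict PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-StandardUsers' -Precedence 100 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 5 -MinPasswordLength 10 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-StandardUsers' -Subjects 'Domain Users'

# Audit: every enabled account still flagged PasswordNeverExpires, with the
# evidence needed to judge the exemption (an SPN suggests a real service
# account; membership in an admin group means it should not be exempt at all).
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName, MemberOf, Description |
  Select-Object SamAccountName,
      @{n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { 'never' } } },
      @{n = 'HasSPN';          e = { $_.ServicePrincipalName.Count -gt 0 } },
      @{n = 'Privileged';      e = { [bool]($_.MemberOf -match 'CN=(Domain|Enterprise) Admins,') } },
      Description |
  Sort-Object Privileged, PasswordAgeDays -Descending |
  Format-Table -AutoSize
```

Run the audit part alone first; it is read-only, whereas the two New-ADFineGrainedPasswordPolicy calls change the domain and need Domain Admin rights.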
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 83 total points
ID: 39694133
Joining in to comment on the "senior-officers-thought".
The more important staff usually have access to enterprise-critical data. These accounts should not be handled less strictly, come on. "They are able to fire you" *shiver*.... ;)

The question should not be why some here typically use non-expiring pw accounts, it should be why people typically don't.

Let's start with the asker :) pma111, why are you asking, what would you achieve by starting to use accounts whose passwords don't expire?
For reasons given before, service accounts/task accounts don't need non-expiring passwords any more.