Solved

non expiring passwords

Posted on 2013-12-02
Last Modified: 2013-12-17
Can you give some examples of the types of accounts that you typically exempt from domain password expiry policies - with reasons why making them change password every XYZ days is not practical.
Question by:pma111
8 Comments
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 84 total points
ID: 39689495
Mostly accounts for senior officers that have the power to fire you and are annoyed to have to change their password that they use on *all* the sites.

Reason why it's not practical: self-preservation :)
0
 
LVL 3

Assisted Solution

by:cristiantm
cristiantm earned 84 total points
ID: 39689529
I'm not a big fan of requiring people to change their passwords frequently at all. The biggest reason is that if people need to always remember a new password, they will probably want to make it easier to remember, and that probably means it will be weak. It's ok to make some effort to remember a complex password that you will be using for a long time, but it is very annoying if, when you finally manage to memorize it, it needs to be changed.

If you need strong password protection, maybe you should be thinking about alternatives (2nd factor, authentication tokens, etc.). Maybe enforce stronger passwords + some training (tips on how to create a strong password that is also easy to remember), suggest password managers, and so on. I would suggest the other way around: start to think about why and where you NEED password expiration, where you do not have better options, and so on.

If security becomes intrusive and annoying, it will sooner or later become insecurity. It should be as transparent as possible.
0
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 83 total points
ID: 39689574
Passwords used for service accounts (accounts used to run services and/or batch processes) are normally exempted, since if these expired the services/batch jobs would fail. It would be tedious in the extreme to edit all the services/jobs to change the password in such cases.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 83 total points
ID: 39689724
Basically I don't. We are under government regulations that require every user to have a unique user ID and a password that expires every so often. Ours expire every 90 days. This policy is enforced from the CEO on down.

Having said that, we do have a few accounts with non-expiring passwords. These fall into two groups. One would be IDs that are shared by several people as email repositories for automated processes. These accounts have no access to protected data and cannot send out emails. The other one occurs when in the past we have brought on new companies and their users need access to certain resources we have, but have no direct access to the network in order to change their passwords. These accounts are set up with non-expiring passwords, but as soon as the transition to our company is complete, those are changed to expiring passwords.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 39690551
Here you have to balance your environment's security against minimising your efforts.
What I would recommend is that you may exclude service accounts or generic accounts being used, if any. Apart from that, users should be required to change their password every 90 days with a password history of 4-5 remembered, and Domain Admins and Enterprise Admins should be changed once every 30 days with a password history of 10, as these are sensitive accounts.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39690649
Just to add a bit more to my comments on service accounts: it's also worth mentioning that with Server 2008 and later you have a new type of account called 'Managed Service Accounts',
where the passwords are managed automatically. See http://technet.microsoft.com/en-us/library/dd367859(v=ws.10).aspx
0
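An added example (not code from the thread or from Microsoft's documentation) showing what the managed service account route looks like in practice, so the service password rotates automatically instead of the account being exempted from expiry. It uses the group managed variant, which needs Windows Server 2012 domain controllers and the ActiveDirectory PowerShell module; the account name svc-Batch, the host APP01, the group gMSA-AppServers and the DNS suffix corp.example are placeholders.

```powershell
# Added example: replace a "password never expires" service account with a gMSA.
# Placeholders: svc-Batch, APP01, gMSA-AppServers, corp.example.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still needs ~10 hours to replicate in a multi-DC forest.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only computers in this group may retrieve the password; nobody else can read it.
New-ADGroup -Name 'gMSA-AppServers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-AppServers' -Members 'APP01$'

# The account itself. The DC rotates its password on the interval given here
# (30 days is also the default), so no human ever knows or changes it.
New-ADServiceAccount -Name 'svc-Batch' `
    -DNSHostName 'svc-Batch.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-AppServers' `
    -ManagedPasswordIntervalInDays 30

# Run on APP01 after a reboot (so its Kerberos ticket carries the new group):
Install-ADServiceAccount -Identity 'svc-Batch'
Test-ADServiceAccount -Identity 'svc-Batch'   # True once the host can fetch the password

# Verify from the DC: the rotation interval is set and the human-style exemption is not.
Get-ADServiceAccount -Identity 'svc-Batch' -Properties PasswordNeverExpires, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PasswordNeverExpires, 'msDS-ManagedPasswordInterval'
```

The service or scheduled task is then configured to log on as CORP\svc-Batch$ with an empty password field; Windows fetches the current password from the DC, which is the tedious "edit every service after each change" step mentioned earlier done for you.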
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 83 total points
ID: 39692274
In addition, you can deploy a different password policy for top-level management using Fine-Grained Password Policies: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are certain applications, services, scripts, Group Policy settings (e.g. a drive mapped with credentials), etc. which are normally excluded from the password expiry policy. If the password is changed and this is not taken care of, it can lead to account lockout.
0
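An added example (not code from the thread) that ties the two suggestions above together: the 90-day / 30-day tiering Sarang Tinguria recommends, implemented with the Fine-Grained Password Policies Sandeshdubey links to, so ordinary users and privileged admins get different expiry and history settings without exempting anyone. It assumes a domain functional level of Windows Server 2008 or later, the ActiveDirectory PowerShell module, and that the PSO names and the test user jdoe are placeholders; the built-in group names are real.

```powershell
# Added example: two password settings objects (PSOs) implementing the tiering above.
# Placeholders: PSO-StandardUsers, PSO-PrivilegedAdmins, jdoe.
Import-Module ActiveDirectory

# Ordinary users: 90-day maximum age, 5 passwords remembered.
New-ADFineGrainedPasswordPolicy -Name 'PSO-StandardUsers' -Precedence 100 `
    -MinPasswordLength 12 -ComplexityEnabled $true `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 5 `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

# Privileged admins: 30-day maximum age, 10 passwords remembered.
# A LOWER precedence number wins when an account is covered by several PSOs,
# so an admin who is also a member of Domain Users gets this stricter policy.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 16 -ComplexityEnabled $true `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 10 `
    -LockoutThreshold 5 -LockoutDuration '01:00:00' -LockoutObservationWindow '01:00:00'

# PSOs apply to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-StandardUsers'    -Subjects 'Domain Users'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins', 'Enterprise Admins'

# Check which policy actually wins for a given account before relying on it.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MaxPasswordAge, PasswordHistoryCount
```

The resultant-policy check is worth running for a few accounts in each tier: an account with no PSO falls back to the Default Domain Policy, and a wrongly ordered precedence silently gives an admin the looser of the two settings.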
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 83 total points
ID: 39694133
Joining in to comment on the "senior-officers-thought".
The more important staff usually has access to enterprise-critical data. These accounts should not be handled less strictly, come on. "they are able to fire you" *shiver*.... ;)

The question should not be why some here typically use non-expiring pw accounts, it should be why people typically don't.

Let's start with the asker :) pma111, why are you asking, what would you achieve by starting to use accounts whose passwords don't expire?
For reasons given before, service accounts/task accounts don't need non-expiring passwords any more.
0
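An added audit script (not code from the thread) for the question McKnife turns around: rather than deciding which accounts to exempt, list every enabled account that is already exempt and flag the ones that hold privileged group membership, which is exactly the combination he objects to. It assumes the ActiveDirectory PowerShell module; the group names are the built-ins and the output path is a placeholder.

```powershell
# Added example: find "password never expires" accounts and flag the privileged ones.
# Placeholder: the output path C:\Audit\never-expires.csv.
Import-Module ActiveDirectory

$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'

Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties MemberOf, PasswordLastSet, Description
        # MemberOf holds distinguished names; resolve them to group names.
        # Direct membership only: nested membership is not expanded here.
        $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        [pscustomobject]@{
            Account         = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            Privileged      = [bool]($groups | Where-Object { $privileged -contains $_ })
            Groups          = ($groups -join ';')
            Description     = $u.Description
        }
    } |
    Sort-Object Privileged, PasswordLastSet -Descending |
    Export-Csv -Path 'C:\Audit\never-expires.csv' -NoTypeInformation
```

Anything that comes out with Privileged = True and an old PasswordLastSet is the first candidate to move onto a fine-grained policy or, for service accounts, onto a managed service account; the rest of the list is the documented set of exemptions and the reason each one exists belongs in its Description.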
