| Subject: | Re: password policy with regard to application userid |
|---|---|
| Date: | Thu, 31 May 2007 10:13:16 -0700 |
It depends on the application, and the level of privileges that the account has and also the auditing of the account usage.
If you are regularly auditing the account, and it only has user-level privileges, then a once-a-year password change should suffice.
One other thing to check is how the application is using the account. As long as the application is Kerberos-enabled, and is NOT transmitting the username/password on the network, then you don't need to worry about somebody sniffing out the password.
For example, ADSI calls from IIS do not transmit the username/password over the network, so using an account with more privileges to run a web application is not a serious risk.
saqib http://www.full-disk-encryption.net
On 31 May 2007 07:30:01 -0000, u.bodalina@gmail.com <u.bodalina@gmail.com> wrote:
What would be a reasonable password policy with regard to userids used in applications?
For example, Business Objects needs a system-level userid to integrate with Active Directory. What would the security implications be if this userid's password wasn't changed?
Standard users follow a policy in which they have to change their password every two months.
Thanks
-- Saqib Ali, CISSP, ISSAP http://www.full-disk-encryption.net