Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: password policy with regard to application userid

from [krymson] Network Security [Permanent Link]
Subject: Re: password policy with regard to application userid
Date: 31 May 2007 18:32:41 -0000 
Here are some points.

0) You need to ask who all needs access to this account? Or is this buried in a 
config file (like the machine or web.configs) that only really needs to be set 
once and otherwise the password is known/accessible just to your and your team? 
Find out the scope. If too many people have it and the account has huge 
access...you want to rotate it regularly. Also, make sure you know if this 
account/application is subject to more stringent requirements for PCI or other 
regulations...that may just outright dictate your policy.

I will assume this is just a buried service password that no one really needs 
to know and is otherwise set once and can be forgotten (potentially) for an 
application that is not otherwise governed by extenuating regulations.

1) If nothing else, document the existence of the access somewhere. That way in 
2 years when something changes and breaks this, you know what was there, blah 
blah blah.

2) Give it a 16+ character alphanumeric/symbols password. You don't need to 
remember this if it is a service account, so complex is not an issue. Go as 
complex as you can.

3) You don't necessarily NEED to change all service accounts every 60 days or 
so, but it is nice to shoot for every 6 months or year or something. I think 
most shops tend to set this very complex, protect who sees the account, and 
then rarely (if ever) changes them. It can be a real pain in the ass and really 
affect application availability if you change passwords every 60 days. Keep the 
pain of changes in mind.

4) Make sure the account only has privileges to do what it needs to do and 
connect what it needs to connect to, and nothing else. This way if it does 
become disclosed or someone can see the password, the account is very limited 
in use. This probably means not making it a Domain User and instead really 
stripping it down. This is an art and can be very painful for shops whose 
developers are not used to this.

That framework should get you started, plus anything else others can add.



<- snip ->
What would be a reasonable password policy with regard to userids used in 
applications?

For example Business Objects needs a system level userid to intergrate with 
active directory. What would the security implications be if this userid's 
password wasn't changed?

Standard users follow a policy in which they have to change their password 
every two months.

Thanks
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Brute force attacks, Manuel Arostegui Ramirez
Next by Date:  multiple dmz traffice passing through single nic, rajiv_dadu
Previous by Thread:  Re: password policy with regard to application userid, Ali, Saqib
Next by Thread:  Brute force attacks, Mohamad Mneimneh
Indexes:  [Date] [Thread] [Top] [All Lists]