Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Service Account Pswd Mgt

from [Derick Anderson] Network Security [Permanent Link]
Subject: RE: Service Account Pswd Mgt
Date: Fri, 6 Jan 2006 08:19:34 -0500 
 


-----Original Message-----
From: kathy.kirk@prudential.com [mailto:kathy.kirk@prudential.com] 
Sent: Thursday, January 05, 2006 4:50 PM
To: security-management@securityfocus.com
Subject: Service Account Pswd Mgt

I've been asked how managing service accounts works in other 
organizations.
What is your policy for changing Service Account passwords? 
Is it based on
an event (e.g., administrator leaves the company) and or a 
time requirement
(e.g., every 90 days). If your organization does change 
Service Account
passwords, is it consistent across the organization? How do 
you enforce
your policy?

By Service Account, I'm referring to system IDs used to 
perform backups,
automate FTPs, run applications, jobs, scripts, etc.

thanks,
kathy


Our policy for creating service account passwords is at least 12
randomly selected characters, requiring lowercase, uppercase, numbers,
and characters. We are a small company, and in general only system
administrators know service account passwords. Because of this, our
policy is to change them when someone who knows what they are leaves or
there is the possibility that one has been disclosed (however that may
be determined).

With service accounts there is really no reason why the password can't
be extremely strong, since regular users don't need to use them. Strong
passwords negate the need for frequent changing, unless they are passed
about or stored in clear text or something like that. And as always,
<generic disclaimer> your policy should reflect the amount of risk
involved in having that service compromised. </generic disclaimer>

Derick Anderson
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  38a-1 Compliance Management, Brad Bemis
Next by Date:  RE: Service Account Pswd Mgt, Glen Baker
Previous by Thread:  RE: Service Account Pswd Mgt, Alex Bermudez
Next by Thread:  Re: Service Account Pswd Mgt, Fred Cohen
Indexes:  [Date] [Thread] [Top] [All Lists]