Network Security Security-Management

RE: Service Account Pswd Mgt

Subject: RE: Service Account Pswd Mgt
Date: Sun, 8 Jan 2006 23:35:49 -0500
Koos....

I have one comment...  If you set a system password to expire after x
days, you don't really get a notification of such expiration as you
would with a normal user login, and you can DoS yourself if you reboot
such a system (within, say, a normal patching cycle) if the password has
expired and has not been changed before the reboot.  How do you handle
that?

I'm also wondering where you come up with your 45 day cycle for system
accounts as opposed to 90 for end users?  While clearly they're more
important, they're also much more (hopefully) closely held?

G
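The reboot case raised above (a service account whose password silently expires before the next patching reboot) can be caught ahead of time with an expiry audit. The script below is an added example, not code from anyone in this thread; it uses the 90-day user and 45-day system lifetimes mentioned in the discussion and a constructed list of accounts.

```python
# Added example: flag system/service accounts whose password will be expired
# by a planned reboot, so they are rotated first instead of failing to start.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    name: str
    kind: str       # "user" or "system" (service / sysadmin account)
    last_set: date  # when the password was last changed

# Lifetimes quoted in the thread: 90 days for users, 45 for system accounts.
MAX_AGE_DAYS = {"user": 90, "system": 45}

def expiry_date(acct: Account) -> date:
    """Date on which the platform will expire this account's password."""
    return acct.last_set + timedelta(days=MAX_AGE_DAYS[acct.kind])

def accounts_at_risk(accounts, today: date, reboot_on: date):
    """Return (name, expiry, status) for unattended accounts that are already
    expired or will expire on or before the planned reboot. Interactive users
    are skipped: they see the expiry prompt at login and can act on it."""
    findings = []
    for acct in accounts:
        if acct.kind != "system":
            continue
        expiry = expiry_date(acct)
        if expiry < today:
            findings.append((acct.name, expiry, "expired"))
        elif expiry <= reboot_on:
            findings.append((acct.name, expiry, "rotate-before-reboot"))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample inventory (dates chosen around the thread's own dates).
SAMPLE_ACCOUNTS = [
    Account("svc_backup", "system", date(2005, 12, 1)),
    Account("svc_ftp", "system", date(2005, 11, 10)),
    Account("svc_app", "system", date(2006, 1, 2)),
    Account("kkirk", "user", date(2005, 10, 15)),
]

if __name__ == "__main__":
    for name, expiry, status in accounts_at_risk(
        SAMPLE_ACCOUNTS, today=date(2006, 1, 8), reboot_on=date(2006, 1, 20)
    ):
        print(f"{name}: password expires {expiry} -> {status}")
```

Run it from a scheduled job a week before each patch window and treat any "expired" line as an incident, since that service is already one reboot away from an outage.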

-----Original Message-----
From: Varkevisser, Koos [mailto:koos.varkevisser@nl.unisys.com] 
Sent: Friday, January 06, 2006 7:43 AM
To: kathy.kirk@prudential.com; security-management@securityfocus.com
Subject: RE: Service Account Pswd Mgt


Kathy,

Defining a policy is not the hardest thing. Basically depending on the
size of the organization, its culture, risks and asset values. A common
standard is 8 digit strong passwords with a 90 days validity for user
accounts will survive any audit below "National Security". 12 digit
strong pw's for sysadmin accounts with a lifetime of 45 days also is
considered sufficient. Enforcing this is not a problem anymore as well.
Simply set the systems password lifecycle accordingly.
The real problem lies in the fact that the average person has 20!
Userid/password combinations to remember, including pin numbers and
private (mail etc.) accounts. Changing accounts often will impose a
security risk rather than removing one.

There is plenty to find regarding solving that issue as well, but it for
sure is more work. Think: Single sign-on solutions such as radius and
ACE. Password phrases instead of passwords ("no more password changes
this month please" becomes "nmpctmp" or, even better "NmpCtmP"). Use 4
for a and 3 for e, things like that.

Hope this helps.

Regards,

Koos Varkevisser, CISSP, ISSMP  |  Information Security Officer  |  GOIS/MSC
Amsterdam
Unisys  |  Tupolevlaan 1  |  1119NW Schiphol-rijk  |  +31 20 5263947


-----Original Message-----
From: kathy.kirk@prudential.com [mailto:kathy.kirk@prudential.com] 
Sent: Thursday 5 January 2006 22:50
To: security-management@securityfocus.com
Subject: Service Account Pswd Mgt

I've been asked how managing service accounts works in other
organizations. What is your policy for changing Service Account
passwords? Is it based on an event (e.g., administrator leaves the
company) and/or a time requirement (e.g., every 90 days)? If your
organization does change Service Account passwords, is it consistent
across the organization? How do you enforce your policy?

By Service Account, I'm referring to system IDs used to perform backups,
automate FTPs, run applications, jobs, scripts, etc.

thanks,
kathy
