RE: Service Account Pswd Mgt

Subject: RE: Service Account Pswd Mgt
Date: Mon, 9 Jan 2006 09:23:17 +0100
Gabrielle,

Our operations have the "password change cycle" scheduled in our Change
Management tool. It's simply a part of the maintenance cycle. But simply
using an entry in an Outlook calendar works as well. On the rare occasion that
a system account is forgotten, this is seen by the operators due to an error
entry in the system log files.

Regarding the 45 day period, this comes from a number of government
contracts. Some governments simply follow local standards and as a service
provider, we have to comply. To prevent complete chaos (imagine what would
happen if you used a different scheme for every customer), we chose the
most challenging contract that still fits our 90 days policy. For us this is
a contract with 45 days. However, if we get a customer that needs a, let's
say, 40 day period, we would go back to 30 days, simply to keep in step with
the 90 days.

Regards,

Koos Varkevisser, CISSP, ISSMP  |  Information Security Officer  |  GOIS/MSC Amsterdam
Unisys  |  Tupolevlaan 1  |  1119NW Schiphol-rijk  |  +31 20 5263947

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.         
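The failure mode Gabrielle raises (a service account whose password has expired by the time the box is rebooted in a patch window) and the scheduled change cycle Koos answers with can be checked mechanically. The following is an added example, not code from either poster: given a constructed account inventory and the 45 day service / 90 day user lifetimes quoted in the thread, it lists the service accounts that are already expired or will expire before the next planned reboot. The account names, dates and the `reboot_risk_report` helper are all assumptions.

```python
"""Added example: flag service accounts whose password expires before the
next scheduled reboot. Policy values (45/90 days) come from the thread;
the account inventory below is constructed sample data."""
from datetime import date, timedelta

# Lifetimes quoted in the thread: 45 days for service/sysadmin accounts,
# 90 days for ordinary user accounts.
MAX_AGE_DAYS = {"service": 45, "user": 90}

# Constructed sample inventory: (account, kind, date of last password change).
ACCOUNTS = [
    ("svc_backup", "service", date(2005, 11, 20)),
    ("svc_ftp",    "service", date(2005, 12, 28)),
    ("svc_batch",  "service", date(2005, 12, 1)),
    ("jsmith",     "user",    date(2005, 10, 15)),
]


def expiry_date(kind, last_changed):
    """Date from which the password no longer works under the policy."""
    return last_changed + timedelta(days=MAX_AGE_DAYS[kind])


def at_risk_before_reboot(accounts, today, reboot_day):
    """Service accounts already expired or expiring on/before reboot_day.

    Interactive users are skipped: they get an expiry prompt at logon,
    a service does not, so only service accounts can cause the silent
    self-inflicted outage described in the thread. Most urgent first.
    """
    hits = []
    for name, kind, changed in accounts:
        if kind != "service":
            continue
        exp = expiry_date(kind, changed)
        if exp <= reboot_day:
            status = "EXPIRED" if exp <= today else "expires before reboot"
            hits.append((name, kind, exp.isoformat(), status))
    return sorted(hits, key=lambda h: h[2])


def reboot_risk_report(today_iso, reboot_iso, accounts=ACCOUNTS):
    """Same check driven by ISO date strings, e.g. from a change ticket."""
    return at_risk_before_reboot(accounts, date.fromisoformat(today_iso),
                                 date.fromisoformat(reboot_iso))


if __name__ == "__main__":
    # Reply date of this message, with a patch window one week out.
    for row in reboot_risk_report("2006-01-09", "2006-01-16"):
        print(*row)
```

Run it against the real inventory before each maintenance window and rotate whatever it lists first; the accounts it reports are the ones whose loss would otherwise first show up as Koos's error entries in the system logs after the reboot.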


-----Original Message-----
From: Dowling, Gabrielle [mailto:dowlingg@sullcrom.com] 
Sent: Monday 9 January 2006 5:36
To: Varkevisser, Koos; kathy.kirk@prudential.com;
security-management@securityfocus.com
Subject: RE: Service Account Pswd Mgt

Koos....

I have one comment...  If you set a system password to expire after x days,
you don't really get a notification of such expiration as you would with a
normal user login, and you can DoS yourself if you reboot such a system
(within, say, a normal patching cycle) if the password has expired and has
not been changed before the reboot.  How do you handle that?

I'm also wondering where you come up with your 45 day cycle for system
accounts as opposed to 90 for end users?  While clearly they're more
important, they're also much more (hopefully) closely held?

G

-----Original Message-----
From: Varkevisser, Koos [mailto:koos.varkevisser@nl.unisys.com]
Sent: Friday, January 06, 2006 7:43 AM
To: kathy.kirk@prudential.com; security-management@securityfocus.com
Subject: RE: Service Account Pswd Mgt


Kathy,

Defining a policy is not the hardest thing. Basically it depends on the
size of the organization, its culture, risks and asset values. A common
standard, 8 digit strong passwords with a 90 day validity for user
accounts, will survive any audit below "National Security". 12 digit
strong pw's for sysadmin accounts with a lifetime of 45 days are also
considered sufficient. Enforcing this is not a problem anymore either.
Simply set the system's password lifecycle accordingly.
The real problem lies in the fact that the average person has 20
userid/password combinations to remember, including PIN numbers and
private (mail etc.) accounts. Changing accounts often will impose a
security risk rather than removing one.

There is plenty to find regarding solving that issue as well, but it for
sure is more work. Think: single sign-on solutions such as RADIUS and
ACE. Password phrases instead of passwords ("no more password changes
this month please" becomes "nmpctmp" or, even better, "NmpCtmP"). Use 4
for a and 3 for e, things like that.

Hope this helps.

Regards,

Koos Varkevisser, CISSP, ISSMP  |  Information Security Officer  |  GOIS/MSC Amsterdam
Unisys  |  Tupolevlaan 1  |  1119NW Schiphol-rijk  |  +31 20 5263947



-----Original Message-----
From: kathy.kirk@prudential.com [mailto:kathy.kirk@prudential.com] 
Sent: Thursday 5 January 2006 22:50
To: security-management@securityfocus.com
Subject: Service Account Pswd Mgt

I've been asked how managing service accounts works in other
organizations. What is your policy for changing Service Account
passwords? Is it based on an event (e.g., administrator leaves the
company) and/or a time requirement (e.g., every 90 days)? If your
organization does change Service Account passwords, is it consistent
across the organization? How do you enforce your policy?

By Service Account, I'm referring to system IDs used to perform backups,
automate FTPs, run applications, jobs, scripts, etc.

thanks,
kathy


-----------------------------------------
This e-mail is sent by a law firm and contains information that may
be privileged and confidential. If you are not the intended
recipient, please delete the e-mail and notify us immediately.
