Yup! Nice concepts 
And 
20 chars long - it better be based on a phrase I can remember, or I'll have to
write it down on something I keep near the system where I log on.
Maybe I can write it as the hint facility 
Special characters - yup - definitely needs writing down
Ah! I can have the system remember the password and enter it whenever I put my
id in the userid panel

Hey - I'm the sysprog, and I can't ask someone else to fix my lost password for
me, and management are not going to be happy if I can't fix their forgotten
password

Ah! This week's selection of monthly password updates, where's my jotter - post-it
pad - that will do.

The above is based on experience from many years as sysprog and security
management techy on a site with mainframes, minis, comms, network servers and
PCs.

And then, having required the consultant's ideas be implemented, management
wonder why people create back-doors and/or write notes on passwords.

At least - for most systems, I was allowed to change the password, so used a
long phrase I could remember, and just wrote down the formula for selecting the
characters from the phrase.

Are you sure you will never need to log on either locally or remotely - not even
for a restore and update to 'current' status process?

That said, how about limiting logon attempts to 1 a minute - that will
(hopefully) deal with brute-force attempts.
If possible, email alerts about failed logon attempts (to at least 2 userids:
system manager (techy), their manager, and an 'in-post' id) - both bad password
and not-allowed methods.

You really want to know about access attempts rather than accessed by
inappropriate persons.
JimB
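As an added example (not from JimB's message or Dave's document), here is one way to get the failed-logon alerting JimB describes: summarise Security-log event 4625 for service accounts and mail the result to the technical owner, their manager and a role mailbox. It distinguishes "bad password" from "not-allowed method" failures (logon type denied by GPO, or a "Log On To" workstation restriction) using the documented Status/SubStatus codes that event 4625 carries. Assumptions: service accounts use the "svc." prefix from Dave's policy; the SMTP relay and addresses are placeholders.

```powershell
# Added example, not from the thread: alert on failed service-account logons.
# Assumptions (placeholders): "svc." prefix, SMTP relay and recipient addresses.

$ServicePrefix = 'svc.'
$SmtpServer    = 'smtp.example.internal'                      # placeholder
$AlertFrom     = 'logon-alerts@example.internal'               # placeholder
$AlertTo       = 'sysadmin@example.internal',                  # techy
                 'it-manager@example.internal',                # their manager
                 'svc-owner@example.internal'                  # 'in-post' role id

# Event 4625 Status/SubStatus values (documented NTSTATUS codes). Hashtable
# keys are case-insensitive, so the lower-case hex in the event XML matches.
$FailureReasons = @{
    '0xC000006A' = 'bad password'
    '0xC000006D' = 'bad user name or authentication information'
    '0xC000015B' = 'logon type not granted on this host (e.g. interactive/RDP denied by GPO)'
    '0xC0000070' = 'workstation restriction ("Log On To") violated'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
}

function ConvertFrom-FailedLogonEvent {
    # Flatten one 4625 event (as returned by Get-WinEvent) into the fields we alert on.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # SubStatus carries the precise reason when set; Status is the fallback.
        $code = if ($data.SubStatus -and $data.SubStatus -ne '0x0') { $data.SubStatus } else { $data.Status }
        if (-not $code) { $code = 'n/a' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $data.TargetUserName
            Source    = $data.IpAddress
            LogonType = $data.LogonType
            Reason    = if ($FailureReasons.ContainsKey($code)) { $FailureReasons[$code] } else { "unknown ($code)" }
        }
    }
}

function Get-ServiceAccountLogonFailures {
    # Failed logons for svc.* accounts in the look-back window. Both bad-password
    # and "not allowed" (logon type / workstation) failures land in event 4625.
    param([int]$LookbackMinutes = 60)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertFrom-FailedLogonEvent |
        Where-Object { $_.Account -like "$ServicePrefix*" }
}

function Format-LogonFailureSummary {
    # One line per (account, reason) with the attempt count and source addresses seen.
    param([Parameter(Mandatory)] [object[]]$Failures)
    $Failures | Group-Object Account, Reason | ForEach-Object {
        $first   = $_.Group[0]
        $sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
        '{0,-24} {1,3} x {2} from {3}' -f $first.Account, $_.Count, $first.Reason, $sources
    }
}

function Send-ServiceAccountLogonAlert {
    param([Parameter(Mandatory)] [object[]]$Failures)
    $body = "Failed service-account logons on $env:COMPUTERNAME in the last hour:`n`n" +
            ((Format-LogonFailureSummary $Failures) -join "`n")
    Send-MailMessage -From $AlertFrom -To $AlertTo -SmtpServer $SmtpServer `
        -Subject "[ALERT] $($Failures.Count) failed service-account logon(s) on $env:COMPUTERNAME" `
        -Body $body
}

# Usage: run hourly from Task Scheduler on each server (or on the DCs, which see
# the domain-wide account-logon failures).
$failures = @(Get-ServiceAccountLogonFailures -LookbackMinutes 60)
if ($failures.Count -gt 0) {
    $failures | Format-Table Time, Account, Source, LogonType, Reason -AutoSize
    Send-ServiceAccountLogonAlert -Failures $failures
}
```

Event 4625 is only written when failure auditing for the Logon subcategory is on (the "Auditing enabled for logon events" item in Dave's policy), so confirm that with `auditpol /get /subcategory:"Logon"` before relying on the alert.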


-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Dave Lum
Sent: Wednesday, October 08, 2014 10:17 PM
To: [email protected]
Subject: RE: [NTSysADM] Windows Service account management

Here's what I have so far. Thoughts?

-- Windows Service Account Policy --
- Passwords must be > 20 characters in length
- Passwords must be human-unreadable (preferably auto-generated from a
  password management tool) requiring upper case alpha, lower case alpha,
  numbers AND special characters
- [Optional] If there is a service account management tool that can
  automate password control and changes, this would be used
- Service accounts will be in a dedicated OU in Active Directory that has
  inheritance disabled to ensure typical domain-wide policies aren't
  unintentionally applied
- Service account GPOs will be applied that restrict the ability for them
  to be used like a typical human user account. This includes configuring
  the following:
  - Disable interactive logon
  - Deny log on locally
  - Deny log on through Terminal Services
  - Logon restricted to specific machines
  - Auditing enabled for logon events
  - Enable alerting for failed logons

-- Windows Service Account Management --
1. Collect criteria
   a. Identify the process or function that requires a service account other
      than the built-in Windows accounts
   b. Identify the specific servers that this service account needs access to
   c. Determine the level of system access needed (run as batch, log on as
      service, etc.) by the service account
2. Create account
   a. Account name should start with "svc." and be descriptive
   b. Assign a complex password that meets the requirements listed above
   c. In the AD properties under the "Account" tab, use the "Log On To" option
      to specify the servers this account has the ability to log on to
   d. Description field should contain the application name, process, and/or
      function
   e. Place account into the ServiceAccounts OU
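As an added example (not part of Dave's document), the "Create account" steps above carried out with the ActiveDirectory module: a generated password that satisfies the policy's length and four character classes, the "svc." naming rule, the description, the "Log On To" server list (the `-LogonWorkstations` parameter) and the ServiceAccounts OU. The OU distinguished name, server names and the "svc.backup" account are placeholders.

```powershell
# Added example, not Dave's document: provision a service account per the policy.
# Assumptions (placeholders): OU DN, server names and the 'svc.backup' account.

Import-Module ActiveDirectory

function New-ServiceAccountPassword {
    # Random, human-unreadable password containing at least one character from
    # each required class (policy: more than 20 characters).
    param([int]$Length = 32)
    if ($Length -le 20) { throw 'Policy requires passwords longer than 20 characters.' }
    $classes = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{};:,.?'
    )
    $union = @()
    foreach ($c in $classes) { $union += $c }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    function Pick([char[]]$set) {
        # CSPRNG choice; modulo bias is negligible for sets this small.
        $rng.GetBytes($buf)
        $set[[System.BitConverter]::ToUInt32($buf, 0) % $set.Length]
    }
    $chars = @(foreach ($c in $classes) { Pick $c })           # each class at least once
    for ($i = $chars.Count; $i -lt $Length; $i++) { $chars += Pick $union }
    # Shuffle so the guaranteed characters are not always the first four.
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [System.BitConverter]::ToUInt32($buf, 0) })
}

function Test-ServiceAccountPassword {
    # Policy check: > 20 chars with upper, lower, digit and special all present.
    param([Parameter(Mandatory)][string]$Password)
    return ($Password.Length -gt 20) -and ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and ($Password -match '\d') -and
           ($Password -match '[^A-Za-z0-9]')
}

function New-ServiceAccount {
    param(
        [Parameter(Mandatory)][ValidatePattern('^svc\.')][string]$Name,  # "svc." prefix, descriptive
        [Parameter(Mandatory)][string]$Description,                       # application, process and/or function
        [Parameter(Mandatory)][string[]]$AllowedServers,                  # fills the "Log On To" list
        [string]$OU = 'OU=ServiceAccounts,DC=example,DC=internal'         # placeholder DN
    )
    if ($Name.Length -gt 20) { throw 'sAMAccountName is limited to 20 characters.' }
    $plain = New-ServiceAccountPassword -Length 32
    if (-not (Test-ServiceAccountPassword $plain)) { throw 'Generated password failed the policy check.' }
    New-ADUser -Name $Name -SamAccountName $Name `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Description $Description `
        -Path $OU `
        -LogonWorkstations ($AllowedServers -join ',') `
        -Enabled $true
    # Hand $plain to the password-management tool (step b) and nothing else;
    # never write it to a log or a ticket.
    Remove-Variable plain
}

# Usage (creates an object in AD; adjust the placeholders first):
New-ServiceAccount -Name 'svc.backup' -Description 'Nightly SQL backup job' -AllowedServers 'SQL01', 'BACKUP01'
```

The "Deny log on locally" / "Deny log on through Terminal Services" items are user-rights assignments in the GPO linked to the ServiceAccounts OU rather than properties of the account, so they are not set here; `Get-ADUser svc.backup -Properties LogonWorkstations` confirms the "Log On To" list took effect.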

Dave

>>
>> On 8 October 2014 21:40, Dave Lum
>> <[email protected]<mailto:[email protected]>> wrote:
>>
>>> I've been tasked to create documentation on creation and management of
>>> Windows Service accounts, does anyone here have something I can use
>>> and
>>> modify?
>>>
>>> TIA,
>>> Dave
>>>
>>
>>
>> --
>> *James Rankin*
>> ---------------------
>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
>> Practice Analyst - Desktop Virtualization
>> http://appsensebigot.blogspot.co.uk