Password Safe and Keepass both come in flavors that run on iPhone and Android, as well as Windows and *nix.

Kurt

On Wed, Oct 8, 2014 at 2:40 PM, James Button <[email protected]> wrote:
> Yup! Nice concepts
> And > 20 chars long - it better be based on a phrase I can remember, or
> I'll have to write it down on something I keep near the system where I
> logon.
> Maybe I can write it as the hint facility
> Special characters - yup - definitely needs writing down
> Ah! I can have the system remember the password and enter it whenever I
> put my id in the userid panel
>
> Hey - I'm the sysprog, and I can't ask someone else to fix my lost
> password for me, and management are not going to be happy if I can't fix
> their forgotten password
>
> Ah! This week's selection of monthly password updates, where's my jotter -
> postit pad - that will do.
>
> The above is based on experience from many years as sysprog and security
> management techy on a site with mainframes, minis, comms, network servers
> and PCs.
>
> And then, having required the consultant's ideas be implemented,
> management wonder why people create back-doors and/or write notes on
> passwords.
>
> At least - for most systems, I was allowed to change the password, so used
> a long phrase I could remember, and just wrote down the formula for
> selecting the characters from the phrase.
>
> Are you sure you will never need to logon either locally, or remotely -
> not even for a restore and update to 'current' status process?
>
> That said, how about limiting logon attempts to 1 a minute - that will
> (hopefully) deal with brute-force attempts.
> If possible email alerts about failed logon attempts (at least 2 userids -
> system manager (techy), their manager, and an 'in-post' id - both bad
> password and not-allowed methods.
>
> You really want to know about access attempts rather than accessed by
> inappropriate persons.
>
> JimB
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
> Sent: Wednesday, October 08, 2014 10:17 PM
> To: [email protected]
> Subject: RE: [NTSysADM] Windows Service account management
>
> Here's what I have so far. Thoughts?
>
> -- Windows Service Account Policy --
> - Passwords must be > 20 characters in length
> - Passwords must be human-unreadable (preferably auto-generated from a
>   password management tool) requiring upper case alpha, lower case alpha,
>   numbers AND special characters
> - [Optional] If there is a service account management tool that can
>   automate password control and changes, this would be used
> - Service accounts will be in a dedicated OU in Active Directory that has
>   inheritance disabled to ensure typical domain-wide policies aren't
>   unintentionally applied
> - Service account GPOs will be applied that restrict the ability for them
>   to be used like a typical human user account. This includes configuring
>   the following:
>   - Disable Interactive logon
>   - Deny log on locally
>   - Deny log on through Terminal Services
>   - Logon restricted to specific machines
>   - Auditing enabled for logon events
>   - Enable alerting for failed logons
>
> -- Windows Service Account Management --
> 1. Collect criteria
>    a. Identify the process or function that requires a service account
>       other than the BuiltIn Windows accounts
>    b. Identify the specific servers that this service account needs
>       access to
>    c. Determine the level of system access needed (run as batch, log on as
>       service, etc.) by the service account
> 2. Create account
>    a. Account name should start with "svc." and be descriptive
>    b. Assign a complex password that meets the requirements listed above
>    c. In the AD properties under the "Account" tab, use the "Log On To"
>       option to specify the servers this account has the ability to log
>       on to
>    d. Description field should contain the application name, process,
>       and/or function
>    e. Place account into the ServiceAccounts OU
>
> Dave
>
>>> On 8 October 2014 21:40, Dave Lum
>>> <[email protected]<mailto:[email protected]>> wrote:
>>>
>>>> I've been tasked to create documentation on creation and management of
>>>> Windows Service accounts, does anyone here have something I can use
>>>> and modify?
>>>>
>>>> TIA,
>>>> Dave
>>>
>>> --
>>> *James Rankin*
>>> ---------------------
>>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
>>> Practice Analyst - Desktop Virtualization
>>> http://appsensebigot.blogspot.co.uk
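
Steps 2a to 2e of the quoted policy draft, as an added PowerShell example that is not part of any message in this thread. The account name, server names, description and OU distinguished name are placeholders assumed for illustration; the password generator is one way to meet the ">20 characters, all four character classes" requirement.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
Import-Module ActiveDirectory

function New-ServiceAccountPassword {
    param([ValidateRange(21, 128)][int]$Length = 32)   # policy: more than 20 chars
    # One set per class the policy requires: upper, lower, digit, special.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz',
               '23456789', '!#$%&*+-=?@_'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Rejection sampling keeps the index uniform (no modulo bias).
    $pick = {
        param([string]$set)
        $limit = 256 - (256 % $set.Length)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $set[$buf[0] % $set.Length]
    }
    try {
        do {
            $pw = -join (1..$Length | ForEach-Object { & $pick $all })
            # Regenerate until every required class is present.
            $ok = $true
            foreach ($c in $classes) {
                if ($pw.IndexOfAny($c.ToCharArray()) -lt 0) { $ok = $false }
            }
        } until ($ok)
    } finally { $rng.Dispose() }
    $pw
}

$plain = New-ServiceAccountPassword
# Record $plain in the password manager before this session ends.

$params = @{
    Name              = 'svc.backupagent'                      # 2a (placeholder name)
    SamAccountName    = 'svc.backupagent'
    AccountPassword   = ConvertTo-SecureString -String $plain -AsPlainText -Force  # 2b
    LogonWorkstations = 'APPSRV01,APPSRV02'                    # 2c "Log On To" (placeholders)
    Description       = 'Backup agent - nightly job service'   # 2d (placeholder)
    Path              = 'OU=ServiceAccounts,DC=example,DC=com' # 2e (placeholder DN)
    Enabled           = $true
}
New-ADUser @params
```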

