KeePass does not appear to have a version to work on Windows RT or phones YET.
I hope they do eventually get there though.
Jon
> Date: Wed, 8 Oct 2014 15:00:41 -0700
> Subject: Re: [NTSysADM] Windows Service account management
> From: [email protected]
> To: [email protected]
>
> Password Safe and Keepass both come in flavors that run on iPhone and
> Android, as well as Windows and *nix.
>
> Kurt
>
> On Wed, Oct 8, 2014 at 2:40 PM, James Button
> <[email protected]> wrote:
> > Yup! Nice concepts
> > And
> > 20 chars long - it better be based on a phrase I can remember, or I'll have
> > to
> > write it down on something I keep near the system where I logon.
> > Maybe I can write it as the hint facility
> > Special characters - yup - definitely needs writing down
> > Ah! I can have the system remember the password and enter it whenever I put
> > my
> > id in the userid panel
> >
> > Hey - I'm the sysprog, and I can't ask someone else to fix my lost password
> > for
> > me, and management are not going to be happy if I can't fix their forgotten
> > password
> >
> > Ah! This weeks selection of monthly password updates, where's my jotter -
> > postit
> > pad - that will do.
> >
> > The above is based on experience from many years as sysprog and security
> > management techy on a site with mainframes, mini's, comms, network servers
> > and
> > PC's.
> >
> > And then, having required the consultant's ideas be implemented, management
> > wonder why people create back-doors and/or write notes on passwords.
> >
> > At least - for most systems, I was allowed to change the password, so used a
> > long phrase I could remember, and just wrote down the formula for selecting
> > the
> > characters from the phrase.
> >
> > Are you sure you will never need to logon either locally, or remotely - not
> > even
> > for a restore and update to 'current' status process.
> >
> > That said, how about limiting logon attempts to 1 a minute - that will
> > (hopefully) deal with brute-force attempts.
> > If possible email alerts about failed logon attempts (at least 2 userid's -
> > system manager (techy), their manager, and a 'in-post' id - both bad
> > password
> > and not-allowed methods.
> >
> > You really want to know about access attempts rather than accessed by
> > inappropriate persons.
> >
> >
> > JimB
> >
> >
> > ----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On
> > Behalf Of Dave Lum
> > Sent: Wednesday, October 08, 2014 10:17 PM
> > To: [email protected]
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> > Here's what I have so far. Thoughts?
> >
> > -- Windows Service Account Policy --
> > .Passwords must be > 20 characters in length
> > .Passwords must be human-unreadable (preferably auto-generated from a
> > password management tool) requiring upper case alpha, lower case alpha,
> > numbers AND special characters
> > .[Optional] If there is a service account management tool that can
> > automate password control and changes, this would be used
> > .Service accounts will be in a dedicated OU in Active Directory that has
> > inheritance disabled to ensure typical domain-wide policies aren't
> > unintentionally applied
> > .Service account GPO's will be applied that restrict the ability for them
> > to be used like a typical human user account. This includes configuring
> > the following:
> > .Disable Interactive logon
> > .Deny log on locally
> > .Deny log on through Terminal Services
> > .Logon restricted to specific machines
> > .Auditing enable for logon events
> > .Enable alerting for failed logons
> >
> > -- Windows Service Account Management --
> > 1.Collect criteria
> > a.Identify the process or function that requires a service account other
> > than the BuiltIn Windows accounts
> > b.Identify the specific servers that this service account needs access to
> > c.Determine the level of system access needed (run as batch, log on as
> > service, etc.) by the service account
> > 2.Create accounta.Account name should start with "svc. " and be descriptive
> > b.Assign a complex password that meets the requirements listed above
> > c.In the AD properties under the "Account" tab, use the "Log On To" option
> > to specify the servers this account has the ability to log on to
> > d.Description field should contain the application name, process, and or
> > function
> > e.Place account into the ServiceAccounts OU
> >
> > Dave
> >
> >>>
> >>> On 8 October 2014 21:40, Dave Lum
> >>> <[email protected]<mailto:[email protected]>> wrote:
> >>>
> >>>> I've been tasked to create documentation on creation and management of
> >>>> Windows Service accounts, does anyone here have something I can use
> >>>> and
> >>>> modify?
> >>>>
> >>>> TIA,
> >>>> Dave
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> *James Rankin*
> >>> ---------------------
> >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
> >>> Practice Analyst - Desktop Virtualization
> >>> http://appsensebigot.blogspot.co.uk
> >>>
> >>>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> James Rankin
> >> ---------------------
> >> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
> >> Practice Analyst - Desktop Virtualization
> >> http://appsensebigot.blogspot.co.uk
> >>
> >
> >
> >
> >
> >
> >
>
>
