LOL -I store mine in Keepass...on my OneDrive. From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris Sent: Thursday, October 09, 2014 3:43 PM To: [email protected] Subject: RE: [NTSysADM] Windows Service account management
I really dislike the idea of storing my passwords and user IDs in the cloud. That is why I use KeePass. It would be more convenient out in the cloud but just my dislike and distrust of cloud based stuff. Yeah, yeah OLD foggy I know. Jon ________________________________ From: [email protected]<mailto:[email protected]> To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Windows Service account management Date: Thu, 9 Oct 2014 15:33:02 +0000 LastPass runs on all of those platforms and my Kindle :-D Actually I can't vouch for WP because I don't have one but it's supported and it does run just fine on my RT tablet. Also has a level of enterprise support & secure password sharing facility. Not a substitute for a full blown on-prem password vaulting solution[1] but it can solve a lot of problems [1] Which still has some of the inherent shortcomings mentioned in this thread but can close a lot of gaps. We have 10's of thousands of root and administrator accounts that are now unique & fully managed. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jon Harris Sent: Wednesday, October 08, 2014 4:46 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Windows Service account management KeePass does not appear to have a version to work on Windows RT or phones YET. I hope they do eventually get there though. Jon > Date: Wed, 8 Oct 2014 15:00:41 -0700 > Subject: Re: [NTSysADM] Windows Service account management > From: [email protected]<mailto:[email protected]> > To: [email protected]<mailto:[email protected]> > > Password Safe and Keepass both come in flavors that run on iPhone and > Android, as well as Windows and *nix. > > Kurt > > On Wed, Oct 8, 2014 at 2:40 PM, James Button > <[email protected]<mailto:[email protected]>> wrote: > > Yup! Nice concepts > > And > > 20 chars long - it better be based on a phrase I can remember, or I'll have > > to > > write it down on something I keep near the system where I logon. > > Maybe I can write it as the hint facility > > Special characters - yup - definitely needs writing down > > Ah! I can have the system remember the password and enter it whenever I put > > my > > id in the userid panel > > > > Hey - I'm the sysprog, and I can't ask someone else to fix my lost password > > for > > me, and management are not going to be happy if I can't fix their forgotten > > password > > > > Ah! This weeks selection of monthly password updates, where's my jotter - > > postit > > pad - that will do. > > > > The above is based on experience from many years as sysprog and security > > management techy on a site with mainframes, mini's, comms, network servers > > and > > PC's. > > > > And then, having required the consultant's ideas be implemented, management > > wonder why people create back-doors and/or write notes on passwords. > > > > At least - for most systems, I was allowed to change the password, so used a > > long phrase I could remember, and just wrote down the formula for selecting > > the > > characters from the phrase. > > > > Are you sure you will never need to logon either locally, or remotely - not > > even > > for a restore and update to 'current' status process. > > > > That said, how about limiting logon attempts to 1 a minute - that will > > (hopefully) deal with brute-force attempts. > > If possible email alerts about failed logon attempts (at least 2 userid's - > > system manager (techy), their manager, and a 'in-post' id - both bad > > password > > and not-allowed methods. > > > > You really want to know about access attempts rather than accessed by > > inappropriate persons. > > > > > > JimB > > > > > > ----Original Message----- > > From: [email protected]<mailto:[email protected]> > > [mailto:[email protected]] On > > Behalf Of Dave Lum > > Sent: Wednesday, October 08, 2014 10:17 PM > > To: [email protected]<mailto:[email protected]> > > Subject: RE: [NTSysADM] Windows Service account management > > > > Here's what I have so far. Thoughts? > > > > -- Windows Service Account Policy -- > > .Passwords must be > 20 characters in length > > .Passwords must be human-unreadable (preferably auto-generated from a > > password management tool) requiring upper case alpha, lower case alpha, > > numbers AND special characters > > .[Optional] If there is a service account management tool that can > > automate password control and changes, this would be used > > .Service accounts will be in a dedicated OU in Active Directory that has > > inheritance disabled to ensure typical domain-wide policies aren't > > unintentionally applied > > .Service account GPO's will be applied that restrict the ability for them > > to be used like a typical human user account. This includes configuring > > the following: > > .Disable Interactive logon > > .Deny log on locally > > .Deny log on through Terminal Services > > .Logon restricted to specific machines > > .Auditing enable for logon events > > .Enable alerting for failed logons > > > > -- Windows Service Account Management -- > > 1.Collect criteria > > a.Identify the process or function that requires a service account other > > than the BuiltIn Windows accounts > > b.Identify the specific servers that this service account needs access to > > c.Determine the level of system access needed (run as batch, log on as > > service, etc.) by the service account > > 2.Create accounta.Account name should start with "svc. " and be descriptive > > b.Assign a complex password that meets the requirements listed above > > c.In<https://urldefense.proofpoint.com/v1/url?u=http://c.in/&k=4%2BViHuL0UtSJBpVrYi3EdQ%3D%3D%0a&r=Jek3QSvahmIrNAN1nuPfQA%3D%3D%0a&m=xHG45R7oXV6fDpAUaxwzsvjU/Lxgws9IQFFg9FkRR3o%3D%0a&s=bd1278a5489317d1a091812e6a794638939c0e030173b06d8d0e0a9020b04d63> > > the AD properties under the "Account" tab, use the "Log On To" option > > to specify the servers this account has the ability to log on to > > d.Description field should contain the application name, process, and or > > function > > e.Place account into the ServiceAccounts OU > > > > Dave > > > >>> > >>> On 8 October 2014 21:40, Dave Lum > >>> <[email protected]<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]>>> > >>> wrote: > >>> > >>>> I've been tasked to create documentation on creation and management of > >>>> Windows Service accounts, does anyone here have something I can use > >>>> and > >>>> modify? > >>>> > >>>> TIA, > >>>> Dave > >>>> > >>>> > >>>> > >>>> > >>>> > >>> > >>> > >>> -- > >>> *James Rankin* > >>> --------------------- > >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization > >>> Practice Analyst - Desktop Virtualization > >>> http://appsensebigot.blogspot.co.uk<https://urldefense.proofpoint.com/v1/url?u=http://appsensebigot.blogspot.co.uk/&k=4%2BViHuL0UtSJBpVrYi3EdQ%3D%3D%0a&r=Jek3QSvahmIrNAN1nuPfQA%3D%3D%0a&m=xHG45R7oXV6fDpAUaxwzsvjU/Lxgws9IQFFg9FkRR3o%3D%0a&s=3d46d8ec934ae065120b540c58d40dc5ec4e48fa2c9a5a1274a2ec2232e6d791> > >>> > >>> > >> > >> > >> > >> > >> > >> > >> -- > >> James Rankin > >> --------------------- > >> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization > >> Practice Analyst - Desktop Virtualization > >> http://appsensebigot.blogspot.co.uk<https://urldefense.proofpoint.com/v1/url?u=http://appsensebigot.blogspot.co.uk/&k=4%2BViHuL0UtSJBpVrYi3EdQ%3D%3D%0a&r=Jek3QSvahmIrNAN1nuPfQA%3D%3D%0a&m=xHG45R7oXV6fDpAUaxwzsvjU/Lxgws9IQFFg9FkRR3o%3D%0a&s=3d46d8ec934ae065120b540c58d40dc5ec4e48fa2c9a5a1274a2ec2232e6d791> > >> > > > > > > > > > > > > > > ________________________________ PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/ ________________________________ Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender, delete this email and destroy all copies.
