Probably safer than a web/cloud-based service (LastPass, et al.) where
the database isn't under your direct control, as long as you have a
good password on the database.

Kurt

On Thu, Oct 9, 2014 at 7:00 PM, Dave Lum <[email protected]> wrote:
> LOL – I store mine in KeePass… on my OneDrive.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jon Harris
> Sent: Thursday, October 09, 2014 3:43 PM
> To: [email protected]
> Subject: RE: [NTSysADM] Windows Service account management
>
> I really dislike the idea of storing my passwords and user IDs in the cloud.
> That is why I use KeePass.  It would be more convenient out in the cloud but
> just my dislike and distrust of cloud-based stuff.  Yeah, yeah, OLD fogey, I
> know.
>
> Jon
>
> ________________________________
>
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Windows Service account management
> Date: Thu, 9 Oct 2014 15:33:02 +0000
>
> LastPass runs on all of those platforms and my Kindle :-D
>
> Actually I can’t vouch for WP because I don’t have one but it’s supported
> and it does run just fine on my RT tablet.
>
> Also has a level of enterprise support & secure password sharing facility.
>
> Not a substitute for a full-blown on-prem password vaulting solution[1] but
> it can solve a lot of problems.
>
> [1] Which still has some of the inherent shortcomings mentioned in this
> thread but can close a lot of gaps. We have tens of thousands of root and
> administrator accounts that are now unique & fully managed.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jon Harris
> Sent: Wednesday, October 08, 2014 4:46 PM
> To: [email protected]
> Subject: RE: [NTSysADM] Windows Service account management
>
> KeePass does not appear to have a version to work on Windows RT or phones
> YET.  I hope they do eventually get there though.
>
> Jon
>
>> Date: Wed, 8 Oct 2014 15:00:41 -0700
>> Subject: Re: [NTSysADM] Windows Service account management
>> From: [email protected]
>> To: [email protected]
>>
>> Password Safe and KeePass both come in flavors that run on iPhone and
>> Android, as well as Windows and *nix.
>>
>> Kurt
>>
>> On Wed, Oct 8, 2014 at 2:40 PM, James Button
>> <[email protected]> wrote:
>> > Yup! Nice concepts
>> > And
>> > 20 chars long - it better be based on a phrase I can remember, or I'll
>> > have to write it down on something I keep near the system where I logon.
>> > Maybe I can write it as the hint facility
>> > Special characters - yup - definitely needs writing down
>> > Ah! I can have the system remember the password and enter it whenever I
>> > put my id in the userid panel
>> >
>> > Hey - I'm the sysprog, and I can't ask someone else to fix my lost
>> > password for me, and management are not going to be happy if I can't fix
>> > their forgotten password
>> >
>> > Ah! This week's selection of monthly password updates, where's my jotter
>> > - postit pad - that will do.
>> >
>> > The above is based on experience from many years as sysprog and security
>> > management techy on a site with mainframes, minis, comms, network
>> > servers and PCs.
>> >
>> > And then, having required the consultant's ideas be implemented,
>> > management wonder why people create back-doors and/or write notes on
>> > passwords.
>> >
>> > At least - for most systems, I was allowed to change the password, so
>> > used a long phrase I could remember, and just wrote down the formula for
>> > selecting the characters from the phrase.
>> >
>> > Are you sure you will never need to logon either locally, or remotely -
>> > not even for a restore and update to 'current' status process?
>> >
>> > That said, how about limiting logon attempts to 1 a minute - that will
>> > (hopefully) deal with brute-force attempts.
>> > If possible email alerts about failed logon attempts (at least 2
>> > userids - system manager (techy), their manager, and an 'in-post' id) -
>> > both bad password and not-allowed methods.
>> >
>> > You really want to know about access attempts rather than accessed by
>> > inappropriate persons.
>> >
>> > JimB
>> >
>> > -----Original Message-----
>> > From: [email protected]
>> > [mailto:[email protected]] On
>> > Behalf Of Dave Lum
>> > Sent: Wednesday, October 08, 2014 10:17 PM
>> > To: [email protected]
>> > Subject: RE: [NTSysADM] Windows Service account management
>> >
>> > Here's what I have so far. Thoughts?
>> >
>> > -- Windows Service Account Policy --
>> > - Passwords must be > 20 characters in length
>> > - Passwords must be human-unreadable (preferably auto-generated from a
>> >   password management tool), requiring upper case alpha, lower case alpha,
>> >   numbers AND special characters
>> > - [Optional] If there is a service account management tool that can
>> >   automate password control and changes, this would be used
>> > - Service accounts will be in a dedicated OU in Active Directory that has
>> >   inheritance disabled to ensure typical domain-wide policies aren't
>> >   unintentionally applied
>> > - Service account GPOs will be applied that restrict the ability for them
>> >   to be used like a typical human user account. This includes configuring
>> >   the following:
>> >   - Disable Interactive logon
>> >   - Deny log on locally
>> >   - Deny log on through Terminal Services
>> >   - Logon restricted to specific machines
>> >   - Auditing enabled for logon events
>> >   - Enable alerting for failed logons
>> >
>> > -- Windows Service Account Management --
>> > 1. Collect criteria
>> >    a. Identify the process or function that requires a service account
>> >       other than the built-in Windows accounts
>> >    b. Identify the specific servers that this service account needs access
>> >       to
>> >    c. Determine the level of system access needed (run as batch, log on as
>> >       service, etc.) by the service account
>> > 2. Create account
>> >    a. Account name should start with "svc." and be descriptive
>> >    b. Assign a complex password that meets the requirements listed above
>> >    c. In the AD properties under the "Account" tab, use the "Log On To"
>> >       option to specify the servers this account has the ability to log on
>> >       to
>> >    d. Description field should contain the application name, process,
>> >       and/or function
>> >    e. Place account into the ServiceAccounts OU
>> >
>> > Dave
>> >
>> >>>
>> >>> On 8 October 2014 21:40, Dave Lum <[email protected]> wrote:
>> >>>
>> >>>> I've been tasked to create documentation on creation and management
>> >>>> of Windows Service accounts, does anyone here have something I can use
>> >>>> and modify?
>> >>>>
>> >>>> TIA,
>> >>>> Dave
>> >>> --
>> >>> *James Rankin*
>> >>> ---------------------
>> >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
>> >>> Practice Analyst - Desktop Virtualization
>> >>> http://appsensebigot.blogspot.co.uk
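Dave's policy and creation steps above, as an added PowerShell example that is not from the thread: one function creates an account the way step 2 describes, the other audits the ServiceAccounts OU for drift from the policy. Cmdlets are from the ActiveDirectory module; the OU path, domain, server names and rotation limit are assumed placeholders.

```powershell
# Added example; not from the thread. Assumes the ActiveDirectory module and
# placeholder names: domain example.com, OU "ServiceAccounts", servers FS01/FS02.
Import-Module ActiveDirectory

$ServiceOU = 'OU=ServiceAccounts,DC=example,DC=com'   # assumed OU path

# Step 2 of Dave's procedure: svc. prefix, >20-char password, description,
# "Log On To" restriction (the LogonWorkstations attribute), placed in the OU.
# The deny-logon and auditing settings are GPOs linked to that OU, not per-user.
function New-ServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'svc.backup'
        [Parameter(Mandatory)][string]$Description,   # app / process / function
        [Parameter(Mandatory)][string[]]$Servers,     # hosts it may log on to
        [Parameter(Mandatory)][securestring]$Password
    )
    if ($Name -notlike 'svc.*')  { throw "Name must start with 'svc.'" }
    if ($Password.Length -le 20) { throw 'Password must be longer than 20 characters' }
    New-ADUser -Name $Name -SamAccountName $Name -Description $Description `
        -Path $ServiceOU -AccountPassword $Password -Enabled $true `
        -LogonWorkstations ($Servers -join ',') -PassThru
}

# The check: audit every account in the OU against the policy and report drift.
function Test-ServiceAccountPolicy {
    param([int]$MaxPasswordAgeDays = 365)   # assumed rotation limit
    Get-ADUser -SearchBase $ServiceOU -Filter * `
        -Properties Description, LogonWorkstations, PasswordLastSet |
    ForEach-Object {
        $issues = @()
        if ($_.SamAccountName -notlike 'svc.*') { $issues += 'name lacks svc. prefix' }
        if (-not $_.Description)       { $issues += 'no description' }
        if (-not $_.LogonWorkstations) { $issues += 'no "Log On To" restriction' }
        if (-not $_.PasswordLastSet -or
            $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $issues += "password not set within $MaxPasswordAgeDays days"
        }
        if ($issues) {
            [pscustomobject]@{ Account = $_.SamAccountName; Issues = $issues -join '; ' }
        }
    }
}

# Usage with constructed sample values:
# $pw = Read-Host -AsSecureString 'Generated 24+ char password'
# New-ServiceAccount -Name 'svc.backup' -Description 'Backup agent on file servers' `
#     -Servers 'FS01','FS02' -Password $pw
# Test-ServiceAccountPolicy | Format-Table -AutoSize
```

Run the audit function on a schedule and feed its output to the alerting the policy calls for, so an account created outside the procedure shows up as drift rather than going unnoticed.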