Keep in mind, at least with Windows 8 and above, you might have to make sure the database file is “available offline” (by right clicking and selecting the correct option) if it was placed there from another computer. I’m pretty sure KeePass interacts with the files a bit differently and will cause issues if it’s online only.
Freddy

From: [email protected] [mailto:[email protected]] On Behalf Of David Lum
Sent: Friday, 10 October 2014 1:42 PM
To: [email protected]
Subject: Re: [NTSysADM] Windows Service account management

Yes it will, as you are effectively just using OneDrive as a replication medium. I treat all cloud storage as a replication point as I operate under the assumption all cloud data can disappear without notice. Critical data I have the original, a local copy (at minimum in a separate physical device), and a cloud copy. Backups are disk to disk to cloud. Put another way, I use the cloud as protection from a regional event that wipes out my local data and local copies.

Dave Lum - [email protected]
Sent from mobile device, please pardon the brevity.

On Oct 9, 2014, at 7:13 PM, Jon Harris <[email protected]> wrote:

Dave, will KeePass installed locally work with the cloud based database? I have been thinking of doing that but my oldness keeps telling me to ignore convenience for safety.

Jon

> Date: Thu, 9 Oct 2014 19:06:53 -0700
> Subject: Re: [NTSysADM] Windows Service account management
> From: [email protected]
> To: [email protected]
>
> Probably safer than a web/cloud-based service (LastPass, et al) where
> the database isn't under your direct control, as long as you have a
> good password on the database.
>
> Kurt
>
> On Thu, Oct 9, 2014 at 7:00 PM, Dave Lum
> <[email protected]> wrote:
> > LOL – I store mine in Keepass…on my OneDrive.
> >
> > From: [email protected]
> > [mailto:[email protected]]
> > On Behalf Of Jon Harris
> > Sent: Thursday, October 09, 2014 3:43 PM
> > To: [email protected]
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> > I really dislike the idea of storing my passwords and user IDs in the cloud.
> > That is why I use KeePass. It would be more convenient out in the cloud but
> > just my dislike and distrust of cloud based stuff. Yeah, yeah OLD fogey I
> > know.
> >
> > Jon
> >
> > ________________________________
> >
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: [NTSysADM] Windows Service account management
> > Date: Thu, 9 Oct 2014 15:33:02 +0000
> >
> > LastPass runs on all of those platforms and my Kindle :-D
> >
> > Actually I can’t vouch for WP because I don’t have one but it’s supported
> > and it does run just fine on my RT tablet.
> >
> > Also has a level of enterprise support & secure password sharing facility.
> >
> > Not a substitute for a full blown on-prem password vaulting solution[1] but
> > it can solve a lot of problems
> >
> > [1] Which still has some of the inherent shortcomings mentioned in this
> > thread but can close a lot of gaps. We have 10’s of thousands of root and
> > administrator accounts that are now unique & fully managed.
> >
> > From: [email protected]
> > [mailto:[email protected]]
> > On Behalf Of Jon Harris
> > Sent: Wednesday, October 08, 2014 4:46 PM
> > To: [email protected]
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> > KeePass does not appear to have a version to work on Windows RT or phones
> > YET. I hope they do eventually get there though.
> >
> > Jon
> >
> >> Date: Wed, 8 Oct 2014 15:00:41 -0700
> >> Subject: Re: [NTSysADM] Windows Service account management
> >> From: [email protected]
> >> To: [email protected]
> >>
> >> Password Safe and Keepass both come in flavors that run on iPhone and
> >> Android, as well as Windows and *nix.
> >>
> >> Kurt
> >>
> >> On Wed, Oct 8, 2014 at 2:40 PM, James Button
> >> <[email protected]> wrote:
> >> > Yup! Nice concepts
> >> > And
> >> > 20 chars long - it better be based on a phrase I can remember, or I'll
> >> > have to write it down on something I keep near the system where I logon.
> >> > Maybe I can write it as the hint facility
> >> > Special characters - yup - definitely needs writing down
> >> > Ah! I can have the system remember the password and enter it whenever I
> >> > put my id in the userid panel
> >> >
> >> > Hey - I'm the sysprog, and I can't ask someone else to fix my lost
> >> > password for me, and management are not going to be happy if I can't
> >> > fix their forgotten password
> >> >
> >> > Ah! This week's selection of monthly password updates, where's my jotter
> >> > - postit pad - that will do.
> >> >
> >> > The above is based on experience from many years as sysprog and security
> >> > management techy on a site with mainframes, mini's, comms, network
> >> > servers and PC's.
> >> >
> >> > And then, having required the consultant's ideas be implemented,
> >> > management wonder why people create back-doors and/or write notes on
> >> > passwords.
> >> >
> >> > At least - for most systems, I was allowed to change the password, so
> >> > used a long phrase I could remember, and just wrote down the formula
> >> > for selecting the characters from the phrase.
> >> >
> >> > Are you sure you will never need to logon either locally, or remotely -
> >> > not even for a restore and update to 'current' status process.
> >> >
> >> > That said, how about limiting logon attempts to 1 a minute - that will
> >> > (hopefully) deal with brute-force attempts.
> >> > If possible email alerts about failed logon attempts (at least 2
> >> > userid's - system manager (techy), their manager, and a 'in-post' id -
> >> > both bad password and not-allowed methods.
> >> >
> >> > You really want to know about access attempts rather than accessed by
> >> > inappropriate persons.
> >> >
> >> > JimB
> >> >
> >> > ----Original Message-----
> >> > From: [email protected]
> >> > [mailto:[email protected]] On Behalf Of Dave Lum
> >> > Sent: Wednesday, October 08, 2014 10:17 PM
> >> > To: [email protected]
> >> > Subject: RE: [NTSysADM] Windows Service account management
> >> >
> >> > Here's what I have so far. Thoughts?
> >> >
> >> > -- Windows Service Account Policy --
> >> > - Passwords must be > 20 characters in length
> >> > - Passwords must be human-unreadable (preferably auto-generated from a
> >> >   password management tool) requiring upper case alpha, lower case
> >> >   alpha, numbers AND special characters
> >> > - [Optional] If there is a service account management tool that can
> >> >   automate password control and changes, this would be used
> >> > - Service accounts will be in a dedicated OU in Active Directory that
> >> >   has inheritance disabled to ensure typical domain-wide policies
> >> >   aren't unintentionally applied
> >> > - Service account GPO's will be applied that restrict the ability for
> >> >   them to be used like a typical human user account. This includes
> >> >   configuring the following:
> >> >   - Disable Interactive logon
> >> >   - Deny log on locally
> >> >   - Deny log on through Terminal Services
> >> >   - Logon restricted to specific machines
> >> >   - Auditing enabled for logon events
> >> >   - Enable alerting for failed logons
> >> >
> >> > -- Windows Service Account Management --
> >> > 1. Collect criteria
> >> >    a. Identify the process or function that requires a service account
> >> >       other than the BuiltIn Windows accounts
> >> >    b. Identify the specific servers that this service account needs
> >> >       access to
> >> >    c. Determine the level of system access needed (run as batch, log on
> >> >       as service, etc.) by the service account
> >> > 2. Create account
> >> >    a. Account name should start with "svc." and be descriptive
> >> >    b. Assign a complex password that meets the requirements listed above
> >> >    c. In the AD properties under the "Account" tab, use the "Log On To"
> >> >       option to specify the servers this account has the ability to log
> >> >       on to
> >> >    d. Description field should contain the application name, process,
> >> >       and or function
> >> >    e. Place account into the ServiceAccounts OU
> >> >
> >> > Dave
> >> >
> >> >>> On 8 October 2014 21:40, Dave Lum <[email protected]> wrote:
> >> >>>
> >> >>>> I've been tasked to create documentation on creation and management
> >> >>>> of Windows Service accounts, does anyone here have something I can
> >> >>>> use and modify?
> >> >>>>
> >> >>>> TIA,
> >> >>>> Dave
> >> >>>
> >> >>> --
> >> >>> *James Rankin*
> >> >>> ---------------------
> >> >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The
> >> >>> Virtualization Practice Analyst - Desktop Virtualization
> >> >>> http://appsensebigot.blogspot.co.uk
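
An added example, not part of the original thread: a PowerShell check of account objects against the account-creation steps in the draft quoted above (the "svc." name prefix, a populated Description, a "Log On To" restriction, and placement in the ServiceAccounts OU). The OU distinguished name, the sample accounts and the function name `Test-ServiceAccountPolicy` are constructed for illustration.

```powershell
# Added example: audit account objects against the draft service-account policy.
# Assumption: placeholder OU distinguished name; substitute the real one.
$ServiceOu = 'OU=ServiceAccounts,DC=example,DC=com'

function Test-ServiceAccountPolicy {
    param([Parameter(Mandatory)] $Account)

    $findings = @()
    if ($Account.SamAccountName -notlike 'svc.*') {
        $findings += 'name does not start with "svc."'
    }
    if ([string]::IsNullOrWhiteSpace($Account.Description)) {
        $findings += 'Description is empty'
    }
    if ([string]::IsNullOrWhiteSpace($Account.LogonWorkstations)) {
        # An empty LogonWorkstations attribute means "Log On To: all computers".
        $findings += '"Log On To" is not restricted to specific servers'
    }
    if ($Account.DistinguishedName -notlike "*,$ServiceOu") {
        $findings += 'account is outside the ServiceAccounts OU'
    }

    [pscustomobject]@{
        Account   = $Account.SamAccountName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Constructed sample objects shaped like Get-ADUser output, so this runs offline.
# Against a real domain (RSAT ActiveDirectory module), feed it instead with:
#   Get-ADUser -Filter "SamAccountName -like 'svc.*'" -Properties Description, LogonWorkstations
#   Get-ADUser -Filter * -SearchBase $ServiceOu -Properties Description, LogonWorkstations
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc.sqlbackup'; Description = 'SQL backup agent'
        LogonWorkstations = 'SQL01,SQL02'; DistinguishedName = "CN=svc.sqlbackup,$ServiceOu" }
    [pscustomobject]@{ SamAccountName = 'svc.scanner'; Description = ''
        LogonWorkstations = $null; DistinguishedName = "CN=svc.scanner,$ServiceOu" }
    [pscustomobject]@{ SamAccountName = 'backupadmin'; Description = 'Legacy backup job'
        LogonWorkstations = 'BKP01'; DistinguishedName = 'CN=backupadmin,CN=Users,DC=example,DC=com' }
)

$sample | ForEach-Object { Test-ServiceAccountPolicy -Account $_ } |
    Format-Table -AutoSize -Wrap
```

The password-length and logon-right items in the draft cannot be read back from these attributes; they are enforced through the password tool and the GPOs applied to the OU.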

