RE: [NTSysADM] Windows Service account management

[Tim Evans]

Just be sure not to open it in two different places at the same time. Keepass 
helps with that by writing a separate lock file to the same location the file 
was opened from and will notify that the file is open in other locations or by 
other people.

…Tim

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David Lum
Sent: Thursday, October 09, 2014 8:46 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Windows Service account management

Yes it will, as you are effectively just using OneDrive as a replication medium.

I treat all cloud storage as a replication point as I operate under the 
assumption all cloud data can dissappear without notice. Critical data I have 
the original, a local copy (at minimum in a seperate physical device), and a 
cloud copy. Backups are disk to disk to cloud.

Put another way, I use the cloud as protection from a regional event that wipes 
out my local data and local copies.

Dave Lum - d...@theitgarage.com<mailto:d...@theitgarage.com>

Sent from mobile device, please pardon the brevity.

On Oct 9, 2014, at 7:13 PM, Jon Harris 
<jk.har...@live.com<mailto:jk.har...@live.com>> wrote:
Dave will KeePass installed locally work with the cloud based database?  I have 
been thinking of doing that but my oldness keeps telling me to ignore 
convenience for safety.

Jon

> Date: Thu, 9 Oct 2014 19:06:53 -0700
> Subject: Re: [NTSysADM] Windows Service account management
> From: kurt.b...@gmail.com<mailto:kurt.b...@gmail.com>
> To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
>
> Probably safer than a web/cloud-based service (LastPass, et al) where
> the database isn't under your direct control, as long as you have a
> good password on the database.
>
> Kurt
>
> On Thu, Oct 9, 2014 at 7:00 PM, Dave Lum 
> <l...@ochin.org<mailto:l...@ochin.org>> wrote:
> > LOL –I store mine in Keepass…on my OneDrive.
> >
> >
> >
> > From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
> > [mailto:listsad...@lists.myitforum.com]
> > On Behalf Of Jon Harris
> > Sent: Thursday, October 09, 2014 3:43 PM
> > To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> >
> >
> > I really dislike the idea of storing my passwords and user IDs in the cloud.
> > That is why I use KeePass. It would be more convenient out in the cloud but
> > just my dislike and distrust of cloud based stuff. Yeah, yeah OLD foggy I
> > know.
> >
> > Jon
> >
> >
> > ________________________________
> >
> > From: r...@pge.com<mailto:r...@pge.com>
> > To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
> > Subject: RE: [NTSysADM] Windows Service account management
> > Date: Thu, 9 Oct 2014 15:33:02 +0000
> >
> > LastPass runs on all of those platforms and my Kindle :-D
> >
> >
> >
> > Actually I can’t vouch for WP because I don’t have one but it’s supported
> > and it does run just fine on my RT tablet.
> >
> >
> >
> > Also has a level of enterprise support & secure password sharing facility.
> >
> >
> >
> > Not a substitute for a full blown on-prem password vaulting solution[1] but
> > it can solve a lot of problems
> >
> >
> >
> > [1] Which still has some of the inherent shortcomings mentioned in this
> > thread but can close a lot of gaps. We have 10’s of thousands of root and
> > administrator accounts that are now unique & fully managed.
> >
> >
> >
> > From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
> > [mailto:listsad...@lists.myitforum.com]
> > On Behalf Of Jon Harris
> > Sent: Wednesday, October 08, 2014 4:46 PM
> >
> >
> > To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> >
> >
> > KeePass does not appear to have a version to work on Windows RT or phones
> > YET. I hope they do eventually get there though.
> >
> > Jon
> >
> >
> >> Date: Wed, 8 Oct 2014 15:00:41 -0700
> >> Subject: Re: [NTSysADM] Windows Service account management
> >> From: kurt.b...@gmail.com<mailto:kurt.b...@gmail.com>
> >> To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
> >>
> >> Password Safe and Keepass both come in flavors that run on iPhone and
> >> Android, as well as Windows and *nix.
> >>
> >> Kurt
> >>
> >> On Wed, Oct 8, 2014 at 2:40 PM, James Button
> >> <jamesbut...@blueyonder.co.uk<mailto:jamesbut...@blueyonder.co.uk>> wrote:
> >> > Yup! Nice concepts
> >> > And
> >> > 20 chars long - it better be based on a phrase I can remember, or I'll
> >> > have to
> >> > write it down on something I keep near the system where I logon.
> >> > Maybe I can write it as the hint facility
> >> > Special characters - yup - definitely needs writing down
> >> > Ah! I can have the system remember the password and enter it whenever I
> >> > put my
> >> > id in the userid panel
> >> >
> >> > Hey - I'm the sysprog, and I can't ask someone else to fix my lost
> >> > password for
> >> > me, and management are not going to be happy if I can't fix their
> >> > forgotten
> >> > password
> >> >
> >> > Ah! This weeks selection of monthly password updates, where's my jotter
> >> > - postit
> >> > pad - that will do.
> >> >
> >> > The above is based on experience from many years as sysprog and security
> >> > management techy on a site with mainframes, mini's, comms, network
> >> > servers and
> >> > PC's.
> >> >
> >> > And then, having required the consultant's ideas be implemented,
> >> > management
> >> > wonder why people create back-doors and/or write notes on passwords.
> >> >
> >> > At least - for most systems, I was allowed to change the password, so
> >> > used a
> >> > long phrase I could remember, and just wrote down the formula for
> >> > selecting the
> >> > characters from the phrase.
> >> >
> >> > Are you sure you will never need to logon either locally, or remotely -
> >> > not even
> >> > for a restore and update to 'current' status process.
> >> >
> >> > That said, how about limiting logon attempts to 1 a minute - that will
> >> > (hopefully) deal with brute-force attempts.
> >> > If possible email alerts about failed logon attempts (at least 2
> >> > userid's -
> >> > system manager (techy), their manager, and a 'in-post' id - both bad
> >> > password
> >> > and not-allowed methods.
> >> >
> >> > You really want to know about access attempts rather than accessed by
> >> > inappropriate persons.
> >> >
> >> >
> >> > JimB
> >> >
> >> >
> >> > ----Original Message-----
> >> > From: 
> >> > listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>
> >> > [mailto:listsad...@lists.myitforum.com] On
> >> > Behalf Of Dave Lum
> >> > Sent: Wednesday, October 08, 2014 10:17 PM
> >> > To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
> >> > Subject: RE: [NTSysADM] Windows Service account management
> >> >
> >> > Here's what I have so far. Thoughts?
> >> >
> >> > -- Windows Service Account Policy --
> >> > .Passwords must be > 20 characters in length
> >> > .Passwords must be human-unreadable (preferably auto-generated from a
> >> > password management tool) requiring upper case alpha, lower case alpha,
> >> > numbers AND special characters
> >> > .[Optional] If there is a service account management tool that can
> >> > automate password control and changes, this would be used
> >> > .Service accounts will be in a dedicated OU in Active Directory that has
> >> > inheritance disabled to ensure typical domain-wide policies aren't
> >> > unintentionally applied
> >> > .Service account GPO's will be applied that restrict the ability for
> >> > them
> >> > to be used like a typical human user account. This includes configuring
> >> > the following:
> >> > .Disable Interactive logon
> >> > .Deny log on locally
> >> > .Deny log on through Terminal Services
> >> > .Logon restricted to specific machines
> >> > .Auditing enable for logon events
> >> > .Enable alerting for failed logons
> >> >
> >> > -- Windows Service Account Management --
> >> > 1.Collect criteria
> >> > a.Identify the process or function that requires a service account other
> >> > than the BuiltIn Windows accounts
> >> > b.Identify the specific servers that this service account needs access
> >> > to
> >> > c.Determine the level of system access needed (run as batch, log on as
> >> > service, etc.) by the service account
> >> > 2.Create accounta.Account name should start with "svc. " and be
> >> > descriptive
> >> > b.Assign a complex password that meets the requirements listed above
> >> > c.In the AD properties under the "Account" tab, use the "Log On To"
> >> > option
> >> > to specify the servers this account has the ability to log on to
> >> > d.Description field should contain the application name, process, and or
> >> > function
> >> > e.Place account into the ServiceAccounts OU
> >> >
> >> > Dave
> >> >
> >> >>>
> >> >>> On 8 October 2014 21:40, Dave Lum
> >> >>> <li...@theitgarage.com<mailto:li...@theitgarage.com><mailto:li...@theitgarage.com>>
> >> >>>  wrote:
> >> >>>
> >> >>>> I've been tasked to create documentation on creation and management
> >> >>>> of
> >> >>>> Windows Service accounts, does anyone here have something I can use
> >> >>>> and
> >> >>>> modify?
> >> >>>>
> >> >>>> TIA,
> >> >>>> Dave
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> *James Rankin*
> >> >>> ---------------------
> >> >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The
> >> >>> Virtualization
> >> >>> Practice Analyst - Desktop Virtualization
> >> >>> http://appsensebigot.blogspot.co.uk
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> James Rankin
> >> >> ---------------------
> >> >> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
> >> >> Practice Analyst - Desktop Virtualization
> >> >> http://appsensebigot.blogspot.co.uk
> >> >>
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
> >
> > ________________________________
> >
> > PG&E is committed to protecting our customers' privacy.
> > To learn more, please visit
> > http://www.pge.com/about/company/privacy/customer/
> >
> > ________________________________
> > Attention: Information contained in this message and or attachments is
> > intended only for the recipient(s) named above and may contain confidential
> > and or privileged material that is protected under State or Federal law. If
> > you are not the intended recipient, any disclosure, copying, distribution or
> > action taken on it is prohibited. If you believe you have received this
> > email in error, please contact the sender, delete this email and destroy all
> > copies.
>
>