There are multiple options for LastPass including standalone and MFA. I found it was a lot more flexible for personal use. YMMV. They also don't store your passwords in the cloud; read up on the cryptography involved if interested.
I repeat- "Not a substitute for a full blown on-prem password vaulting solution"

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Thursday, October 09, 2014 3:43 PM
To: [email protected]
Subject: RE: [NTSysADM] Windows Service account management

I really dislike the idea of storing my passwords and user IDs in the cloud. That is why I use KeePass. It would be more convenient out in the cloud, but just my dislike and distrust of cloud-based stuff. Yeah, yeah, OLD fogey, I know.

Jon

________________________________
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Windows Service account management
Date: Thu, 9 Oct 2014 15:33:02 +0000

LastPass runs on all of those platforms and my Kindle :-D Actually I can't vouch for WP because I don't have one, but it's supported and it does run just fine on my RT tablet. Also has a level of enterprise support & secure password sharing facility. Not a substitute for a full blown on-prem password vaulting solution[1], but it can solve a lot of problems.

[1] Which still has some of the inherent shortcomings mentioned in this thread but can close a lot of gaps. We have tens of thousands of root and administrator accounts that are now unique & fully managed.

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Wednesday, October 08, 2014 4:46 PM
To: [email protected]
Subject: RE: [NTSysADM] Windows Service account management

KeePass does not appear to have a version to work on Windows RT or phones YET. I hope they do eventually get there though.

Jon

> Date: Wed, 8 Oct 2014 15:00:41 -0700
> Subject: Re: [NTSysADM] Windows Service account management
> From: [email protected]
> To: [email protected]
>
> Password Safe and KeePass both come in flavors that run on iPhone and Android, as well as Windows and *nix.
>
> Kurt
>
> On Wed, Oct 8, 2014 at 2:40 PM, James Button <[email protected]> wrote:
> > Yup! Nice concepts
> >
> > And
> >
> > 20 chars long - it better be based on a phrase I can remember, or I'll have to write it down on something I keep near the system where I log on. Maybe I can write it as the hint facility.
> > Special characters - yup - definitely needs writing down.
> > Ah! I can have the system remember the password and enter it whenever I put my id in the userid panel.
> >
> > Hey - I'm the sysprog, and I can't ask someone else to fix my lost password for me, and management are not going to be happy if I can't fix their forgotten password.
> >
> > Ah! This week's selection of monthly password updates, where's my jotter - post-it pad - that will do.
> >
> > The above is based on experience from many years as sysprog and security management techy on a site with mainframes, minis, comms, network servers and PCs.
> >
> > And then, having required the consultant's ideas be implemented, management wonder why people create back-doors and/or write notes on passwords.
> >
> > At least - for most systems, I was allowed to change the password, so used a long phrase I could remember, and just wrote down the formula for selecting the characters from the phrase.
> >
> > Are you sure you will never need to log on either locally, or remotely - not even for a restore and update to 'current' status process?
> >
> > That said, how about limiting logon attempts to 1 a minute - that will (hopefully) deal with brute-force attempts.
> > If possible, email alerts about failed logon attempts (at least 2 userids - system manager (techy), their manager, and an 'in-post' id) - both bad password and not-allowed methods.
> >
> > You really want to know about access attempts rather than accessed by inappropriate persons.
> >
> > JimB
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
> > Sent: Wednesday, October 08, 2014 10:17 PM
> > To: [email protected]
> > Subject: RE: [NTSysADM] Windows Service account management
> >
> > Here's what I have so far. Thoughts?
> >
> > -- Windows Service Account Policy --
> > - Passwords must be > 20 characters in length
> > - Passwords must be human-unreadable (preferably auto-generated from a password management tool), requiring upper case alpha, lower case alpha, numbers AND special characters
> > - [Optional] If there is a service account management tool that can automate password control and changes, this would be used
> > - Service accounts will be in a dedicated OU in Active Directory that has inheritance disabled to ensure typical domain-wide policies aren't unintentionally applied
> > - Service account GPOs will be applied that restrict the ability for them to be used like a typical human user account. This includes configuring the following:
> >   - Disable Interactive logon
> >   - Deny log on locally
> >   - Deny log on through Terminal Services
> >   - Logon restricted to specific machines
> >   - Auditing enabled for logon events
> >   - Enable alerting for failed logons
> >
> > -- Windows Service Account Management --
> > 1. Collect criteria
> >    a. Identify the process or function that requires a service account other than the built-in Windows accounts
> >    b. Identify the specific servers that this service account needs access to
> >    c. Determine the level of system access needed (run as batch, log on as service, etc.) by the service account
> > 2. Create account
> >    a. Account name should start with "svc." and be descriptive
> >    b. Assign a complex password that meets the requirements listed above
> >    c. In the AD properties under the "Account" tab, use the "Log On To" option to specify the servers this account has the ability to log on to
> >    d. Description field should contain the application name, process, and/or function
> >    e. Place account into the ServiceAccounts OU
> >
> > Dave
> >
> > >>> On 8 October 2014 21:40, Dave Lum <[email protected]> wrote:
> > >>>
> > >>>> I've been tasked to create documentation on creation and management of Windows Service accounts, does anyone here have something I can use and modify?
> > >>>>
> > >>>> TIA,
> > >>>> Dave
> > >>>
> > >>> --
> > >>> James Rankin
> > >>> ---------------------
> > >>> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
> > >>> http://appsensebigot.blogspot.co.uk

________________________________
PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/
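The "Create account" steps in Dave's draft procedure, carried through as one PowerShell script. This is an added example and not code from the thread or from any list member; it assumes the RSAT ActiveDirectory module, an existing ServiceAccounts OU, and that the GPO carrying the draft's deny-logon rights targets a group. The OU path, group name, password alphabet and the sample call at the bottom are placeholders.

```powershell
# Added example, not code from the thread: provisioning one account the way
# Dave Lum's draft "Windows Service Account Management" steps describe.
# Assumes the ActiveDirectory module (RSAT) and an existing ServiceAccounts OU;
# the OU path, group name and the sample call at the bottom are placeholders.
#Requires -Modules ActiveDirectory

function Test-ServicePasswordPolicy {
    # Draft policy: > 20 characters with upper, lower, digit and special characters.
    param([Parameter(Mandatory)][string]$Password)
    return (($Password.Length -gt 20) -and ($Password -cmatch '[A-Z]') -and
            ($Password -cmatch '[a-z]') -and ($Password -match '[0-9]') -and
            ($Password -match '[^A-Za-z0-9]'))
}

function New-ServicePassword {
    # Draws characters from a CSPRNG with rejection sampling (a plain
    # "byte % alphabet length" would bias towards the first characters of the
    # alphabet), then retries until the composition rules above are met.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~'
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size that fits a byte
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $chars = New-Object char[] $Length
            $i = 0
            while ($i -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -ge $limit) { continue }   # reject this byte and redraw
                $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
                $i++
            }
            $candidate = -join $chars
        } until (Test-ServicePasswordPolicy -Password $candidate)
    } finally { $rng.Dispose() }
    return $candidate
}

function New-ServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Purpose,       # descriptive part after "svc.", e.g. sqlbackup
        [Parameter(Mandatory)][string[]]$Servers,     # NetBIOS names for the "Log On To" list
        [Parameter(Mandatory)][string]$Description,   # application, process and/or function
        [string]$OUPath = 'OU=ServiceAccounts,DC=corp,DC=example',   # placeholder
        [string]$DenyLogonGroup = 'SvcAccounts-NoInteractive'        # placeholder, assumed
    )
    $sam = "svc.$Purpose"
    # sAMAccountName is limited to 20 characters for user objects, so the
    # descriptive part of the name has at most 16.
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' is longer than 20 characters" }

    $password = ConvertTo-SecureString (New-ServicePassword) -AsPlainText -Force

    # Steps 2a-2e: name, generated password, Log On To list, description, OU.
    New-ADUser -Name $sam -SamAccountName $sam -Path $OUPath -Description $Description `
        -LogonWorkstations ($Servers -join ',') -AccountPassword $password -Enabled $true

    # The draft's "Deny log on locally" / "Deny log on through Terminal Services"
    # are user rights set by GPO. This assumes the GPO assigns those deny rights
    # to $DenyLogonGroup, so group membership is what applies them to the account.
    Add-ADGroupMember -Identity $DenyLogonGroup -Members $sam

    # Read the object back and refuse to hand over an account that is not restricted as intended.
    $u = Get-ADUser -Identity $sam -Properties LogonWorkstations, Description
    if ($u.DistinguishedName -notlike "*,$OUPath") { throw "$sam was not created under $OUPath" }
    if ([string]::IsNullOrEmpty($u.LogonWorkstations)) { throw "$sam has no Log On To restriction" }

    # The password is returned once, as a SecureString, for the operator to put
    # in the vault; it is never written to the console or a log.
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LogOnTo           = $u.LogonWorkstations
        Password          = $password
    }
}

# Sample call (placeholder names):
# New-ServiceAccount -Purpose 'sqlbackup' -Servers 'SQL01','SQL02' -Description 'Nightly SQL backup job'
```

Two caveats worth knowing before adopting this. The "Log On To" list is checked against the workstation name the client presents at logon, so it is a hardening control rather than a hard boundary, which is why the draft pairs it with GPO deny rights. And because the deny rights live in a GPO rather than on the object, a sanity check after creation should confirm the account actually landed in the group the GPO targets, not only in the OU.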

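The draft policy's last two items, auditing of logon events and alerting on failed logons, are the detection side of the same procedure. The following is an added example, not code from the thread or from any list member, showing what that alert logic looks like over Security event 4625 records: it keeps only accounts that follow the draft's svc. naming rule and separates plain wrong-password failures from attempts to use the account from a machine outside its "Log On To" list. The four event records are constructed samples, and the bad-password threshold is an assumed value.

```powershell
# Added example, not code from the thread: a check behind the draft policy's
# "Auditing enabled for logon events" and "Enable alerting for failed logons".
# It reads Security event 4625 records as XML, keeps the ones whose target
# account follows the draft's svc.* naming rule and classifies each by SubStatus:
# 0xC000006A is a wrong password; 0xC0000070 (STATUS_INVALID_WORKSTATION) is a
# logon from a machine outside the account's "Log On To" list.
# The records below are constructed samples; the threshold is an assumed value.

function New-SampleFailureEvent {
    # Constructed 4625 record in the layout EventLogRecord.ToXml() produces,
    # reduced to the fields the parser reads.
    param([string]$User, [string]$Workstation, [string]$Ip, [string]$SubStatus, [string]$Time)
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
            "<System><EventID>4625</EventID><TimeCreated SystemTime='$Time'/></System>" +
            "<EventData><Data Name='TargetUserName'>$User</Data>" +
            "<Data Name='TargetDomainName'>CORP</Data>" +
            "<Data Name='WorkstationName'>$Workstation</Data>" +
            "<Data Name='IpAddress'>$Ip</Data><Data Name='LogonType'>3</Data>" +
            "<Data Name='Status'>0xc000006d</Data>" +
            "<Data Name='SubStatus'>$SubStatus</Data></EventData></Event>")
}

function ConvertFrom-LogonFailureEvent {
    # Flattens the EventData <Data Name='...'> pairs of one record into an object.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LogonType   = [int]$data['LogonType']
        SubStatus   = $data['SubStatus'].ToLower()
    }
}

function Get-ServiceAccountLogonFailures {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [string]$Prefix = 'svc.',            # naming rule from the draft procedure
        [int]$BadPasswordThreshold = 3       # assumed; tune to the environment
    )
    $hits = foreach ($raw in $EventXml) {
        $e = ConvertFrom-LogonFailureEvent -EventXml $raw
        if ($e.Account -like "$Prefix*") { $e }
    }
    foreach ($g in ($hits | Group-Object -Property Account)) {
        $badPassword = @($g.Group | Where-Object { $_.SubStatus -eq '0xc000006a' })
        $badMachine  = @($g.Group | Where-Object { $_.SubStatus -eq '0xc0000070' })
        # A workstation-restriction failure means the credential is being used
        # somewhere it was never meant to be, so a single one raises the alert;
        # wrong passwords only alert once they pass the threshold.
        [pscustomobject]@{
            Account           = $g.Name
            Failures          = $g.Count
            BadPassword       = $badPassword.Count
            WorkstationDenied = $badMachine.Count
            Sources           = (($g.Group | ForEach-Object { "$($_.Workstation)/$($_.SourceIp)" } | Sort-Object -Unique) -join ', ')
            Alert             = ($badMachine.Count -gt 0) -or ($badPassword.Count -ge $BadPasswordThreshold)
        }
    }
}

# Constructed sample: two wrong passwords for svc.backup from its own server,
# one attempt to use svc.backup from a helpdesk PC that is not in its Log On To
# list, and one failure for a human account, which the prefix filter drops.
$samples = @(
    (New-SampleFailureEvent -User 'svc.backup' -Workstation 'BKP01'   -Ip '10.0.1.20' -SubStatus '0xc000006a' -Time '2014-10-08T21:40:00Z'),
    (New-SampleFailureEvent -User 'svc.backup' -Workstation 'BKP01'   -Ip '10.0.1.20' -SubStatus '0xc000006a' -Time '2014-10-08T21:41:00Z'),
    (New-SampleFailureEvent -User 'svc.backup' -Workstation 'HD-PC07' -Ip '10.0.5.14' -SubStatus '0xc0000070' -Time '2014-10-08T21:55:00Z'),
    (New-SampleFailureEvent -User 'jdoe'       -Workstation 'WS-042'  -Ip '10.0.5.9'  -SubStatus '0xc000006a' -Time '2014-10-08T22:01:00Z')
)
Get-ServiceAccountLogonFailures -EventXml $samples | Format-Table -AutoSize

# Live use, on the machine where the logons were attempted or on an event collector:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }
# Get-ServiceAccountLogonFailures -EventXml $xml
```

Event 4625 is written on the machine where the logon was attempted, not on the domain controller, so for a fleet this runs against forwarded events or a collector; Kerberos pre-authentication failures for the same accounts show up on the DCs as event 4771 instead and would need a second filter of the same shape.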
