And here's a less expensive solution than CyberArk: http://www.thycotic.com/

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Tue, Jan 17, 2012 at 4:29 AM, Alan Davies <[email protected]> wrote:

> The purist would say having non-unique passwords for common accounts is a
> vulnerability itself, never mind how you set them! ;o)
>
> For those who can't afford the likes of CyberArk to manage all passwords
> individually, pass-the-hash attacks should be considered carefully.
> Allowing the password to be in a world-readable location for a week would
> be foolish in many environments (eg. callcentres, educational facilities,
> etc.) and an audit finding in most regulated ones. Make sure you consider
> the many "aggravating" factors that might make the risk an external one too
> ... poorly secured network integrated wi-fi, un-monitored ethernet points
> with public (or at least non-staff) physical access. You get the gist!
>
> a
>
> ------------------------------
> From: Brian Desmond [mailto:[email protected]]
> Sent: 16 January 2012 23:51
> To: NT System Admin Issues
> Subject: RE: Quarterly Admin password change
>
> The purist would see that that’s a week the password could be
> compromised. I’d probably let it slide though, especially in a small
> environment.
>
> Thanks,
> Brian Desmond
> [email protected]
> w – 312.625.1438 | c – 312.731.3132
>
> From: David Lum [mailto:[email protected]]
> Sent: Monday, January 16, 2012 2:43 PM
> To: NT System Admin Issues
> Subject: RE: Quarterly Admin password change
>
> Saw that. My mitigation is to use the GPO for a week then nuke it, as our
> standard builds show follow the new PW convention and the GPO is to just
> catch up the previously-built systems.
>
> Thoughts?
>
> Dave
>
> From: Brian Desmond [mailto:[email protected]]
> Sent: Monday, January 16, 2012 12:38 PM
> To: NT System Admin Issues
> Subject: RE: Quarterly Admin password change
>
> Keep this in mind -
> http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx
>
> Thanks,
> Brian Desmond
> [email protected]
> w – 312.625.1438 | c – 312.731.3132
>
> From: David Lum [mailto:[email protected]]
> Sent: Monday, January 16, 2012 8:04 AM
> To: NT System Admin Issues
> Subject: RE: Quarterly Admin password change
>
> +1 just did that myself via GPP. Our “local admin maintenance GPO” does
> two things:
>
> · Renames the local admin account.
> · Sets the password on the added-in local administrator account.
>
> Dave
>
> From: ed ziots [mailto:[email protected]]
> Sent: Sunday, January 15, 2012 2:49 PM
> To: NT System Admin Issues
> Subject: RE: Quarterly Admin password change
>
> +1, that is pretty easy one. Also make sure you rename it to something
> else than "Administrator" and create a dummy admin account which is only a
> "Guest" and disabled, and audit its attempted use for audit and incident
> response purposes.
>
> Also can script it out with cusrmgr.exe from the Windows 2000 resource
> kit.
>
> Z
>
> Edward E. Ziots
> Senior Informational Security Engineer
> CISSP,Security +,Network+
>
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: Quarterly Admin password change
> > Date: Sun, 15 Jan 2012 22:42:35 +0000
> >
> > Easy to do with GPP or with a script.
> >
> > Regards,
> >
> > Michael B. Smith
> > Consultant and Exchange MVP
> > http://TheEssentialExchange.com
> >
> > -----Original Message-----
> > From: Juned Shaikh [mailto:[email protected]]
> > Sent: Sunday, January 15, 2012 5:16 PM
> > To: NT System Admin Issues
> > Subject: Quarterly Admin password change
> >
> > I am trying to identify how are you folks managing the security
> > requirement of changing Local admin password of all servers quarterly?
> >
> > Thanks in advance,
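
The concern raised in the thread about a GPP-set password sitting in a world-readable location, and the plan to remove the GPO after a week, can be checked by scanning the policy folder for preference XML that still carries a stored password. This is an added example, not part of the thread: the function name `Find-GppStoredPassword` and the sample tree are hypothetical, and it assumes GPP keeps the password in a `cpassword` attribute of the preference XML.

```powershell
# Added example. Lists Group Policy Preferences XML files that still hold a
# stored password (a non-empty cpassword attribute). The value itself is
# never output or decoded; only where it sits and which account it targets.
function Find-GppStoredPassword {
    param(
        # Folder to scan, e.g. the Policies folder of your domain's SYSVOL share.
        [Parameter(Mandatory = $true)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { return }    # unreadable or not well-formed XML: skip this file
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File        = $file.FullName
                    ItemType    = $node.ParentNode.LocalName    # e.g. User
                    Account     = $node.GetAttribute('userName')
                    RenamedTo   = $node.GetAttribute('newName')
                    FileWritten = $file.LastWriteTimeUtc
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline.
# The GUID, account names and attribute values are made up.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2012-01-16 20:43:00">
    <Properties action="U" newName="constructed-admin" cpassword="CONSTRUCTED-PLACEHOLDER"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppStoredPassword -Path $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Run against the policy folder before and after the GPO is removed, an empty result shows that no preference file there still carries a stored password.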
