Administrator Password Expiration

  • Our auditors are trying to ding us for not setting our network administrator user ID password to automatically expire. We do in fact manually change the password every 60 days. It is not set to automatically expire since it may disrupt system functions. I have read other posts online regarding this issue but never really found an answer/explanation. I have also researched ‘best practices’ and have not really found anything either. Any recommendations?

  • How may the expiration of a network password disrupt system functions? Can you explain this in further detail? Does any application do an automatic login with the administrator-ID and password or do you only do manual logins?
    I guess the automatic expiration setting only forces the user to change the password at the first logon attempt that happens after the number of days since the last password change was made, but it does not render the account unusable before this login attempt.
    If you manually change the password every 60 days anyhow, what keeps you from having the system enforce this practice?

  • Hi - Yes, I’m familiar with this issue and particularly the need to change accounts tied to Windows services carefully.
    Domain administrators should be able to participate in the password rotation process, as long as their accounts are not tied into Windows services for client/server jobs, etc. It’s always been a best practice to use domain admin accounts just for the network techs access and to set up separate Windows accounts for jobs or Windows Services functions.
    Rather than massively changing everything, I wonder if the auditors might compromise (oxymoron - lol) on changing just a few accounts to pilot a 60 day rotation process as a proof-of-concept to ensure everything will work well. Every user domain account that ties into a Windows job service could be converted to a new separate account (plus add a little documentation).
    I do recall in a former company that user accounts were tied into critical services and it was so difficult to change, that the account had to be left in place.
    Finally, the actual Administrator account on PCs and servers should be renamed or disabled in most cases. However, it should not be part of the password rotation cycle, as the password change may be invoked by a service rather than a person (and lockouts could occur).
    Below are some links that might help in the research also:
    http:// password changes
    http:// password considerations
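Before enforcing expiry on admin accounts, the practical first step the reply above describes is finding which services and scheduled tasks are running under named user accounts. The following is an added example (not code from the thread or its posters) that inventories those on one Windows host; it assumes an elevated PowerShell session on Windows 8/Server 2012 or later, where Get-ScheduledTask is available.

```powershell
# Added example: list services and scheduled tasks on this host that run under a
# named (non-built-in) account, so those accounts can be moved to dedicated
# service accounts before password expiration is enforced on admin accounts.
# Assumes an elevated PowerShell session on a Windows host.

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# Services: StartName is the logon account the service runs as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) -and
                   $_.StartName -notlike 'NT SERVICE\*' } |
    Select-Object @{n='Type';    e={'Service'}},
                  @{n='Name';    e={$_.Name}},
                  @{n='Account'; e={$_.StartName}},
                  @{n='State';   e={$_.State}}

# Scheduled tasks: the task Principal holds the account the task runs as.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and
                   ($builtin -notcontains $_.Principal.UserId) -and
                   $_.Principal.UserId -notin @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') } |
    Select-Object @{n='Type';    e={'Task'}},
                  @{n='Name';    e={$_.TaskName}},
                  @{n='Account'; e={$_.Principal.UserId}},
                  @{n='State';   e={$_.State}}

$findings = @($services) + @($tasks)

# Mark entries whose account is a domain account (DOMAIN\user or user@domain);
# those are the ones a password rotation on that account would break.
$findings | ForEach-Object {
    $isDomain = ($_.Account -match '\\|@') -and ($_.Account -notlike '.\*')
    $_ | Add-Member -NotePropertyName IsDomainAccount -NotePropertyValue $isDomain -PassThru
} | Sort-Object IsDomainAccount -Descending | Format-Table -AutoSize
```

Running this on each server before the pilot rotation gives the list of accounts that need a separate service account (and the documentation the reply mentions) before their passwords are put on an expiry cycle.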

  • Well I must say that password rotation each week is the best way to save your passwords from any mishaps. And I follow this rule quite aggressively.
