Most enterprises expend significant effort to ensure that when employees leave the firm, all computer access has been disabled by the time they make their final exit. When IT staff members leave the firm, some enterprises might even change the Administrator account passwords for the domains to prevent unauthorized access through a shared account. Unfortunately, those same IT staff members are likely to have set up Microsoft Systems Management Server (SMS), Microsoft Exchange Server, and other applications that require an administrative account in the domain. But few enterprises modify the service account passwords when IT staff members leave.

Adding to the security risk that service accounts pose, consider that setting the Password Never Expires flag for service accounts is typically considered good practice. Although setting this flag typically reduces the probability of a service logon failure, it provides password hash-comparison utilities such as L0phtCrack an infinite amount of time to obtain the password for a privileged account.

The solution to mitigate both these risks seems quite simple in theory: Change the service account passwords regularly to an unknown value. In practice, however, most IT shops are unwilling to do so because of the potential risk of compromising the functionality of their core infrastructure services. However, you can automate the process of managing service account passwords. By writing a service-account-password management script, you not only reduce the security risk that privileged accounts pose but also reduce the risk of incurring downtime as a result of changing service account passwords.