Home page logo

basics logo Security Basics mailing list archives

Re: Changing the domain password policy
From: krymson () gmail com
Date: 2 Feb 2007 18:55:30 -0000

1. You could try to look into your AD event logs and check for Successful logons for the domain admin account.

2. Every time you identify a service using the domain admin account, replace it with a different account that is part 
of the domain admins group. You want accounts separated as much as possible, and you can then later evaluate whether 
that one service even needs domain admin level access. One service/function for one domain admin level account.

3. After you change the domain admin account, closely monitors server event logs for failed logons to the domain admin 
account. This should indicate the source and that there is something out there still trying to use the old password. 
You want to catch downed services before your users or management come looking for you.

4. Policy should dictate very complex passwords for domain admin level accounts. You want non-dictionary words, 16+ 
characters, and mixed alphanumerics and cases and special characters. You don't necessarily have to regularly change 
service passwords as perhaps the business interuption is not worth the password change, but you really should still be 
aware of what services are out there, what account they use, and limit them as much as possible (maybe run as a 
privileged normal domain user?). The root domain admin account should be used as little as possible and the password 
rotated regularly.

5. If you do want to still rotate and change passwords for services, look at your inventory and set up a reminder to 
change passwords. I would avoid setting an expiration date for service accounts that you aren't really sure when they 
will be removed. Besides, if you're a day late and the account is locked, your business may be threatened.

6. You really should have different standards for different account types. The root domain admin account is one type 
all by itself. Any other accounts in the domain admins group should be another. All service accounts should be another. 
And lastly your regular domain user accounts. While you can, and should, use AD policy to force complexity for domain 
user accounts, you really want to practice more complex passwords for the other types.

While the biggest thing to do is make sure you know your environment and what service accounts are used where, 
eventually you'll find yourself stuck and you just need to make the change and deal with what breaks.

<- snip ->
Time has come to change the domain admin password. Unfortunately this is 
used (hardcoded?) across the network in lots of different places, 
services, virus downloads etc. Does anyone know of a way for me to audit 
the admin account so I can see where it is currently in use.

Has anyone got any other tips for changing the domain admin password 
without lots of pain?


Hi All,

I wish to amend my windows domain policy to include passowrd complexity 
and minimum length. However I have a bunch of service accounts, of which 
I do not know all. These passswords are set in AD to not expire. Am I 
right in thinking that the changes to the domain password policy will 
not effect the accounts that have this attribute set in AD, until these 
passwords are actually changed?

How do other people deal with service accounts and their adherence to 
domain password policys?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]