Administrator accounts with passwords that don't expire

In a completely unscientific survey I took during a recent TechEd presentation, I asked how many people with domain admin credentials had also configured their own administrator accounts to be exempt from the password policy that requires regular password changes.

The response was nervous laughter.

While some organizations have strict policies about password updates, enforcement of those policies is often inconsistent. The smaller the IT department, the less likely privileged users are to stringently adhere to security policies such as regularly updating privileged account passwords.

Why? Probably because no one except the administrators themselves would be aware that the policy is being violated.

As the inevitable trend of single administrators managing more computers continues, many organizations' IT departments have been shrinking. Whereas a company with 1,500 people would have had a small team of administrators a decade ago, the same company might have only one or two today.

With a smaller administration team comes less peer oversight. “Quis custodiet ipsos custodes?” is an easier question to answer when the watchers are watching each other, and a much harder one when there are only one or two watchers. Perhaps large IT teams are better at self-policing compliance with security policies simply because there is more peer pressure to conform.

While there are queries that can be run in Active Directory Administrative Center (or from PowerShell with the ActiveDirectory module) to determine which accounts are exempt from expiry or haven’t had their passwords changed recently, this is not a task that’s likely to be performed by anyone outside the administration team.
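The audit described above, as an added example that is not part of the original post: it enumerates the (nested) members of the usual privileged groups plus any account with adminCount=1, and reports those whose password is flagged never to expire (the DONT_EXPIRE_PASSWD bit in userAccountControl) or has not been changed within a threshold. The group list and the 90-day threshold are assumptions; adjust them to your own policy. It requires the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (RSAT). Group names and the 90-day threshold are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedPasswordAudit {
    [CmdletBinding()]
    param(
        [int]$MaxPasswordAgeDays = 90,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators')
    )

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # Users that are direct or nested members of a privileged group.
    $members = foreach ($g in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Could not enumerate group '$g': $_"
        }
    }

    # adminCount=1 also catches accounts that were once in a protected group
    # and still carry the AdminSDHolder-stamped ACL after being removed.
    $adminCountUsers = Get-ADUser -LDAPFilter '(adminCount=1)'

    $ids = @($members) + @($adminCountUsers) |
        Select-Object -ExpandProperty SamAccountName -Unique

    foreach ($sam in $ids) {
        $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires,
                PasswordLastSet, Enabled, pwdLastSet

        # PasswordNeverExpires maps to userAccountControl bit 0x10000.
        $neverExpires = [bool]$u.PasswordNeverExpires
        # pwdLastSet = 0 means the password was never set / must change at logon.
        $stale = ($u.pwdLastSet -eq 0) -or ($u.PasswordLastSet -lt $cutoff)

        if ($neverExpires -or $stale) {
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $neverExpires
                PasswordLastSet      = $u.PasswordLastSet
                DaysSinceChange      = if ($u.PasswordLastSet) {
                    [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                } else { $null }
            }
        }
    }
}

# Remediation with -WhatIf / -Confirm support so it can be dry-run first.
function Clear-PasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
        }
    }
}

# Usage:
#   Get-PrivilegedPasswordAudit | Format-Table -AutoSize
#   Get-PrivilegedPasswordAudit |
#       Where-Object PasswordNeverExpires |
#       Clear-PasswordNeverExpires -WhatIf
```

Run the report from a scheduled task that delivers it to someone outside the administration team; the point of the post is that the flag only stays set because nobody else is looking. Clearing the flag does not by itself force a change: the account then expires according to the domain or fine-grained password policy that applies to it.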

Some administrators might shrug and decide that while it’s a bad practice, there’s little risk to them because they make sure that no-one is shoulder surfing when they enter their password. The reality is, as the science fiction author Charles Stross points out in a recent blog post ( http://www.antipope.org/charlie/blog-static/2013/12/trust-me.html ), keyloggers are getting smaller, can be small USB pass-through devices, and can even be built into keyboards. Unless an administrator physically checks their computer for such a device every time, someone who works in the same organization could plant one on the administrator’s workstation, and a password that never changes stays useful to them indefinitely (yet another good argument for two-factor authentication on sensitive privileged accounts).

Ultimately, whether you select the “password never expires” option is up to you. Enabling it does reduce the security of your organization, and with the advent of managed service accounts, whose passwords Windows rotates automatically, there are fewer reasons to use static passwords with any account.


on Dec 26, 2013

I use my own laptop. It is Bitlockered and runs EMET 4 with High Security. Passwords are stored in either PGP or Password Safe.

Company policy is to require a password change every 365 days. It has been that way since before I got here. I have suggested tighter protocols but they have been rejected.

I am also a developer and am very familiar with Process Explorer and a few other tools.

That said - passwords are extinct. I've always taught people to use a passphrase and then do something like take the first letter of each word and change l's into 1's and e's into 3's and e's into @'s, for instance. Server browsers are either blocked or running under Enhanced security.

All of that said: I'd love a decent, USB key based two-factor authentication mode...even if only for my systems. Especially if it integrated with PGP and GPG.

on Dec 26, 2013

I think passwords are a bit like that quote from Churchill about Democracy - being a bad system, but the best that we've come up with.


What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.

Contributors

Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...