In a completely unscientific survey I took during a recent TechED presentation, I asked how many people who had domain admin credentials had also configured their administrator accounts to be exempt from password policy requiring regular password changes.
The response was nervous laughter.
While some organizations have strict policies about password updates, enforcement of those policies is often inconsistent. The smaller the IT department, the less likely privileged users are to stringently adhere to security policies such as regularly updating privileged account passwords.
Why? Probably because no one except the administrators themselves would be aware that the policy is being violated.
As the inevitable trend of single administrators managing more computers continues, the size of many organizations’ IT departments has been shrinking. Whereas a company with 1500 people would have had a small team of administrators a decade ago, the same company might only have one or two today.
With the reduction in the size of the administration team comes a reduction in peer oversight. “Quis custodiet ipsos custodes” is an easier question to answer when the watchers are watching each other, and much harder to answer if there are only one or two watchers. Perhaps large IT teams are better at self-policing when it comes to compliance with security policies simply because there is more peer pressure to conform.
While there are queries that can be run in Active Directory Administrative Center to determine which accounts haven’t had their passwords changed recently, this is not a task that’s likely to be performed by anyone outside the administration team.
Some administrators might shrug and decide that, while it’s a bad practice, there’s little risk to them because they make sure that no one is shoulder surfing when they enter their password. The reality is, as the science fiction author Charles Stross points out in a recent blog post (http://www.antipope.org/charlie/blog-static/2013/12/trust-me.html), that keyloggers are getting smaller, can be small USB pass-through devices, and can even be built into keyboards. Unless an administrator physically checks their computer each time for the presence of such a device, someone who works in the same organization could place one on the administrator’s workstation (yet another good argument for two-factor authentication for sensitive privileged accounts).
Ultimately, whether you select the “password never expires” option is up to you. Enabling it does reduce the security of your organization, and with the advent of managed service accounts there are fewer reasons to use static passwords with any user account.
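The kind of check described above, written out as an added example rather than anything from the original post: a PowerShell script (ActiveDirectory module from RSAT) that lists members of privileged groups whose accounts are exempt from expiry or whose password is older than a threshold. The group names, the 90-day threshold and the report layout are assumptions; adjust them to your own policy.

```powershell
# Added example, not from the original post. Reports privileged accounts that are
# exempt from password expiry or whose password is older than a chosen threshold.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                       # assumed policy threshold
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$cutoff             = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Resolve nested membership of each group and de-duplicate by SID.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$members = $members | Sort-Object -Property SID -Unique

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.SID -Properties PasswordNeverExpires, PasswordLastSet, Enabled
    # PasswordLastSet is $null when the password has never been set or must change at next logon.
    $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = $ageDays
        Finding              = if ($u.PasswordNeverExpires)        { 'Exempt from expiry' }
                               elseif (-not $u.PasswordLastSet)    { 'Password never set / must change' }
                               elseif ($u.PasswordLastSet -lt $cutoff) { "Older than $MaxPasswordAgeDays days" }
                               else                                 { 'OK' }
    }
}

# Show only the accounts that violate the policy, oldest password first.
$report | Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Because both cmdlets only need read access to the directory, the script can be scheduled under a non-administrative audit account, which gives a small team the outside oversight the post says it lacks.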