Changing domain password policy - some questions before


Mike Leone

Jun 18, 2024, 1:08:51 PM
to NTSysAdmin
So our default domain password policy is .... insufficiently sane ... so we're thinking of implementing something more sane. You know, change every 120 days, complexity, etc.

Obviously I don't want this to apply to service accounts, and some others, such as domain admin, etc.

Q: do I *just* check "Password Never Expires" on those accounts? Is that enough? OR do I need to make a Fine Grained Password Policy that applies to those accounts? I don't see a similar option on the Password Settings of the Fine Grained Password Policy. Or is there a better way?

I don't want those accounts' passwords to change automatically. I wouldn't want SQL Server to stop running because the account password expired and wasn't changed (since no one interactively logs in as that account), etc.

I'm sure I will have more questions, as we ruminate further ...

Thanks!


--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Henry Awad

Jun 18, 2024, 1:25:42 PM
to ntsys...@googlegroups.com
With Server 2008 and newer versions, you can specify different password policies for different OUs. So I would recommend setting up your default domain password policy and applying it to all the user OUs except one where you put all your other accounts, and apply a different policy to that OU. If you have a password management system like Secret Server or CyberArk, I recommend using them to create complex passwords for your service accounts and other elevated privilege accounts like Domain Admin.


Henry Awad
Principal Engineer
Technology Services
The Catholic University of America


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BiH4GNwNVn4eW2N7CbgHHZbQXdcnnBj7feXfU-7ggVRrA%40mail.gmail.com.

Brian Illner

Jun 18, 2024, 1:30:06 PM
to ntsys...@googlegroups.com

It would also be worth investigating the use of Managed Service Accounts and gMSA's.

Group Managed Service Accounts Overview | Microsoft Learn

These could possibly take the place of many of your static AD User accounts used for services.

BRIAN ILLNER
Senior Systems Administrator
864.250.9227 Office
864.679.2537 Fax
Canal Insurance Company
101 N. Main Street, Suite 400
Greenville, SC 29601

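What replacing one of those static service accounts with a gMSA looks like end to end, as an added example that is not from the thread or from the linked Microsoft article. It assumes the ActiveDirectory RSAT module, Domain Admin rights, domain controllers on Windows Server 2012 or later, and placeholder names: the domain corp.example.com, a member server SQL01, a global security group SQL-Hosts that SQL01$ belongs to, the account gmsa-sql01 and a service named SomeService.

```powershell
# Added example (not from the thread): move a service from a static AD user
# account with "Password never expires" to a group Managed Service Account.
# Placeholders: domain corp.example.com, server SQL01, global security group
# SQL-Hosts (contains SQL01$), gMSA name gmsa-sql01, service name SomeService.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key that DCs derive gMSA passwords from.
#    Even with -EffectiveImmediately the key only becomes usable ~10 hours later,
#    which gives every DC time to replicate it before a host asks for a password.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. The account. Only members of SQL-Hosts can retrieve its password, and the
#    DCs rotate it every 30 days with no human involvement, so there is nothing
#    to expire and nothing to mark "never expires". The rotation interval can
#    only be set at creation time.
New-ADServiceAccount -Name 'gmsa-sql01' `
    -DNSHostName 'gmsa-sql01.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example.com:1433'

# 3. On SQL01 itself, after it has been added to SQL-Hosts and rebooted (the
#    computer's Kerberos ticket has to carry the new group membership, otherwise
#    the password retrieval is denied and Test-ADServiceAccount returns $false).
Install-ADServiceAccount -Identity 'gmsa-sql01'
Test-ADServiceAccount -Identity 'gmsa-sql01'   # $true once the host can fetch the password

# 4. Point the service at the gMSA. The logon name ends in '$' and the password
#    is left blank: the service control manager fetches it from AD at start-up.
#    For SQL Server itself, make this change in SQL Server Configuration Manager
#    instead, because it also grants the account the local rights SQL needs.
sc.exe --% config SomeService obj= "CORP\gmsa-sql01$" password= ""
```

Step 3 is the one that usually trips people up: a host that was put in SQL-Hosts a minute ago still authenticates with a token that predates the membership, and `Test-ADServiceAccount` is the quickest way to tell "not replicated / not in the group yet" from "the service is misconfigured".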


Kurt Buff

Jun 18, 2024, 1:30:42 PM
to ntsys...@googlegroups.com
Selecting "Password never expires" on an account excludes it from the password policy.

Excluding Domain Admins and other highly privileged accounts from the Domain password policy is acceptable, as long as their passwords are not marked to never expire, and there's a more restrictive policy in place using an FGPP.

Excluding service accounts by marking their passwords to never expire is common practice, but if possible you should migrate them to gMSAs, and if not possible make sure you have some sort of system to rotate them regularly.

Kurt
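Kurt's three points, and the FGPP-per-group setup Henry describes, in PowerShell, as an added example that is not from the thread: a stricter Password Settings Object for privileged accounts (bound to a group, since PSOs apply to users and global security groups), an audit of which enabled accounts carry "Password never expires" together with the policy they would otherwise fall under, and a minimal rotation routine for service accounts that cannot move to a gMSA. The group name Tier0-Admins, the PSO name PSO-Tier0-Admins and all the lengths and ages are placeholders; it assumes the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example (not from the thread). Placeholders: group Tier0-Admins,
# PSO name PSO-Tier0-Admins; the numeric settings are illustrative.
Import-Module ActiveDirectory

# 1. Baseline: what the Default Domain Policy enforces today.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold

# 2. A stricter PSO for privileged accounts. When several PSOs apply to one
#    user, the one with the lowest Precedence wins.
$pso = @{
    Name                            = 'PSO-Tier0-Admins'
    Precedence                      = 10
    ComplexityEnabled               = $true
    MinPasswordLength               = 20
    PasswordHistoryCount            = 24
    MinPasswordAge                  = New-TimeSpan -Days 1
    MaxPasswordAge                  = New-TimeSpan -Days 60
    LockoutThreshold                = 5
    LockoutDuration                 = New-TimeSpan -Minutes 30
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso
# PSO subjects are users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# 3. Audit. The DONT_EXPIRE_PASSWORD flag ("Password never expires") overrides
#    MaxPasswordAge from whichever policy applies, so a Tier0 admin with the
#    flag set is still exempt from the PSO above. List who has the flag, how
#    stale the password is, and which policy would otherwise govern them.
function Get-NeverExpiringAccounts {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordLastSet, ServicePrincipalName, AdminCount |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            HasSPN          = [bool]$_.ServicePrincipalName   # strong hint it is a service account
            Protected       = ($_.AdminCount -eq 1)            # AdminSDHolder-protected, i.e. privileged
            ResultantPolicy = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        }
    }
}
Get-NeverExpiringAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize

# 4. For service accounts that cannot become gMSAs, "never expires" is only
#    defensible if something rotates them. Minimal version: a uniformly random
#    32-character password set via an administrative reset. The service
#    definition on the host(s) has to be updated in the same change window.
function New-RandomPassword([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        # rejection sampling: discard bytes that would bias toward the low characters
        if ($buf[0] -lt (256 - (256 % $alphabet.Length))) {
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    -join $chars
}

function Reset-ServiceAccountPassword([string]$SamAccountName) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    $secure   # hand this to the host-side service change; never write it to a log
}
```

The audit in step 3 is the check worth running before the new default policy goes live: every row with `HasSPN` false and `Protected` true is an interactive admin account that has quietly opted out of expiry, and every row with a `PasswordLastSet` years in the past is a service account that step 4 (or a gMSA) should cover.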

Philip Elder

Jun 18, 2024, 1:56:52 PM
to ntsys...@googlegroups.com
My add to this is to have MFA/2FA on all servers. Period.

No MFA/2FA approval? Then no access.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Fehlman, Lee

Jun 18, 2024, 3:36:23 PM
to ntsys...@googlegroups.com
I'd take a look at the following article. This is currently deployed to the Domain.


Kurt Buff

Jun 18, 2024, 3:39:57 PM
to ntsys...@googlegroups.com
I'm curious - how do you propose to apply MFA to WMI/WinRM/RSAT tools access?

Duo works great for console access (RDP, VMware remote console, direct KVM), but doesn't have a lot to offer for other kinds of access.

Kurt

Henry Awad

Jun 18, 2024, 3:59:55 PM
to ntsys...@googlegroups.com
I would suggest using a jump server that admins or other users with elevated privileges RDP into, with 2FA/MFA such as DUO set up in addition to VPN. Another option is using a PAM system that you access with 2FA/MFA and then launch whatever connections from the PAM server. They also have APIs you can use with the PAM server to be able to authenticate without including the password in your code or script.

Philip Elder

Jun 18, 2024, 4:38:40 PM
to ntsys...@googlegroups.com
One of our contractors uses a product called White Cloud to do that very thing.

I get a little nervous around multiple "security" products running on one OS because of them stepping over themselves but it does work.

The catch: Once in past DUO I can kill WC so that I can actually work. ;0)

Kurt Buff

Jun 18, 2024, 5:43:27 PM
to ntsys...@googlegroups.com
That's interesting - I looked at the White Cloud web site, and it looks like they're trying to make a better AppLocker, and they don't mention MFA at all.

Possibly a good product, but it doesn't look like that covers MFA requirements.

Kurt

Philip Elder

Jun 18, 2024, 6:22:02 PM
to ntsys...@googlegroups.com
Ah, no. It covers the other requirements mentioned. Combined with DUO we have all of the bases covered.