|
Posted by J Burford Fields on November 29, 2005, 12:32 am
Please log in for more thread options
Are service account passwords managed and changed automatically like
IUSR_MachineName? Or should one change their passwords periodically?
I'm thinking the former, but do not recall seeing it in writing.
tia
|
|
Posted by Paul Adare on November 29, 2005, 2:39 am
Please log in for more thread options
the microsoft.public.windows.server.security news group, J Burford
show/hide quoted text
> Are service account passwords managed and changed automatically like
> IUSR_MachineName? Or should one change their passwords periodically?
> I'm thinking the former, but do not recall seeing it in writing.
>
No, just because you specify that an account is to be used by a service
does not mean that it's password will be changed automatically. You need
to handle these manually just like any other account.
--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
|
|
Posted by J Burford Fields on November 29, 2005, 8:41 am
Please log in for more thread options Thanks, Paul. Am I mistaken? IUSR_Machine name... doesn't
automatically change, either?
...and the Kerberos service account?
|
|
Posted by Paul Adare on November 29, 2005, 8:47 am
Please log in for more thread options the microsoft.public.windows.server.security news group, J Burford
show/hide quoted text
> Thanks, Paul. Am I mistaken? IUSR_Machine name... doesn't
> automatically change, either?
>
> ...and the Kerberos service account?
>
Those do, however they are special accounts that are created by the OS,
you can't compare those to accounts you create yourself and assign to a
service.
--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
|
|
Posted by Joe Richards [MVP] on November 29, 2005, 10:14 am
Please log in for more thread options The service has to the changing. For IUSR for instance the IIS service manages
the password, you can actually turn that capability off if you want and people
do do it if they have multiple instances of IIS on different machines running
under the same ID. If it changed in that case, only one instance would work.
Also note that IIS actually doesn't run as IUSR, it launches specific processes
as ISUR or others as necessary. Normally it runs as one of the non-userid
security contexts like localsystem.
You also mention the kerberos account. The KDC runs as localsystem as well. The
krbtgt ID is used by the KDC service but is never logged into. The password is
never changed and in fact the account is disabled.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
J Burford Fields wrote:
show/hide quoted text
> Are service account passwords managed and changed automatically like
> IUSR_MachineName? Or should one change their passwords periodically?
> I'm thinking the former, but do not recall seeing it in writing.
>
> tia
>
|
| Similar Threads | Posted | | passwords Service accounts and services | August 15, 2006, 6:41 pm |
| How protect Administrators account and passwords | June 7, 2007, 9:31 am |
| Reset Passwords, Account operators, Delegation - access denied | August 8, 2006, 8:37 pm |
| Service account modified | January 20, 2009, 6:35 pm |
| 'NT Authority\Network Service' Account | July 26, 2005, 4:03 am |
| Local Administrator as service log on account | January 11, 2006, 3:51 am |
| password crack for service account | April 14, 2009, 12:51 pm |
| Allowing a local account to log on as batch/service? | July 18, 2005, 2:15 am |
| accessing HKCU of network service account | December 21, 2005, 4:23 pm |
| Permissions required for the Cluster service account? | July 7, 2006, 6:51 am |
|
XML Sitemap
> IUSR_MachineName? Or should one change their passwords periodically?
> I'm thinking the former, but do not recall seeing it in writing.
>