Deny logon locally is a Group Policy Object (GPO) setting that should be used for all service accounts because it shuts down one avenue of exploitation—an interactive logon (e.g., a logon using Ctrl+Alt+Del) to a system with that account. Most security teams frown on allowing accounts with non-expiring passwords to exist, but it's often nearly impossible to operate without some. One of the biggest concerns people have is that such an account could be used anywhere on the network, leading to abuse of it. To satisfy security teams and auditors, I came up with a simple way to comply with this security practice but still have service accounts with passwords that don't expire.
More:
http://m.windowsitpro.com/security/service-accounts-can-be-secure-yet-have-non-expiring-passwords
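
One way to check that the setting described above actually covers each service account, as an added example that is not part of the original post: it parses a user-rights export for `SeDenyInteractiveLogonRight` (the constant behind "Deny log on locally") and reports accounts that neither hold the right directly nor through a group. The function names, the `EXAMPLE` accounts and all SIDs are constructed for illustration.

```powershell
# Constructed sample of the export written by (run elevated):
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# SIDs carry a '*' prefix; an entry may also appear as a plain account name.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
'@

function Get-UserRightHolder {
    # Hypothetical helper: returns the SIDs/names assigned to one user right.
    param([string]$InfText, [string]$Right)
    foreach ($line in $InfText -split "`r?`n") {
        # Anchored match so SeInteractiveLogonRight never matches the Deny right.
        if ($line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right not defined in the export: nobody is denied
}

function Test-ServiceAccountDenyLogon {
    # $Accounts maps an account name to every SID that applies to it:
    # its own SID plus the SIDs of the groups it belongs to.
    param([string]$InfText, [hashtable]$Accounts)
    $denied = @(Get-UserRightHolder -InfText $InfText -Right 'SeDenyInteractiveLogonRight')
    foreach ($name in ($Accounts.Keys | Sort-Object)) {
        $hit = @($Accounts[$name] | Where-Object { $denied -contains $_ })
        [pscustomobject]@{
            Account          = $name
            DenyLogonLocally = ($hit.Count -gt 0)
            MatchedSid       = ($hit -join ',')
        }
    }
}

# Constructed inventory: svc-backup belongs to the denied group (RID 1601),
# svc-web was never added to it and can still log on interactively.
$accounts = @{
    'EXAMPLE\svc-backup' = @('S-1-5-21-1111111111-2222222222-3333333333-1105',
                             'S-1-5-21-1111111111-2222222222-3333333333-1601')
    'EXAMPLE\svc-web'    = @('S-1-5-21-1111111111-2222222222-3333333333-1106')
}
Test-ServiceAccountDenyLogon -InfText $sampleInf -Accounts $accounts | Format-Table -AutoSize
```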