Critical System Protection

  • 1.  Password expiration and reset for server

    Posted May 06, 2011 06:04 AM

    Hi all,

     

    One of my customers is an existing SCSP user and they would like to know if SCSP is able to do the following,

     

    1. alarm administrator if the Windows server password is going to expire/expired

    2. generate a password randomly and send it to the administrator (I do believe this requirement does not make sense)

     

    Thanks



  • 2.  RE: Password expiration and reset for server

    Broadcom Employee
    Posted May 06, 2011 09:42 AM

    I do not think either of these functionalities is available with CSP 5.2.7



  • 3.  RE: Password expiration and reset for server

    Posted May 06, 2011 10:20 AM

    You can monitor the event logs in Windows to see when a user's password is expired and an attempt to log on occurs.  You need to look for event ID 535, and if you want to, you can narrow the results by parsing for the username you want to monitor.

    I do not know of a way to monitor when the password actually expires.  It appears that Windows only creates an event when an attempt to log on occurs, and this functionality in SCSP would fall under a custom detection policy, which monitors logs.

    From MS site:

       Event ID: 535
           Type: Failure Audit
           Description: Logon Failure:
                 Reason: The specified account's password has expired
                 User Name: %1 Domain: %2
                 Logon Type: %3 Logon Process: %4
                 Authentication Package: %5 Workstation Name: %6

    As far as a randomly generated password, that functionality does not exist in SCSP, and with an Admin password that could potentially be very dangerous.  What would happen if the randomly generated password was not delivered, sent to an expired email account, intercepted in transit, or lost?
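    As an added illustration of the log-monitoring approach described in this reply (not code from the post or from SCSP), the Python below pulls Event ID 535 records out of constructed sample log lines and filters them by a watch list of user names; the single-line log layout, user names and hosts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample lines (not real logs). Each carries the event ID followed by
# the description fields from the Event ID 535 template quoted above.
SAMPLE_LOG = """\
2011-05-06 08:01:12 Security Failure Audit 535 Logon Failure: Reason: The specified account's password has expired User Name: jsmith Domain: CORP Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WS01
2011-05-06 08:02:40 Security Failure Audit 529 Logon Failure: Reason: Unknown user name or bad password User Name: bogus Domain: CORP Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS02
2011-05-06 08:05:03 Security Failure Audit 535 Logon Failure: Reason: The specified account's password has expired User Name: svc_backup Domain: CORP Logon Type: 4 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: SRV01
2011-05-06 08:07:55 Security Success Audit 528 Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WS01
"""

# Only a Failure Audit with ID 535 matches; the %1..%6 placeholders become named groups.
EVENT_535 = re.compile(
    r"^(?P<ts>\S+ \S+) Security Failure Audit 535 Logon Failure: "
    r"Reason: (?P<reason>.+?) User Name: (?P<user>\S+) Domain: (?P<domain>\S+) "
    r"Logon Type: (?P<logon_type>\d+) Logon Process: (?P<process>\S+) "
    r"Authentication Package: (?P<package>\S+) Workstation Name: (?P<workstation>\S+)$"
)


@dataclass(frozen=True)
class ExpiredPasswordLogon:
    timestamp: str
    user: str
    domain: str
    logon_type: int
    workstation: str


def parse_event_535(line: str) -> Optional[ExpiredPasswordLogon]:
    """Return the parsed record for an Event ID 535 line, or None for any other line."""
    m = EVENT_535.match(line.strip())
    if not m:
        return None
    return ExpiredPasswordLogon(m["ts"], m["user"], m["domain"],
                                int(m["logon_type"]), m["workstation"])


def find_expired_password_logons(lines: Iterable[str],
                                 watch_users: Optional[Set[str]] = None) -> List[ExpiredPasswordLogon]:
    """Collect expired-password logon failures, optionally only for the watched accounts."""
    watched = {u.lower() for u in watch_users} if watch_users else None
    hits = []
    for line in lines:
        ev = parse_event_535(line)
        if ev is None or (watched is not None and ev.user.lower() not in watched):
            continue  # not a 535, or an account we are not alerting on
        hits.append(ev)
    return hits
```

    Running `find_expired_password_logons(SAMPLE_LOG.splitlines(), {"svc_backup"})` returns only the SRV01 record, which is the narrowing by username the reply suggests.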



  • 4.  RE: Password expiration and reset for server

    Posted Jul 06, 2011 08:45 PM

    Detection of an event that may be occurring in the future, such as your requirement to alert when an account is about to expire, is more of a compliance solution where Symantec CCS may be a good tool to audit your accounting information. To my knowledge Windows will not alert you that a potential account is "about to" expire as mentioned above. However, account expiration detection is automatically built into the Windows baseline policy. It can then trigger an email alert to your account team automatically if any account expires, or I can walk you through how to tune the IDS rule so it only alerts for, say, a specific set of accounts. On the reverse logic, you can have it ignore a set of accounts to send a detection event from the policy configuration screen. Even further, a template policy can be created to specifically generate events on expiration types (domain accounts, service accounts, etc...)

    As stated above #2 is not a good idea to pursue on an enterprise level as it will lower your security posture.