How do you manage service account passwords?
Problem
The security folks want all AD passwords to expire every three months. I'm really not excited about this, since I definitely won't remember, and I'll likely be on my boat, drunk, when they expire.
Question How often do you/should you change the passwords on your SQL service accounts?
Solution
The security folks want all AD passwords to expire every three months.
Normally 1 year is pretty standard, 3 months might be expected in a more secure environment where virtual accounts can't be used.
... since I definitely won't remember, and I'll likely be on my boat, drunk, when they expire.
I thought it was in a submarine under the polar ice caps (Dilbert Reference)
How often do you/should you change the passwords on your sql service accounts?
I'll reiterate that once a year is fairly standard, but it still isn't a great story. You have to change the account, a service restart is required, and in general no one is happy about it except InfoSec.
This is why you should modernize by using Managed Service Accounts and/or Group Managed Service Accounts (or virtual accounts). In MSAs, the password is automatically rotated and is not known by anyone; gMSAs work a bit differently, but you can think of them the same as MSAs for use with multiple computer objects. The automatic password rotation does not require a service restart.
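The gMSA approach the answer recommends, as an added PowerShell example that is not part of the original post or answer. It provisions a gMSA whose password AD rotates on its own, installs it on the SQL host, and points the SQL Server service at it. The domain (contoso.local), host (SQL01), account (gmsaSQL01), security group (SQL01-gMSA-Hosts) and default instance name are hypothetical; steps 1 and 2 need domain rights and the ActiveDirectory RSAT module, steps 3 to 5 run on the SQL host, and the SMO assembly used in step 4 ships with the SQL Server management tools.

```powershell
# Added example, not from the original post. Hypothetical names:
# domain contoso.local, SQL host SQL01, gMSA gmsaSQL01, group SQL01-gMSA-Hosts.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key that gMSA passwords are derived from.
#    In production use -EffectiveImmediately and wait ~10 hours for DC replication;
#    backdating the effective time as below is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Only members of the host group (which must contain SQL01$)
#    may retrieve the password. The rotation interval can only be set at creation.
$hostGroup = 'SQL01-gMSA-Hosts'
New-ADServiceAccount -Name 'gmsaSQL01' `
    -DNSHostName 'gmsaSQL01.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -ServicePrincipalNames 'MSSQLSvc/SQL01.contoso.local:1433'

# 3. On SQL01, after a reboot so the host's group membership is current:
#    install the account locally and prove the host can fetch the password.
Install-ADServiceAccount -Identity 'gmsaSQL01'
if (-not (Test-ADServiceAccount -Identity 'gmsaSQL01')) {
    throw 'SQL01 cannot retrieve the gMSA password; check group membership and KDS key replication.'
}

# 4. Point the SQL Server service at the gMSA (trailing $ is required).
#    The password argument is empty: Windows fetches it from AD at start-up.
#    This switch is the one restart the change needs; later rotations need none.
Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$svc = $wmi.Services['MSSQLSERVER']
$svc.SetServiceAccount('CONTOSO\gmsaSQL01$', '')
Restart-Service -Name 'MSSQLSERVER'

# 5. Evidence for InfoSec: the configured interval and when AD last rotated it.
Get-ADServiceAccount -Identity 'gmsaSQL01' -Properties msDS-ManagedPasswordInterval, PasswordLastSet |
    Select-Object Name, 'msDS-ManagedPasswordInterval', PasswordLastSet
```

Two practical caveats: the interval in step 2 cannot be changed afterwards without recreating the account, and a host that is added to the retrieval group only gets a usable ticket for the new membership after it reboots or renews its Kerberos ticket, which is why step 3 checks with Test-ADServiceAccount before touching the service.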
Context
StackExchange Database Administrators Q#207082, answer score: 8