topic Re: Politics user problem in Operating System - HP-UX

Politics user problem

Eli Daniel — Tue, 15 Dec 2009 16:21:10 GMT

I have a problem with a policy server.

User policy exists that the user's password expires every 3 months
I need to exclude a patron of that policy
Where can I find the documentation, the steps to perform this task

Re: Politics user problem

Patrick Wallek — Tue, 15 Dec 2009 16:29:09 GMT

You got to love the "the policy applies to everyone except me" types.

This can be set through SAM by selecting the user and modifying the security policies for that user.

This could also be done from the command line with the modprpw command.

/usr/lbin/modprpw -m exptime=180 user-id

Where the number after exptime is the number of days before the password expires.

See the modprpw man page for more information.

Re: Politics user problem

Michael Steele_2 — Tue, 15 Dec 2009 16:32:11 GMT

Hi

I would also use same for all user administration. Its much faster and reliable and you've got other more important things to do than waste an hour figureing out usermod arguements..

Re: Politics user problem

Michael Steele_2 — Tue, 15 Dec 2009 16:32:45 GMT

Oops. Typo. Should read..."I would also use SAM..."

Re: Politics user problem

Steven E. Protter — Tue, 15 Dec 2009 16:45:41 GMT

Shalom,

sam and its successor smh have an interface that lets you mark a user password never to expire.

There is a similar option on Windows domain controllers, and LDAP systems released by Red Hat.

This is however an exception to security guidelines and can cause you to fail a security audit.

SEP

Re: Politics user problem

Steven Schweda — Tue, 15 Dec 2009 17:41:36 GMT

> This is however an exception to security
> guidelines and can cause you to fail a
> security audit.

Of course, if the principal outcome of
requiring users to change passwords
frequently is users posting their passwords
in their work areas using sticky notes, then
creating an exception for every user may
provide better security, auditors (and policy
makers) notwithstanding.

Re: Politics user problem

Steven E. Protter — Tue, 15 Dec 2009 20:22:36 GMT

Personally, I think if a user can not remember a password and needs to use a postit note, thats a problem.

Data security is a serious issue in Corporate America and all over the globe.

Users should be able to use words in combination with numbers to create something memorable. If so, there should be no reason to write them down.

The exception two jobs ago was the organization president. I've dealt with these issues. Passwords are important enough that some time should be spent to remember them.

Everybody should have to change them periodically.

SEP

Re: Politics user problem

Eli Daniel — Tue, 15 Dec 2009 20:51:13 GMT

really is an application service, the service sends information through a user, but there is a policy that every 3 months, users have to change the password.
The recommended option is to go to sam and deselect "password aging policies"

Re: Politics user problem

Michael Steele_2 — Tue, 15 Dec 2009 23:14:55 GMT

Hi

What application please. PowerBroker?

Re: Politics user problem

John Donovan — Wed, 16 Dec 2009 03:49:03 GMT

Looks like you have the "workaround", but I'm compelled to emphasize what others have written.

No user account should be have password expiration of less than 90 days. We have a wide variety of users. Most log in daily, while others log in anywhere from weekly to annually. Our policy is the same for all.

After 90 days of no activity, the account is locked. After an additional 30 days, the account is deleted. After this, a new user account must be requested.

NOTE: This is explained to every user and supported by mgmt. So, the users that don't log in after 120+ days know they must re-apply. Normally, they get the same login.

Application accounts are either locked or the password is maintained by sys admin staff. For those, we change the password every 90 days regardless if used or not.

Users that actually need access to an application account are provided sudo access. For example, all sys admin's use sudo for root commands and dba's for oracle commands.

Critical logins, including sys admins, root, oracle accounts are monitored for changes.

Of course, we have an exception request for those very, very rare occasions. We don't want to prevent anyone from doing there job, but any exceptions must be documented, validated, and approved by upper mgmt.

Hope this helps...
:-)

Re: Politics user problem

Steven Schweda — Wed, 16 Dec 2009 06:32:00 GMT

> Users should be able to use words in
> combination with numbers to create
> something memorable.

I agree. However, few people these days have
only one password to remember, and
remembering many good passwords may be more
difficult than remembering one. Every
organization gets to set its own policy, but
choosing an optimal password lifetime is, I
claim, not a trivial problem.

Everything's complicated.

Re: Politics user problem

Nick W — Wed, 16 Dec 2009 10:44:51 GMT

re users having to remember multiple passwords & sticky notes...

One solution is for users to use a Password Vault Application - I use KeePass, which also has approval by my IT organisation.

Main Advantage is that users can then apply more rigorous passwords for individual accounts, which can then be made unique - so should a password ever be compromised/discovered, then the damage limitation can be more effective (alternative scenario is that a very few passwords are used all over - which increases the risk for damage in the event of compromise/password discovery...)

Hope it helps

Nick 'dubya'

Re: Politics user problem

Eli Daniel — Wed, 16 Dec 2009 13:20:45 GMT

The option SAM "Modify Security Policies..." "Password Aging Policies.."

if this disable, the password never expire?

Note: view attachment

Re: Politics user problem

Patrick Wallek — Wed, 16 Dec 2009 13:59:13 GMT

Correct.

Re: Politics user problem

Eli Daniel — Wed, 16 Dec 2009 14:17:35 GMT

patrick one last question, according to the attachment as it is the actual expiration time of this password 90 days or 180 days? I do not understand these options attachment

Re: Politics user problem

Vishu — Wed, 16 Dec 2009 15:36:19 GMT

Hi Eli,

90 days refers that your password will get expired after 90 days and 180 days in your attachment says that even if you dont change your password after your password expiration time for another 90 days i.e. total of 180 days, your user account will get locked.

Re: Politics user problem

Eli Daniel — Wed, 16 Dec 2009 15:46:49 GMT

So this would be a bad practice?
Time Between Password Changes (days): 1
Password Expiration Time (days): 90
Password Expiration Warning Time (days): 7
Password Life Time (days): 180

the best practice should be:
Time Between Password Changes (days): 1
Password Expiration Time (days): 90
Password Expiration Warning Time (days): 7
Password Life Time (days): 90
this is correct?
I need is to force the user to change their password after 90 days
(with the single-user exepcion)

Re: Politics user problem

Eli Daniel — Wed, 16 Dec 2009 19:17:43 GMT

Thanks