You you run the MSBSA and you gt an error stating that some user account have non expiring password. the security analyzer notes that this is a security violations: all accounts should have expiring passwords. Some account are excluded from this rule- use your best judgement here. i have a service account for SQL that is used in a connection string for a private database we use. This database is strictly internal, so I have it set to keep the same password, thus negating changing the connection string.

Password Expire

Password Expire

I have blanked out the actual user names as they are server service account names.

Account Error

Account Error

 

If you have a similar situation, we can exclude accounts from this scan by editing NoExpireOk.txt, and adding the accounts. I know for a fact that the warning is on the server account. I am going to exclude this from future scans, as this setting is set up by SBS 2008 itself and does not warrant changing.

Navigate to NoExpireOk.txt- I had a hard time finding the file. It is located in the MSBSA installation directory. Mine is D:\Program Files\Microsoft Baseline Security Analyzer 2\NoExpireOk.txt

Open it with Notepad.

Add the user account listed in the warning to the file.

Close and save it.

Now I will only recommend using the MSBSA as a tool to help you find security holes- do not use this to change every feature of your network. Some settings it scans and normal errors. I have all of my domain workstations secured with a local Administrator account. this is a strong password, and I set it to non-expiring. I can’t be bothered with changing these local passwords, as well as all of my personal and service accounts, as well as helping users change theirs. there are errors with folder permissions for SQL- leave those alone, they are set by the system. The list goes on- do not take it to the bank, but use it as a guideline for major issues.

Advertisements