How do you get around expiring password problems

colin_lyse

We have a Win2000 server that serves as a file server. It stores files that are
moved from the mainframe to various other servers, both Windows and Unix.

Mainframe apps need to log into the server to FTP the files, thus they need to
know the username and password.

Problem: since passwords expire every 90 days, we have to change code that
references passwords in production.

Is there a way to have external applications log in to the server in such a
way that either no username/password is needed or they can get it automatically
from another source?

Note: we can't just make the folder where the files are stored a shared folder,
since they are FTPing to the server.
 
Miha Pihler

If you are talking about username and password defined on Windows systems,
you could set these accounts to "Password never expires"... Make sure you
use a strong, hard-to-guess password and still change it a few times a year...

Note, if you use LM Hash to store password (by default) it takes about 2
days to crack it... (if I know what the hash is).

Mike
 
Danny Sanders

> problem : since passwords expire every 90 days we have to change code that
> reference passwords in production.


You could find the account in ADUC and set the "password never expires"
attribute for this one account. Of course you should manually change the
password periodically for security purposes.

hth
DDS W 2k MVP MCSE
 
Joe Richards [MVP]

Set up two scripts

The first is on your mainframe side, it generates a new password every 80 days.
It then ftp's that password down to some folder on the Intel Server. The intel
server runs a second script which sets the password on the account. Then the
mainframe uses the new password.

There are points where this could be insecure but it is more secure than never
changing your password or opening up FTP to allow anyone to write files to the
machine.
 
colin_lyse

> If you are talking about username and password defined on Windows systems,
> you could set these accounts to "Password never expires"... Make sure you
> use strong - hard to guess password and still change it few times a year...
>
> Note, if you use LM Hash to store password (by default) it takes about 2
> days to crack it... (if I know what the hash is).
>
> Mike

The problem is we are required to have expiring passwords.
 
colin_lyse

> Set up two scripts
>
> The first is on your mainframe side, it generates a new password every 80 days.
> It then ftp's that password down to some folder on the Intel Server. The intel
> server runs a second script which sets the password on the account. Then the
> mainframe uses the new password.
>
> There are points where this could be insecure but it is more secure than never
> changing your password or opening up FTP to allow anyone to write files to the
> machine.

Thanks. How is the password changed via the script? Does it need admin rights
to do so?
 
Joe Richards [MVP]

Not if you know the old one. If you know the old one you can use the
changepassword method, in fact you should be able to have the mainframe script
send that down as well. If you don't know the old one you need an account that
has the ability to set the password of that account. If you have AD, that can be
delegated out very granularly, if not, it has to be some higher level of perms
depending if on an NT Domain which would require account operator or on a member
machine it would require admin.

joe
 
colin_lyse

> Not if you know the old one. If you know the old one you can use the
> changepassword method, in fact you should be able to have the mainframe script
> send that down as well. If you don't know the old one you need an account that
> has the ability to set the password of that account. If you have AD, that can be
> delegated out very granularly, if not, it has to be some higher level of perms
> depending if on an NT Domain which would require account operator or on a member
> machine it would require admin.
>
> joe

Thank you so much! Great idea.

We do know the old one.

What do you mean by "have the mainframe script send that down as well"?

How will the mainframe be able to run the script on the W2K box without using
rexec, which is a BIG no-no?
 
Joe Richards [MVP]

Have the mainframe ftp a file down to the Intel Server. That file could have
anything in it but at a minimum the old and new passwords.

joe
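
The Windows-side half of the rotation described above, as an added example that is not part of the original thread and not any poster's code. It is written in PowerShell with the ADSI WinNT provider's ChangePassword method; the drop-file path, the account name and the two-line file format are assumptions made for illustration.

```powershell
# Added example. Assumptions (not from the thread): the drop path, the account
# name, and a two-line file format (line 1 = old password, line 2 = new password).
param(
    [string]$DropFile = 'D:\ftproot\rotate\pwchange.txt',  # hypothetical path
    [string]$Account  = 'mf_ftp'                           # hypothetical local account
)
$ErrorActionPreference = 'Stop'

function Read-RotationFile {
    param([string]$Path)
    # Do not trim: leading/trailing spaces can be part of a password.
    $lines = @(Get-Content -LiteralPath $Path | Where-Object { $_ -ne '' })
    if ($lines.Count -ne 2) { throw "Expected 2 non-empty lines, found $($lines.Count)." }
    if ($lines[0] -ceq $lines[1]) { throw 'New password is identical to the old one.' }
    [pscustomobject]@{ Old = $lines[0]; New = $lines[1] }
}

function Invoke-PasswordRotation {
    param([string]$Path, [string]$User)
    if (-not (Test-Path -LiteralPath $Path)) { return 'no-request' }
    try {
        $pw = Read-RotationFile -Path $Path
        # WinNT provider: a local account on this member server.
        $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"
        # ChangePassword takes the old password, so the task running this
        # script needs no admin or Account Operator rights.
        $entry.psbase.Invoke('ChangePassword', $pw.Old, $pw.New)
        return 'changed'
    }
    catch {
        # Report the failure without echoing either password.
        Write-Warning "Password change for '$User' failed: $($_.Exception.GetBaseException().Message)"
        return 'failed'
    }
    finally {
        # The file holds both passwords in clear text; never leave it on disk.
        Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    }
}

Invoke-PasswordRotation -Path $DropFile -User $Account
```

Run it from a scheduled task and restrict the drop folder's ACL to the FTP account and the task's account, since the file crosses the wire and sits on disk in clear text until the script deletes it. The mainframe job should confirm a login with the new password before it discards the old one.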
 
