Setting account expiration parameters
All active accounts should have an account expiration set on them. Because sys admins are not in the HR dept, when people leave the sys admin is not always told about employee turnover. Using account expirations is a simple way to help prevent any loose accounts from staying out there.
Also it is a good idea to force users to change their passwords on an account on a regular basis. How regular depends on how important the system they are working on, if a user is only on a read-only that is kept in a secure-area they should almost never have to change their password where as a sys admin who has to move from one machine to another machine should be changing their password often.
Finally, idle accounts should be expired. The less mess hanging around means fewer opportunities for someone to use to hack into your system.
You can set account expiration parameters either through the GUI or you can run a script to set the parameters. I will try & have a script set up to check this later this week.
Also it is a good idea to force users to change their passwords on an account on a regular basis. How regular depends on how important the system they are working on, if a user is only on a read-only that is kept in a secure-area they should almost never have to change their password where as a sys admin who has to move from one machine to another machine should be changing their password often.
Finally, idle accounts should be expired. The less mess hanging around means fewer opportunities for someone to use to hack into your system.
You can set account expiration parameters either through the GUI or you can run a script to set the parameters. I will try & have a script set up to check this later this week.
<< Home