RE: [ActiveDir] How Secure is a Domain Controller?

[neil.ruston]

You mis-understand :)   Ulf was suggesting that in order to protect the AD data on a poorly protected DC, that strong passwords should be used that are harder to crack.   In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the use of 20 char passwords to logon to the DC but instead, it is suggested as a way to further protect the AD data, in the event that physical protection is weak.   hth, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: 06 March 2006 15:44 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? Based on the subject of this discussion: if you have those regular users, who can't comprehend or remember a password over 7 characters, signing on to your domain controllers I would say that your domain controllers are VERY not secure. Secondly, if your domain administrators are so lazy as to be using 7 character passwords you are still very insecure. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 06, 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? The use of >20 char passwords caught my eye.   In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most ( 7 char password n times, so as to meet the 20+ char pw policy requirement.   As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counter productive. [Any pw policy with a multiple of 7 chars being most counter productive.]   Food for thought, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: 05 March 2006 08:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx Gruesse - Sincerely, Ulf B. Simon-Weidner   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz   Weblog: http://msmvps.org/UlfBSimonWeidner   Website: http://www.windowsserverfaq.org   Profile:   http://mvp.support.microsoft.com/profile="">      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Sunday, March 05, 2006 4:17 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How Secure is a Domain Controller? How Secure is a Domain Controller that is fully patched on a default install of Windows 2003?  When promoted the domain controller has the two default policies, both of which are recommended not to be modified.  But there are things that could be done better for added security.  For example, NTLMv2 refuse NTLM and LM.  Is it common practice to add additional GPO’s to the DC OU?  Or is DC protected enough to where all that is needed to worry about are the member machines?   If adding additional GPO’s to the DC OU, is there anything that should definitely be avoided?   Edwin PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.