Well first off, I would sadly say it depends a lot on your company and how they view security, and which requirements you have (legal and business).
Let's say you have a financial server (the 2k3 box) that will transfer customers' information for credit; maybe PCI needs to be applied. You need to know this kind of thing first. Also, maybe this server has a higher security requirement than another (you don't specify). So if your normal password policy states 6 characters long for a password, maybe you would want to go to 8-10 for this one if it's more critical.

I would also make sure your local admins can't bypass the policy; maybe push it through AD if you have it and they don't have AD access? Putting it locally and giving them local admin is not serious enough for a critical server. So I would say in "Domain Policy" under admin tools in Windows.

Password policy should come from the top (management, higher than Director) and be applied to everyone and everything. It should be clear and short. 1 page max for a password policy should be more than enough.

- All passwords should be at least 8 characters long
- All passwords should expire after 45 days
- All passwords need to be complex (INSERT definition..)
- ...

Have the policy signed (*approved*) by upper management and then applied to the 2k3 box.

Side note, the sentence with "loose" I didn't understand too much. But I would also suggest limiting local admin access to a very few IT employees. If they don't need it, don't give it; all this has to be approved (as we all know).

Hope I was on your topic, if not sorry :)

Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Verificateur interne - Securite de l'information
8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417
Fax: 514-856-7541
http://www.transforce.ca/

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of pent 5971
Sent: 21 August 2009 08:14
To: [email protected]
Subject: Re: How to /password policy on Windows 2003

Any ideas/best practices?
Regards

2009/8/20, pent 5971 <[email protected]>:
> Hi,
> I have an important Windows 2003 box which we are using only an admin
> account actively. I also need to set a password policy (I have some
> requirements) on this box and don't loose the admin account access. How
> can I do this password policy?
>
> Regards
>
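The three rules in the reply above (8 characters, 45-day expiry, complexity), written as a security template, applied with secedit and then verified against the effective policy; this is an added example, not code from the list post. It assumes PowerShell 2.0 on Windows Server 2003 SP2 and a local-admin session; for a domain member, the same .inf is imported into the Default Domain Policy GPO instead, so local admins cannot override it.

```powershell
# Added example (not from the list post). Assumes PowerShell 2.0 on Server 2003 SP2,
# run as a local administrator. Values mirror the policy bullets in the reply;
# MinimumPasswordAge, history and lockout are my assumed companions to those rules.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 45
MinimumPasswordAge = 1
PasswordHistorySize = 12
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
'@

$Inf = Join-Path $env:TEMP 'pwpolicy.inf'
$Db  = Join-Path $env:TEMP 'pwpolicy.sdb'
$Template | Out-File -FilePath $Inf -Encoding Unicode

# Apply only the account-policy area; keep the log for the change record.
# On a domain member this local apply is overridden by the domain GPO, which is
# the point of the reply: import the .inf into Default Domain Policy there.
secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /log "$env:TEMP\pwpolicy.log" /quiet

# Verify: export the effective local security policy and compare each required key.
$Export = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet
$Effective = @{}
Get-Content $Export | ForEach-Object {
    # Only numeric settings; -1 for MaximumPasswordAge means "never expires".
    if ($_ -match '^(\w+)\s*=\s*(-?\d+)\s*$') { $Effective[$matches[1]] = [int]$matches[2] }
}
$Required = @{ MinimumPasswordLength = 8; MaximumPasswordAge = 45; PasswordComplexity = 1 }
foreach ($Key in $Required.Keys) {
    $State = if ($Effective[$Key] -eq $Required[$Key]) { 'OK' } else { 'NON-COMPLIANT' }
    '{0,-22} required={1,-3} effective={2,-3} {3}' -f $Key, $Required[$Key], $Effective[$Key], $State
}
```

`net accounts` gives a second, quick view of the effective minimum length and maximum age, which on a domain member come from the domain policy rather than the local template.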