All good points, however how this policy is enforced is problematic.
See there are only so many policy's you can place on a 2k3 domain.
Complex or not, must have 3 of the 4, upper lower, special, number and
it can't be the username.
Minimum Length, no less than X char long
Expiry, expires in X days
Previous Number, cannot be previous X number of passwords used
At my work we actually bought a piece of software called Hitachi ID
Password Manager, (formerly MTek P-Synch), we bought it for the
self-help password reset portion so users quit calling the helpdesk.
Once this is in place and the pushpass agent is installed on all domain
controllers it can control what passwords are accepted by the domain
controllers.
This has one drawback (other than money), this applies to ALL domain
passwords, much like the standard windows 2k3 password policy.
The upside is you have nearly unlimited control over what kind of
passwords are accepted on your domain, dictionary words, it'll block em,
username reversed, it'll block it. got some sneaky sysadmins using
server names as passwords, use a regular expression to block certain
password patterns, i.e. think they are using server names as passwords
(srv_MyServ1) use a regex to block anything with .srv. in it. Another
thing that I thought was helpful was that you can set a password age.
Say you have an expiry of 60 days, and the previous 6 blocked through
AD, so thats 360 months before the "first" password can be used again,
right? Nah, change your password 7 times through a windows client and
they are back to using their first password in 5 minutes. With the
password age you can say, 360 months, and they literally are blocked
from ever using that password again for 360 months.
The pushpass service checks against the hitachi server and will block
you if the password does not meet the set criteria.
I'm in no way advocating buying this software, it's just what we use and
what I have experience with, and to show you that there are products out
there (if anyone knows of an opensource product that does this, lemme
us) that can extend the bland password policies that are available in a
2k3 domain.
I'm not entirely positive, but I have "heard" that with a 2k8 domain and
vista/7 clients, you can set password policy at the OU level, with
anything prior, if it's set it cannot be overwritten by a sub policy or
by blocking the GPO applying the policy, it's a policy set at the domain
controller level, so if they get it, they abide by it, not the clients
attached to them.
And the thing with management, about being higher than director, thats
where the policy should be enforced from, not come from. It needs to
come from the security team who then send it up the line to be approved.
Management 1 step above a sysadmin or security analyst managers position
is not going to have any idea what it means to have a password policy
with X criteria, let alone director or above.
Also, with the "All passwords need to be complex (INSERT definition..)",
that's great to have on paper, but there is no way to enforce it unless
you rounded up every employee and asked them for their password, and
that won't happen. With Microsoft and 2k3 you get complex, yes or no, it
can't be defined, see above.
Rivest, Philippe wrote:
Well first off, I would sadly say it depends a lot on your company and how
they view security, which requirements you have (legals and business).
Let's say you have a financial server (the 2k3 box) that will transfer
customers information for credit, maybe PCI needs to be applied. You need to
know this kind of things first.
Also, maybe this server has a higher security requirement than another (you
don’t specify). So if you're normal password policy states 6 char long for a
password, maybe you would want to go at 8-10 for this one if its more
critical.
I would also make sure your local admins cant bypass the policy, maybe push
it thru AD if you have it and they don’t have AD access? Putting it locally
and giving them local admin is not serious enough for a critical server. So
I would say in "Domain Policy" under admin tools in windows.
Password policy should come from the top (management, higher than Director)
and be applied to everyone and everything. It should be clear and short. 1
page max for a password policy should be more than enough.
-All passwords should be at least 8 character long
-All passwords should expire after 45days
-All passwords need to be complex (INSERT definition..)
...
Have the policy signed (*approved*) by upper management and than applied to
the 2k3 box.
Side note, the sentence with "loose" I didn’t understand it too much. But I
would also suggest limiting local admin access to a very few IT employees.
If they don’t need it don’t give it, all this has to be approved (as we all
know).
Hope I was on your topic, if not sorry :)
Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Verificateur interne - Securite de l'information
8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417
Fax: 514-856-7541
http://www.transforce.ca/
-----Message d'origine-----
De : [email protected] [mailto:[email protected]] De
la part de pent 5971
Envoyé : 21 août 2009 08:14
À : [email protected]
Objet : Re: How to /password policy on Windows 2003
Any ideas/best practices?
Regards
2009/8/20, pent 5971 <[email protected]>:
Hi,
I have an important Windows 2003 box which we are using only a admin
account actively. I also need to set a password policy (i have some
requirements) on this box and dont loose the admin account acces. How
can i do this password policy?
Regards
