Focus on Microsoft
Re: How to /password policy on Windows 2003 Aug 26 2009 04:47AM
Kevin (rot_betruger sbcglobal net) (1 replies)
All good points; however, how this policy is enforced is problematic.
See, there are only so many policies you can place on a 2k3 domain:
Complex or not: must have 3 of the 4 (upper, lower, special, number), and
it can't be the username.
Minimum Length: no less than X chars long
Expiry: expires in X days
Previous Number: cannot be the previous X passwords used

At my work we actually bought a piece of software called Hitachi ID
Password Manager (formerly M-Tech P-Synch); we bought it for the
self-help password reset portion so users quit calling the helpdesk.
Once this is in place and the pushpass agent is installed on all domain
controllers, it can control what passwords are accepted by the domain.
This has one drawback (other than money): it applies to ALL domain
passwords, much like the standard Windows 2k3 password policy.
The upside is you have nearly unlimited control over what kind of
passwords are accepted on your domain. Dictionary words? It'll block 'em.
Username reversed? It'll block it. Got some sneaky sysadmins using
server names as passwords? Use a regular expression to block certain
password patterns, i.e. if you think they are using server names as
passwords (srv_MyServ1), use a regex to block anything with .srv. in it.
Another thing that I thought was helpful was that you can set a password
age. Say you have an expiry of 60 days, and the previous 6 blocked
through AD, so that's 360 months before the "first" password can be used
again, right? Nah, change your password 7 times through a Windows client
and they are back to using their first password in 5 minutes. With the
password age you can say 360 months, and they literally are blocked from
ever using that password again for 360 months.
The pushpass service checks against the Hitachi server and will block
you if the password does not meet the set criteria.

I'm in no way advocating buying this software; it's just what we use and
what I have experience with, and it shows you that there are products out
there (if anyone knows of an open-source product that does this, let us
know) that can extend the bland password policies that are available in a
2k3 domain.

I'm not entirely positive, but I have "heard" that with a 2k8 domain and
Vista/7 clients you can set password policy at the OU level. With
anything prior, if it's set it cannot be overwritten by a sub-policy or
by blocking the GPO applying the policy; it's a policy set at the domain
controller level, so if they get it, they abide by it, not the clients
attached to them.

And the thing with management, about being higher than director: that's
where the policy should be enforced from, not come from. It needs to
come from the security team, who then send it up the line to be approved.
Management 1 step above a sysadmin's or security analyst's manager's
position is not going to have any idea what it means to have a password
policy with X criteria, let alone director or above.
Also, with the "All passwords need to be complex (INSERT definition..)",
that's great to have on paper, but there is no way to enforce it unless
you rounded up every employee and asked them for their password, and
that won't happen. With Microsoft and 2k3 you get complex, yes or no; it
can't be defined, see above.

Rivest, Philippe wrote:
> Well, first off, I would sadly say it depends a lot on your company and how
> they view security, and which requirements you have (legal and business).
> Let's say you have a financial server (the 2k3 box) that will transfer
> customers' information for credit; maybe PCI needs to be applied. You need to
> know these kinds of things first.
> Also, maybe this server has a higher security requirement than another (you
> don't specify). So if your normal password policy states 6 chars long for a
> password, maybe you would want to go to 8-10 for this one if it's more
> critical.
> I would also make sure your local admins can't bypass the policy; maybe push
> it through AD if you have it and they don't have AD access? Putting it locally
> and giving them local admin is not serious enough for a critical server. So
> I would say in "Domain Policy" under admin tools in Windows.
> Password policy should come from the top (management, higher than Director)
> and be applied to everyone and everything. It should be clear and short. 1
> page max for a password policy should be more than enough.
> -All passwords should be at least 8 characters long
> -All passwords should expire after 45 days
> -All passwords need to be complex (INSERT definition..)
> ...
> Have the policy signed (*approved*) by upper management and then applied to
> the 2k3 box.
> Side note, the sentence with "loose" I didn't understand too much. But I
> would also suggest limiting local admin access to a very few IT employees.
> If they don't need it, don't give it; all this has to be approved (as we all
> know).
> Hope I was on your topic; if not, sorry :)
> Philippe Rivest - CEH, Network+, Server+, A+
> TransForce Inc.
> Internal auditor - Information security
> Verificateur interne - Securite de l'information
> 8585 Trans-Canada Highway, Suite 300
> Saint-Laurent (Quebec) H4S 1Z6
> Tel.: 514-331-4417
> Fax: 514-856-7541
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
> behalf of pent 5971
> Sent: 21 August 2009 08:14
> To: focus-ms (at) securityfocus (dot) com
> Subject: Re: How to /password policy on Windows 2003
> Any ideas/best practices?
> Regards
> 2009/8/20, pent 5971 <pent5971 (at) gmail (dot) com>:
>> Hi,
>> I have an important Windows 2003 box on which we are using only an admin
>> account actively. I also need to set a password policy (I have some
>> requirements) on this box and don't lose the admin account access. How
>> can I do this password policy?
>> Regards

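As an added example (not part of the original post, and not Hitachi's agent or Microsoft's password filter), the following Python models the rule set Kevin describes: the stock 2k3 checks (minimum length, three of the four character classes, not containing the account name) and the extra rules a filter agent can layer on top (dictionary words, the reversed account name, a regex for server-name patterns, and a time-based reuse block alongside AD's count-based history). The account name, dictionary, patterns and timestamps are constructed for illustration; a real filter runs inside the DC's password-change path and compares hashes rather than plaintext.

```python
"""Illustrative model of a 2k3 domain password policy plus the extra rules
a third-party filter agent can add. Added example, not vendor code; the
rule set and all sample data are assumptions drawn from the post."""
import hashlib
import re
from datetime import datetime, timedelta

# The four character classes the built-in "complexity" setting counts.
CLASS_PATTERNS = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]


def builtin_policy_ok(password, username, min_length=8):
    """Approximation of the stock 2k3 policy: minimum length, three of
    four character classes, and the account name must not appear."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < 3:
        return False, "needs 3 of 4 character classes"
    if username and username.lower() in password.lower():
        return False, "contains the account name"
    return True, "ok"


def _digest(password):
    # Real filters store and compare hashes, not plaintext; an unsalted
    # SHA-256 is used here only to keep the constructed history readable.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ExtendedFilter:
    """Rules the post attributes to the filter agent: dictionary words,
    reversed account name, regex-blocked patterns, and a time-based reuse
    block on top of AD's count-based password history."""

    def __init__(self, dictionary, blocked_regexes, history_size=6,
                 reuse_block=timedelta(days=360)):
        self.dictionary = {w.lower() for w in dictionary}
        self.blocked = [re.compile(r, re.IGNORECASE) for r in blocked_regexes]
        self.history_size = history_size
        self.reuse_block = reuse_block

    def check(self, username, password, history, now):
        """history: list of (sha256_hex, datetime_set), oldest first.
        Returns (accepted, reason)."""
        ok, reason = builtin_policy_ok(password, username)
        if not ok:
            return False, reason
        lowered = password.lower()
        if any(w in lowered for w in self.dictionary):
            return False, "contains a dictionary word"
        if username and username[::-1].lower() in lowered:
            return False, "contains the reversed account name"
        for rx in self.blocked:
            if rx.search(password):
                return False, "matches blocked pattern %s" % rx.pattern
        d = _digest(password)
        # AD-style history: only the last N hashes are remembered.
        if d in {h for h, _ in history[-self.history_size:]}:
            return False, "in the last %d passwords" % self.history_size
        # Time-based block: any use inside reuse_block, however many
        # changes have happened since, still refuses the password.
        for h, when in history:
            if h == d and now - when < self.reuse_block:
                return False, "reused within %d days" % self.reuse_block.days
        return True, "ok"


def history_cycle_demo():
    """Reproduce the cycling trick from the post: six quick changes push the
    original password out of a six-deep count-based history, but a
    time-based reuse block still refuses it. Returns (ad_only, strict)."""
    t0 = datetime(2009, 8, 26, 9, 0)  # constructed timestamp
    original = "Autumn2009!"
    history = [(_digest(original), t0)]
    for i in range(1, 7):  # six throwaway changes, one minute apart
        history.append((_digest("Throwaway%d!x" % i), t0 + timedelta(minutes=i)))
    now = t0 + timedelta(minutes=7)
    ad_only = ExtendedFilter([], [], history_size=6, reuse_block=timedelta(0))
    strict = ExtendedFilter([], [], history_size=6, reuse_block=timedelta(days=360))
    return (ad_only.check("jsmith", original, history, now)[0],
            strict.check("jsmith", original, history, now)[0])


if __name__ == "__main__":
    f = ExtendedFilter(["password", "welcome", "summer"], [r"srv"])
    for pw in ["Srv_MyServ1!", "Htimsj2009!", "Welcome123!", "Autumn2009!"]:
        print(pw, f.check("jsmith", pw, [], None))
    print("count-based history allows reuse, time-based blocks it:",
          history_cycle_demo())
```

`history_cycle_demo()` returns `(True, False)`: the count-based check lets the original password back in after six throwaway changes, the time-based block does not. The `srv` pattern is a simplification of the post's `.srv.` regex so that a name starting with `srv_` is also caught.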
Copyright 2010, SecurityFocus