RE: Windows 2000 password policy
From: Jim Barrett (jimb_at_ins.com)
Date: 06/24/03
- Previous message: Justin Pryzby: "Re: Filtering DHCP Assignments by MAC Address"
- In reply to: Chris Carlson (OTG): "RE: Windows 2000 password policy"
- Next in thread: Chris Carlson (OTG): "RE: Windows 2000 password policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Chris Carlson (OTG)'" <ccarls@microsoft.com>, "'hong li'" <hong_li_98@yahoo.com>, <focus-ms@securityfocus.com>
Date: Tue, 24 Jun 2003 07:58:50 -0400
Okay, I stand corrected on that issue, but realistically I have never
seen that sort of thing in the real world. One generally does not make
a system part of the domain and then use local accounts to access it.
One of the first things that I look for on a security audit is local
accounts on critical systems. Besides the required administrator
account, the only local accounts on a machine should be service accounts
required by an application running on that box that for some reason or
other cannot use a domain-based system account.
One could also make the argument that you need local accounts to work on
the system should connectivity to the domain controller be severed due
to a faulty WAN link. In that instance, since W2K machines cache local
credentials, a user can still log onto a system with no connectivity to
the domain provided that they have successfully logged on there before.
Additionally, if access to the system is critical, then a local DC can
provide the necessary fault tolerance.
Local accounts are much easier to compromise than domain accounts, thus
my recommendation is to strictly limit them. As for the necessary
administrator account, while password policies can be applied,
generally, users will exempt the administrator account from regular
password changes, and account lockout cannot be applied to the built-in
administrator.
Jim Barrett, MCSE, CISSA, CISSP, CCNP
Principal Consultant
International Network Services
Boston, MA
-----Original Message-----
From: Chris Carlson (OTG) [mailto:ccarls@microsoft.com]
Sent: Tuesday, June 24, 2003 2:23 AM
To: Jim Barrett; hong li; focus-ms@securityfocus.com
Subject: RE: Windows 2000 password policy
>You will see the options for setting password policy in the OU GPO, but
>changes there will not affect anything.
I wouldn't necessarily say that; password policies at the OU level still
apply to the local security accounts.
http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
-Chris
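Two checks from this thread, the local-account audit Jim describes and the effective password policy Chris points out applies to local accounts, as an added PowerShell example that is not part of either message. It assumes a current Windows build (Get-LocalUser does not exist on Windows 2000) and an elevated shell; the allow-list and the service account name are constructed sample values.

```powershell
# Added example: audit local accounts on a domain-joined host and show the
# password/lockout policy that is actually in effect for them.
# Assumes Windows 10 / Server 2016 or later; run from an elevated shell.

# Hypothetical allow-list: the built-in Administrator plus the service
# accounts documented by the application owner for this box.
$Allowed = @('Administrator', 'svc_backup')   # constructed sample values

$findings = foreach ($u in Get-LocalUser) {
    [pscustomobject]@{
        Name                 = $u.Name
        Enabled              = $u.Enabled
        # RID 500 identifies the built-in Administrator even if it was renamed.
        BuiltInAdmin         = ($u.SID.Value -like 'S-1-5-21-*-500')
        # PasswordExpires is $null when the account is exempt from expiry.
        PasswordNeverExpires = ($null -eq $u.PasswordExpires)
        PasswordLastSet      = $u.PasswordLastSet
        LastLogon            = $u.LastLogon
        Unexpected           = ($u.Enabled -and ($Allowed -notcontains $u.Name))
    }
}

# Review: enabled accounts not on the allow-list, and any enabled account
# exempt from password expiry (the usual state of the built-in Administrator).
$findings |
    Where-Object { $_.Unexpected -or ($_.Enabled -and $_.PasswordNeverExpires) } |
    Format-Table Name, Enabled, BuiltInAdmin, PasswordNeverExpires, PasswordLastSet, LastLogon -AutoSize

# Effective policy for local accounts on this machine. On a domain member this
# reflects the password/lockout settings delivered by Group Policy, which is
# the point in KB 255550: OU-level password policy does reach local accounts.
net accounts
```

Compare the `net accounts` output with what the OU GPO sets to confirm the policy is actually being applied to the box.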