Password policy enforcement tools was RE: ADSI question

From: Eric Peeters (ml-feb2004_at_ibarras.com)
Date: 08/27/04

  • Next message: Free, Bob: "RE: ADSI question"
    To: <focus-ms@securityfocus.com>
    Date: Fri, 27 Aug 2004 16:26:15 -0500
    
    

    Hijacking on this thread (with my apologies), I was wondering whether many admins use
    third-party password policy enforcement tools and whether it has led to less password
    cracking.

    I use one such tool to reach what I think is a reasonable middle ground between the basic
    Windows 2000 password settings and complex password requirements, and I find that I need
    to crack my users' passwords less often. Since they now have no choice but to comply with
    my password policy, password cracking has gone from being an enforcement tool to being a
    way of checking that my policy is neither too loose nor too restrictive and fine-tuning
    said policy accordingly.

    Am I being too confident in a tool in performing fewer password crackings, or am I not
    alone out there?

    Eric Peeters
    R. Ibarra's Inc.

    -----Original Message-----
    From: Bruce K. Marshall [mailto:bkml@att.net]
    Sent: Thursday, August 26, 2004 8:59 AM
    To: Paul Aviles
    Cc: focus-ms@securityfocus.com
    Subject: Re: ADSI question

    Paul,

    The only ways to measure a password's quality are to either guess it (online) or crack it
    (offline). If you exported the LM password hashes you could tell whether they were shorter
    than 8 characters, but any other info requires cracking. We've been providing clients with
    'password policy compliance' reports where we crack the passwords and then compare the
    findings to their existing or planned policy.

    If you do an in-place migration you'll still be stuck with the previous passwords. You
    can turn on password complexity, but that won't be enforced until the next password
    change.

    Scripting can tell you some cool stuff, such as when the user last logged into the domain
    and when they last changed their password. But it won't do anything related to password
    quality.

    ----
    Bruce K. Marshall - bmarshall@securityps.com - 913-484-7233
    Security Professional Services, Inc. - Kansas City
    ----- Original Message ----- 
    From: "Paul Aviles" <paviles@adjoined.com>
    To: <focus-ms@securityfocus.com>
    Sent: Wednesday, August 25, 2004 11:30 AM
    Subject: ADSI question

    Is it possible to use ADSI to query user accounts and find if they are using a strong
    password? Before using GPOs to enable it, I need to have an audit and show how many
    people don't have them. Is this a property of the users?

    Also, I believe that when you install AD in a new environment by default it has strong
    password enabled. Is that the same when you do an in-place migration?

    Thanks
    Paul
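
The LM-hash length check mentioned in the quoted reply above, as an added example that is not part of the original thread: LM hashes each 7-character half of the password separately, so an empty second half means the password is shorter than 8 characters. The pwdump-style export layout, the sample accounts and the function names are assumptions made for the illustration.

```python
"""Flag accounts whose LM hash shows a password shorter than 8 characters."""

# LM pads the upper-cased password to 14 bytes and hashes each 7-byte half
# on its own; this is the well-known LM hash of an empty half.
EMPTY_LM_HALF = "AAD3B435B51404EE"

# Constructed sample, assumed layout user:rid:LM:NT::: (pwdump style).
# The non-constant hash values are made-up placeholders, not real hashes.
SAMPLE_EXPORT = """\
alice:1001:1111111111111111AAD3B435B51404EE:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::
bob:1002:22222222222222223333333333333333:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:::
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:::
dave:1004:NO PASSWORD*********************:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:::
broken line without enough fields
"""


def classify_lm(lm_hash):
    """Return what the LM hash alone reveals about password length."""
    lm = lm_hash.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return "no-lm-hash"        # field is not a hash: nothing to infer
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        # Blank password, or no LM hash kept (for example over 14 characters).
        return "blank-or-no-lm"
    if second == EMPTY_LM_HALF:
        return "short"             # 7 characters or fewer
    return "8-to-14"               # length is fine; quality still needs cracking


def audit(export_text):
    """Map each account in the export to its classify_lm() verdict."""
    report = {}
    for line in export_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:        # skip malformed lines instead of failing
            continue
        report[fields[0]] = classify_lm(fields[2])
    return report


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_EXPORT).items():
        print(f"{user:10} {verdict}")
```

As the reply says, this reveals length only; complexity and dictionary words cannot be read off the hash.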