RE: active directory password policy

From: James Eaton-Lee (james.mailing_at_gmail.com)
Date: 02/08/05

    To: prasenjit.saha@wipro.com
    Date: Tue, 08 Feb 2005 15:59:42 +0000
    
    

    Many thanks for your e-mail!

    Although I'd be interested to see what solutions exist for this (and I'm
    sure there are some), in my experience it's beyond the scope of most
    Network Administrators to simply resort to a third party package
    whenever there's something like this which a licensed software package
    can't already do.

    Especially in outfits which have limited resources and staffing, this
    isn't a viable solution both because of the outlay in licensing new
    software and in setting up / supporting the new package; this does,
    however, depend upon your business size, and the particular package in
    question.

    Like I said, however, I'd be interested to see what commercial solutions
    do exist for this and how resilient they are - part of the reason for my
    apprehension is that in my experience a significant number of Windows
    network management packages and add-ons for Active Directory, etc, are
    poorly integrated and don't represent terribly good value for money.

    It's also something which Windows, as an integrated solution providing
    VPN and Authentication packages, should be implementing already, as it's
    well within the scope of both products, and could probably be
    accomplished without breaking any standards which these products already
    adhere to!

    I haven't seen many implementations of token authentication in anything
    but large/high-risk operations, but token authentication used for remote
    access mitigates some of these issues; the uptake for token
    authentication is shockingly low, though, given the extra layer of
    security it provides, however.

    kind regards,

     - James.

    On Tue, 2005-02-08 at 12:47 +0530, prasenjit.saha@wipro.com wrote:
    > This process can be automated by implementing identity and access
    > management solution.
    >
    > Thanks and Regards,
    >
    > Prasenjit Saha
    > General Manager & Practice Head
    > Enterprise Security Solutions
    > Wipro Technologies
    >
    > -----Original Message-----
    > From: James Eaton-Lee [mailto:james.mailing@gmail.com]
    > Sent: Monday, February 07, 2005 11:28 PM
    > To: William Stegman
    > Cc: focus-ms@securityfocus.com
    > Subject: Re: active directory password policy
    >
    > Set the 'password does not expire' flag and make a note in your Outlook
    > calendar to call them every few months and get them to reset the
    > password either over the phone with one of your IT staff, onsite (if
    > they're ever onsite) or via terminal services.
    >
    > I badger my remote staff whenever they're onsite (usually once a month)
    > and have them do it every few times they're here. Unfortunately, I
    > haven't found any more intelligent or efficient way of doing it than
    > this.
    >
    > - James.
    >
    > On Fri, 2005-02-04 at 17:10 -0500, William Stegman wrote:
    > > Does anyone have any experience with remote users who do not login to
    > > the domain on a regular basis or at all, and have a password expiration
    > > policy in effect? We can't seem to come up with a good plan to handle
    > > these users. They only occasionally access domain resources such as
    > > webmail via the Internet or an internal website to do timesheets via
    > > vpn, and will not have the luxury of logging on to a machine connected
    > > to our LAN and getting the warning about soon to expire passwords. If
    > > our policy dictates passwords expire every 90 days, how can we avoid the
    > > inevitable calls regarding password resets?
    > >
    > > thx
    > >
    > > /William Stegman - Network Administrator///
    > >
    > > TransCore - Hummelstownd
    > >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
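
The manual tracking in the quoted workaround (non-expiring flag plus periodic reminders) and the 90-day policy from the original question can be scripted against a directory export, so remote users are contacted before they are locked out. This is an added example, not part of the thread: the keys follow the AD attributes `sAMAccountName`, `pwdLastSet` and `userAccountControl`, while the 14-day warning window, the sample rows and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90                # expiry policy quoted in the thread
WARN_DAYS = 14                   # assumption: lead time for the reminder
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def classify(row, now):
    """Return (status, password age in days or None) for one exported row."""
    uac, pls = int(row["userAccountControl"]), int(row["pwdLastSet"])
    if pls == 0:                             # usually "must change at next logon"
        return ("no-timestamp", None)
    age = (now - filetime_to_dt(pls)).days
    if uac & DONT_EXPIRE_PASSWORD:           # accounts rotated by hand
        return ("manual-overdue" if age >= MAX_AGE_DAYS else "manual-ok", age)
    if age >= MAX_AGE_DAYS:
        return ("expired", age)
    if MAX_AGE_DAYS - age <= WARN_DAYS:      # user never sees the logon warning
        return ("notify", age)
    return ("ok", age)

def report(rows, now):
    return {r["sAMAccountName"]: classify(r, now) for r in rows}

# Constructed sample rows (not real accounts), dated relative to NOW.
NOW = datetime(2005, 2, 8, tzinfo=timezone.utc)
def _row(name, uac, days_ago):
    pls = 0 if days_ago is None else dt_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": str(uac), "pwdLastSet": str(pls)}

SAMPLE = [
    _row("remote1", 0x200, 80),      # normal account, 10 days left
    _row("remote2", 0x200, 100),     # already expired
    _row("remote3", 0x10200, 200),   # non-expiring, overdue for manual reset
    _row("remote4", 0x10200, 30),    # non-expiring, recently reset
    _row("remote5", 0x200, None),    # pwdLastSet = 0
    _row("remote6", 0x200, 5),       # recently changed
]

if __name__ == "__main__":
    for name, (status, age) in report(SAMPLE, NOW).items():
        print(f"{name:8} {status:15} age={age}")
```

Accounts reported as `notify` or `manual-overdue` are the ones to contact; the second group is invisible to the domain's own expiry mechanism because of the non-expiring flag.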

