RE: Group Policy: multiple password policies in the same domain?

From: Federated Information Security (FederatedInformationSecurity_at_federatedinv.com)
Date: 09/06/05

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #255"
    Date: Tue, 6 Sep 2005 13:09:33 -0400
    To: "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>

    Domain password policies must apply to machines at the domain level.
    All password interaction is handled by the GINA and its associated
    parts, and these are owned by the LSA. Necessarily, the LSA must be
    tightly controlled so it doesn't burp up its secrets, so it's owned by
    the system, not by a user process.

    Also note that by default, you don't have to actually log in to change
    your password. At first, this seems a bit odd, but it makes sense once
    you work through it. After all, if you type in the wrong password, what
    process will have the authority to lock out your account? It can't be
    your user account, that doesn't make sense.

    The password policy for all domain accounts must be set at the default
    domain policy. Period. There's no way around it.

    If you set password policy in an OU, it will affect the LOCAL accounts
    created on any machines that are added to that OU. So if the service
    accounts are local, you can use the stronger password policies on them.

    For service accounts, a good way to improve control is to create a
    global group for "Non-Interactive Service Accounts", and through group
    policy give this group the "Deny interactive logon" right. That way if
    someone knows the password, they still can't use it to log on. Not
    foolproof, just another hurdle.

    Finally, keep in mind that you can bypass some of the group policy
    settings on individual accounts. Accounts still have a "password never
    expires" flag and some others. And you can use the User Management MMC
    snap-in to bypass policies. For example, you might change an account
    password, break something, and need to set it back to its original
    value. If you have password history enabled, you can't do this with the
    GINA. But if you use the user management snap-in, you can right-click
    on the account and reset the password back to the original value,
    bypassing the restrictions. It's very difficult to audit for this.

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Wednesday, August 31, 2005 10:28 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Group Policy: multiple password policies in the same
    domain?

    > -----Original Message-----
    > From: Richard Whitworth [mailto:Richard.Whitworth@hsbp.co.uk]
    > Sent: Wednesday, August 31, 2005 10:19 AM
    > To: Derick Anderson
    > Subject: RE: Group Policy: multiple password policies in the
    > same domain?
    >
    > You can only set password policies affecting domain accounts
    > using the "default domain policy" GPO - ie. the GPO at the
    > top of the AD tree for a particular domain.
    >
    > As you identify, setting a GPO that affects computer
    > accounts lower down in the AD tree will only affect local accounts.
    >
    > Richard
    >

    Does anyone know why the password policy is a computer and not a
    user-based setting?

    Derick Anderson
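The controls discussed in the message above (a global group for service accounts that is denied interactive logon, the domain-root password policy versus the local policy an OU-linked GPO actually changes, the per-account flags that sidestep the policy, and the admin "reset" that bypasses password history) worked through as an added PowerShell example. This is not code from the original post; it assumes the ActiveDirectory RSAT module on a domain-joined machine with rights to read and modify the directory, and the group name, OU path, domain name and `svc_*` naming convention are placeholders. The "Deny log on locally" user right itself is assigned to the group in a GPO (User Rights Assignment); there is no cmdlet for that step, so it is left as a comment.

```powershell
# Added example, not part of the original mailing-list post.
# Assumes: ActiveDirectory module (RSAT), domain-joined host, sufficient rights.
# Placeholders: group name, OU path, DC=example,DC=com, svc_* account names.
Import-Module ActiveDirectory

# 1. Global group for service accounts that must never log on interactively.
#    Assign the "Deny log on locally" user right to this group in a GPO under
#    Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment. A leaked password then still
#    cannot be used at the console (network/service logons are unaffected).
$groupName = 'Non-Interactive Service Accounts'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path 'OU=Service Accounts,DC=example,DC=com'
}
Get-ADUser -Filter 'SamAccountName -like "svc_*"' |
    ForEach-Object { Add-ADGroupMember -Identity $groupName -Members $_ }

# 2. Only the policy linked at the domain root governs domain accounts.
#    Compare it with what this machine enforces on its LOCAL SAM accounts,
#    which is what a password policy in an OU-linked GPO actually changes.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Format-List MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, ComplexityEnabled, LockoutThreshold
net accounts          # local SAM policy on this machine
net accounts /domain  # policy the domain controllers apply to domain accounts

# 3. Accounts that bypass the domain policy through per-account flags, or
#    whose password is older than MaxPasswordAge allows.
$maxAge = $domainPolicy.MaxPasswordAge
Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordNotRequired,
        PasswordLastSet |
    Where-Object {
        $_.PasswordNeverExpires -or $_.PasswordNotRequired -or
        ($_.PasswordLastSet -and $maxAge.TotalDays -gt 0 -and
         $_.PasswordLastSet -lt (Get-Date).AddDays(-$maxAge.TotalDays))
    } |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
        PasswordNotRequired, PasswordLastSet |
    Sort-Object SamAccountName

# 4. An administrative reset (the right-click "Reset Password" in the snap-in)
#    is not subject to password history, but it is logged as a different
#    Security event from a user-initiated change. On Windows Server 2008 and
#    later the reset is event ID 4724 and the change is 4723 (on 2000/2003:
#    628 and 627). Run on each DC to see who reset whose password.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ResetBy   = $d['SubjectUserName']
            Target    = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
        }
    }
```

Step 4 is the practical answer to the "very difficult to audit" remark: the reset path cannot be blocked by policy, but it can be separated from ordinary password changes in the Security log, so an alert on resets performed by anyone outside the help-desk group is straightforward once auditing of account management events is enabled on the domain controllers.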


