Re: Password Change Utility
From: Br0wnbear (brownbearat_at_canadadotcom.net)
Date: 10/22/04
Date: Fri, 22 Oct 2004 09:31:18 -0400
On Wed, 08 Sep 2004 19:32:14 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:
>I agree with you. I suggest that they consider that you look at Microsoft
>Recommendations in the link I provided and consider having the accounts reset
>themselves after a short period of time so as not to involve the service desk all the
>time. If your account lockout threshold is less than ten then it is too low. Raising
>it will decrease the amount of lockouts yet still protect from password attacks,
>particularly if you enforce complex passwords. In addition you can enable auditing of
>account management on your domain controllers to see when accounts have been locked
>out by viewing the security log of your pdc fsmo for Event ID 642. That way you still
>will know when a domain account has been locked out and for what user. --- Steve
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:810d01c495a6$633146a0$a501280a@phx.gbl...
>We do already have a lockout policy created... The
>accounts do not even unlock after a specific time, our
>service desk is required to unlock accounts. I am more
>concerned with the idea of having an application
>available to our users that asks them a few questions
>then resets their accounts for them. I don't think the
>program they are looking at using stores the passwords in
>a table? It just seems to me like we would be opening a
>huge gaping hole, I am just having a hard time revealing
>it. Any recommendations would be greatly appreciated.
>
>
>
>>-----Original Message-----
>>I don't like the idea either as you will have to have a "database" of their passwords
>>stored somewhere as passwords are not stored in Active Directory - their hashes are
>>which can possibly be recovered by a program like LC5 but that could take a long time
>>if lm hash storage is disabled and the user has a password like " 77Yy!@--bb£)) ". I
>>would reconsider your lockout policy. Microsoft recommends that you use a lockout
>>threshold of no less than ten and to implement complex passwords. If you do such and
>>have a lockout time period of ten minutes, you can eliminate most administrator
>>intervention in reactivating an account and still effectively deter brute force
>>password attacks. If you implement a password lookup program, you end up with lazy
>>users. They just have to learn to be more careful in managing their passwords. The
>>link below is official Microsoft stuff on account lockout policy
>>recommendations. --- Steve
>>
>>http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch02.mspx#XSLTsection123121120120
>>
>>"sfling@cardone.com" <anonymous@discussions.microsoft.com> wrote in message
>>news:77bb01c494fd$d1c74230$a501280a@phx.gbl...
>>> Our company is looking into the possibility of
>>> implementing a program on our Windows 2003 domain that
>>> would enable the end user to reset their password and
>>> re-enable their account if locked out. They will be asked a
>>> few personal questions then the program will change their
>>> password and display a 128 bit encrypted web page
>>> displaying their password. I am not personally in
>>> favor of this application running on the network and I am
>>> looking for any suggestions that I may need to look out
>>> for. Any suggestions???
>>
>>
>>.
>>
>
A simpler theory. If they can't remember their passwords how are they
going to remember the answers to three questions?
hth
John Brown
"Bears have more fun, we hibern8 alot"
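Added example, not part of the original thread: a small model of the lockout settings discussed in the quoted replies (a threshold of ten with a ten-minute automatic reset, versus accounts that stay locked until the service desk unlocks them), replayed against a constructed stream of one bad password per second for a day. The reset-counter window, the manual policy's threshold of 3, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int       # bad passwords allowed before the account locks
    duration_s: int      # lockout length in seconds; 0 = until an admin unlocks
    reset_window_s: int  # quiet seconds after which the counter resets (assumed)

@dataclass
class Result:
    evaluated: int = 0      # guesses actually checked against the password
    lockouts: int = 0       # times the account locked
    admin_unlocks: int = 0  # lockouts only the service desk can clear

def simulate(policy: LockoutPolicy, bad_logon_times: Iterable[int]) -> Result:
    """Replay failed logons (seconds, ascending) against one account."""
    res = Result()
    failures = 0
    last_failure: Optional[int] = None
    locked_until: Optional[float] = None  # None = not locked
    for t in bad_logon_times:
        if locked_until is not None:
            if t < locked_until:
                continue  # rejected while locked; password never checked
            locked_until, failures = None, 0  # lockout expired on its own
        if last_failure is not None and t - last_failure >= policy.reset_window_s:
            failures = 0  # quiet period elapsed, counter resets
        res.evaluated += 1
        failures += 1
        last_failure = t
        if failures >= policy.threshold:
            res.lockouts += 1
            if policy.duration_s == 0:
                res.admin_unlocks += 1
                locked_until = float("inf")
            else:
                locked_until = t + policy.duration_s
    return res

# Constructed input: one bad password per second for 24 hours.
DAY = range(24 * 60 * 60)
RECOMMENDED = LockoutPolicy(threshold=10, duration_s=600, reset_window_s=600)
MANUAL = LockoutPolicy(threshold=3, duration_s=0, reset_window_s=600)  # threshold assumed

if __name__ == "__main__":
    for name, policy in (("auto-reset", RECOMMENDED), ("manual unlock", MANUAL)):
        print(name, simulate(policy, DAY))
```

Under the ten-attempt, ten-minute policy the model lets 1,420 guesses through in 24 hours with no service desk involvement; the manual policy stops after 3 guesses, but every lockout becomes a call to the service desk.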