Re: local administrator account password policy
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/03/05
- Next message: Steven L Umbach: "Re: windows 2003 event id 672 failure audit"
- Previous message: Steven L Umbach: "Re: Share Permissions on NETLOGON and SYSVOL"
- In reply to: Eric Gurney: "local administrator account password policy"
- Next in thread: Eric Gurney: "Re: local administrator account password policy"
- Reply: Eric Gurney: "Re: local administrator account password policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Jan 2005 13:12:52 -0600
Password maximum age is generally a function of the length and complexity of
the password, who uses the local administrator passwords, and whether they are
capable/trusted users. You certainly can configure those accounts to never
expire if that will work for you and your level of risk management. If
computers that hold critical data are physically secured, then you have much
less risk of local administrator passwords being compromised, as it is easy
to reset the admin password if you have physical access to a computer.

Forcing local administrators to use a password [or better yet, pass phrase]
of at least 10 characters with password complexity enabled would, everything
else being equal, allow those passwords to have a much longer maximum
password age. Disabling storage of LM hashes [assuming all W2K/XP Pro/W2003
computers] will make password cracking much more difficult after the policy
has been enabled and the password changed. Another possibility is to disable
the built-in admin account [XP Pro/W2003], or to give it a really long, complex
password for W2K, and then issue those users that need local administrator
account access smart cards. Smart cards are not all that expensive and
fairly easy to configure.

Don't underestimate social engineering in your plans to secure your network.
Most non-technical users are very trusting of requests for passwords etc. if
they do not know any better. Auditing of account logon events and account
management in Domain Controller Security Policy, and logon events on domain
computers, should also be a part of your security strategy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656 -- note
that the procedure differs for W2K and XP/W2003. Configuring security policy
on a Windows 2003 domain controller to disable LM hash will NOT apply to W2K
computers - they must have the registry change.
"Eric Gurney" <egurney@iname.com> wrote in message
news:ewjqNOc8EHA.824@TK2MSFTNGP11.phx.gbl...
> I am getting ready to implement (finally) a strong password policy on my
> small network. My question is how to handle the local Administrator
> account's password policy. Should I put that on the same password
> expiration schedule as domain accounts and change it as needed (which
> should be rarely), or exclude that account from the expiration limits?
>
> Thanks,
> Eric
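The reply above recommends two host-level controls: disabling LM hash storage per KB 299656 (with the W2K registry-key form differing from the XP/W2003 DWORD form) and either disabling the built-in Administrator account or keeping its password rotated. The following PowerShell script is an added example written for this page; it is not code from Steve's post or from Microsoft. It reports whether a host has applied both controls. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and newer), and the 30-day maximum password age is an assumed policy value, not one stated in the thread.

```powershell
# Added example, not from the original thread. Checks the two hardening steps
# discussed above on the local host: LM hash storage disabled (KB 299656) and
# the built-in Administrator account disabled or recently rotated.
# Assumes Windows PowerShell 5.1+ with Get-LocalUser available.

function Get-LmHashStorageState {
    # KB 299656: on XP/W2003 (and later) the setting is a DWORD value named
    # NoLMHash = 1 under the Lsa key; on Windows 2000 it is a subkey named
    # NoLMHash instead, so accept either form.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsaPath -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    if ($value -eq 1) { return 'Disabled (NoLMHash DWORD = 1)' }
    if (Test-Path -Path "$lsaPath\NoLMHash") { return 'Disabled (NoLMHash subkey, W2K form)' }
    # Note: even when disabled, existing LM hashes remain until each password
    # is changed, which is why the post says to rotate passwords afterwards.
    return 'ENABLED - LM hashes are still being stored'
}

function Get-LocalAdminState {
    param([int]$MaxPasswordAgeDays = 30)   # assumed threshold, adjust to policy
    # The built-in Administrator always has RID 500; match on SID rather than
    # on name, because the account may have been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $ageDays = $null
    if ($admin.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $admin.PasswordLastSet).TotalDays
    }
    # Compliant if the account is disabled (XP/W2003 option in the post) or the
    # password has been set within the allowed age.
    $compliant = (-not $admin.Enabled) -or
                 ($null -ne $ageDays -and $ageDays -le $MaxPasswordAgeDays)
    [pscustomobject]@{
        Name                 = $admin.Name
        Enabled              = $admin.Enabled
        PasswordLastSet      = $admin.PasswordLastSet
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = ($null -eq $admin.PasswordExpires)
        Compliant            = $compliant
    }
}

# Run the checks and print a short report for the host.
$lmState = Get-LmHashStorageState
Write-Host "LM hash storage : $lmState"
Get-LocalAdminState -MaxPasswordAgeDays 30 | Format-List
```

Run it in an elevated session on each machine you want to verify, or wrap the two functions in Invoke-Command to collect the report from many hosts at once. Reading the Lsa key requires no special rights, but Get-LocalUser does need the LocalAccounts module, so on older hosts such as the W2K and XP systems the post discusses you would have to fall back to inspecting the registry and `net user Administrator` output by hand.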