Re: local administrator account password policy
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/04/05
- Next message: Death n Rebirth: "Disabling 2003 Server SMB Signing lost ACL effectiveness"
- Previous message: Steven L Umbach: "Re: Windows 2003 Event ID 684s"
- In reply to: Eric Gurney: "Re: local administrator account password policy"
- Next in thread: Eric Gurney: "Re: local administrator account password policy"
- Reply: Eric Gurney: "Re: local administrator account password policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Jan 2005 19:02:55 -0600
Sounds good. Keep in mind that a disabled built in administrator account in
XP/2003 can still be accessed in safe mode. --- Steve
"Eric Gurney" <egurney@iname.com> wrote in message
news:OviyHFd8EHA.2016@TK2MSFTNGP15.phx.gbl...
> We're looking at going with smart cards, but there are hardly ever any
> logons by local users, so I guess disabling those accounts in XP and
> getting extra smart cards for the local admins of the W2k servers sounds
> like the best solution. No 2003 servers in the picture yet as we are
> still getting ready to migrate off of SQL 7.
> I will keep your auditing suggestions in mind as I continue designing our
> new security policies.
>
> Thanks,
> Eric
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:OZ682gc8EHA.2124@TK2MSFTNGP14.phx.gbl...
>> Password maximum age is generally a function of the length and complexity
>> of the password and who uses the local administrator passwords and are
>> they capable/trusted users. You certainly can configure those accounts to
>> never expire if that will work for you and your level of risk management.
>> If computers that hold critical data are physically secured, then you
>> have much less risk of local administrator passwords being compromised as
>> it is easy to reset the admin password if you have physical access to a
>> computer. Forcing local administrators to use a password [or better yet
>> pass phrase] of at least 10 characters with password complexity enabled
>> would, everything else being equal, allow those passwords to have a much
>> longer maximum password age. Disabling storage of lm hashes [assuming all
>> W2K/XP Pro/W2003 computers] will make password cracking much more
>> difficult after the policy has been enabled and the password changed.
>> Another possibility is to disable the built in admin account [XP
>> Pro/W2003] or give it a really long complex password for W2K and then
>> issue those users that need local administrator account access smart
>> cards. Smart cards are not all that expensive and fairly easy to
>> configure. Don't underestimate social engineering in your plans to secure
>> your network. Most non-technical users are very trusting of requests for
>> passwords etc. if they do not know any better. Auditing of account logon
>> events and account management in Domain Controller Security policy and
>> logon events on domain computers should also be a part of your security
>> strategy. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;299656 -- note
>> that the procedure differs for W2K and XP/W2003. Configuring security
>> policy on a Windows 2003 domain controller to disable lm hash will NOT
>> apply to W2K computers - they must have the registry change.
>>
>> "Eric Gurney" <egurney@iname.com> wrote in message
>> news:ewjqNOc8EHA.824@TK2MSFTNGP11.phx.gbl...
>>> I am getting ready to implement (finally) a strong password policy on my
>>> small network. My question is how to handle the local Administrator
>>> accounts password policy. Should I put that on the same password
>>> expiration schedule as domain accounts and change it as needed (which
>>> should be rarely), or exclude that account from the expiration limits?
>>>
>>> Thanks,
>>> Eric
>>>
>>>
>>
>>
>
>
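An added example, not part of this thread and not from Microsoft's KB article: a PowerShell audit of one host against the points Steve raises above (built-in Administrator status and password age, and whether LM hash storage has been disabled). It assumes PowerShell 2.0 or later run from an elevated prompt on XP/2003 or newer; $MaxPasswordAgeDays is an assumed site policy value, and the two NoLMHash checks follow the W2K (subkey) versus XP/2003 (DWORD value) distinction the thread points to.

```powershell
function Test-LocalAdminHardening {
    param([int]$MaxPasswordAgeDays = 90)   # assumed site policy value, not from the thread

    $findings = @()
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # XP/2003: the policy setting writes REG_DWORD NoLMHash = 1 under Lsa.
    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    $dwordSet = ($lsa -ne $null) -and ($lsa.NoLMHash -eq 1)
    # Windows 2000 SP2+: a subkey named NoLMHash under Lsa is used instead (KB 299656).
    $subkeySet = Test-Path -Path (Join-Path $lsaPath 'NoLMHash')

    if ($dwordSet -or $subkeySet) {
        $findings += 'NoLMHash is set; LM hashes already in the SAM remain until each password is changed.'
    } else {
        $findings += 'NoLMHash is NOT set; LM hashes of local passwords are still being stored.'
    }

    # Locate the built-in Administrator by RID 500 rather than by name, since it may be renamed.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $admin = $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
            $sid.Value -like '*-500'
        } |
        Select-Object -First 1
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

    $flags        = [int]$admin.UserFlags.Value
    $disabled     = ($flags -band 0x2) -ne 0        # ADS_UF_ACCOUNTDISABLE
    $neverExpires = ($flags -band 0x10000) -ne 0    # ADS_UF_DONT_EXPIRE_PASSWD
    $ageDays      = [math]::Floor(([int]$admin.PasswordAge.Value) / 86400)   # PasswordAge is in seconds

    if ($disabled) {
        $findings += 'Built-in Administrator is disabled (still usable in safe mode on XP/2003, as noted in the thread).'
    } elseif ($neverExpires -and $ageDays -gt $MaxPasswordAgeDays) {
        $findings += "Password never expires and is $ageDays days old (assumed policy max $MaxPasswordAgeDays)."
    } elseif ($ageDays -gt $MaxPasswordAgeDays) {
        $findings += "Password is $ageDays days old, over the assumed $MaxPasswordAgeDays-day maximum."
    }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        AdminName       = $admin.Name.Value
        AdminDisabled   = $disabled
        PwdNeverExpires = $neverExpires
        PwdAgeDays      = $ageDays
        NoLMHash        = ($dwordSet -or $subkeySet)
        Findings        = $findings
    }
}

Test-LocalAdminHardening | Format-List
```

The script only reads; it changes nothing. Matching on RID 500 instead of the account name matters because renaming the built-in Administrator is a common hardening step, and the NoLMHash finding deliberately reminds you that enabling the setting on its own does nothing for hashes already stored: each local password has to be changed afterwards, as the thread says.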