Security Basics mailing list archives

RE: Changing the domain password policy


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Mon, 16 Oct 2006 21:11:08 -0400

Normally, changes to Windows domain password policies only apply during
the changes of passwords made using the normal password change GUI (i.e.
Ctrl-Alt-Del sequence, Change Password) and during account creations or
password resets.

Password complexity is not checked when actually used.

Roger

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Monday, October 16, 2006 3:04 PM
To: security-basics () securityfocus com
Subject: Changing the domain password policy

Hi List,

I am going to enforce some domain password standards on a w2k domain. I
am going to set the password policy to a more complex level than it
already is.

The questions I have are;

There are a number of service and application accounts to which
developers have set a number of weak passwords. So my plan is to contact
the developers and request them to change passwords to these accounts,
so applications and such do not break during transition. What is the
best way to do this?

In general is there anything else that anyone can recommend? What else
should I consider? I am sure someone here must have done this before. What
are your experiences of this?

When is the password policy enforced?

Does this affect the domain admin account?

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
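
Because the policy is only checked when a password is changed, created or reset, accounts whose password predates the policy change keep their old password until one of those events happens. The following is an added example, not part of the original thread: it takes account records exported from the directory (the sAMAccountName, pwdLastSet and userAccountControl attributes) and lists enabled accounts whose password was last set before the policy change. The sample records and the policy date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires

def filetime_to_dt(ft):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def predates_policy(accounts, policy_changed):
    """Return (name, note) for enabled accounts whose password was set
    before policy_changed and so has not been checked against it."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue
        ft = acct["pwdLastSet"]
        if ft == 0:
            continue  # must change at next logon; the new policy applies then
        if filetime_to_dt(ft) < policy_changed:
            note = "never expires" if uac & UF_DONT_EXPIRE_PASSWD else "expires normally"
            findings.append((acct["sAMAccountName"], note))
    return findings

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: names, dates and the policy date are made up.
POLICY_CHANGED = _utc(2006, 10, 20)
SAMPLE = [
    {"sAMAccountName": "svc_app", "userAccountControl": 0x10200,
     "pwdLastSet": dt_to_filetime(_utc(2004, 3, 1))},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(_utc(2006, 9, 1))},
    {"sAMAccountName": "akhan", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(_utc(2006, 11, 2))},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "pwdLastSet": dt_to_filetime(_utc(2003, 1, 15))},
]

if __name__ == "__main__":
    for name, note in predates_policy(SAMPLE, POLICY_CHANGED):
        print(f"{name}: password predates policy change ({note})")
```

Accounts reported as "never expires" are typically the service and application accounts the question mentions; they will keep the old password until someone changes or resets it.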

