Security Basics mailing list archives
RE: Policy enforcement- Admin accounts
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Tue, 18 Dec 2007 18:45:00 +0100
Many people have replied to the original post, stating to set an additional GPO on an OU so you can set a different password policy. I agree, yes, you can go ahead and create a GPO, assign Password Policies in it, and link it to your OU - but the password policies will NOT take effect... I repeat, the Password Policy portion of a GPO can only be applied at the domain level... This could be in the 'Default Domain Policy' or in a new GPO applied to the domain, but it only applies at the domain level. That is why I, and several others, suggested the only viable option is to create an additional management domain in the forest. It can be an empty root with just your admin accounts. THEN, you can apply different password policies to the admin users in the management domain...

-Jesse

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Can Deger
Sent: Tuesday, December 18, 2007 8:15 AM
To: 'Paul J. Brickett'
Cc: security-basics () securityfocus com; security-basics-return-46896 () securityfocus com
Subject: RE: Policy enforcement- Admin accounts

Wow thanks, I didn't know that. I remember that we could use passprop, but didn't try to use it on the 2k3 domain... Thanks for the update :)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul J. Brickett
Sent: Monday, 17 December 2007 21:55
To: Can DEGER
Cc: security-basics () securityfocus com; security-basics-return-46896 () securityfocus com
Subject: Re: Policy enforcement- Admin accounts

Charles is correct in regards to the inability to set password policies on an OU basis. He is not correct in regards to the default domain Administrator account not being able to be locked. Please consult the following MS article, which describes how to configure the domain\administrator account to lockout using ADSIedit: http://support.microsoft.com/kb/885119

On Mon, 17 Dec 2007, Can DEGER wrote:
Charles Hardin is absolutely right on this subject: you can't set password policies with OUs.. :( That's why security professionals advise administrators to disable the "admin" account (even rename it) and then use another account with the "admin" privileges. Once you have that kind of account, you can set the account lockout policy for it.. Unfortunately, password policies are set domain-wide. As Charles Hardin mentioned below, moving your accounts to another domain should establish a trust between your domain and the admin domain, so that management would not be a problem...

On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm () gmail com> wrote:

Sadly with AD you can only have one account security policy per domain. You would need to make a second domain in your forest and move your admin accounts there. Also remember the actual Administrator account CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:

In an active directory environment (windows 2003), I want to ensure lockout for administrator accounts also, in order to protect against attempts to brute force account passwords. The flipside is, we might have a DoS situation, but I can live with it. Is there a tool I can deploy to ensure that the admin account also locks out after a certain no. of attempts? Also, ONLY for admin accounts, I want to enforce certain settings like: Password should contain at least 15 characters, should not contain a dictionary word etc. My normal password policy for AD user accounts, set at the domain level, is a minimum of 8 chars, but I want to deploy this special policy of 15 chars minimum for admin accounts. How should I go about this?
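The thread's two practical points are that password and lockout settings are domain-wide, and that the built-in Administrator account (RID 500) is not subject to lockout by default, so a renamed copy will not hide it. The following PowerShell script is an added example, not code from the thread or from any of its participants. It assumes the RSAT ActiveDirectory module (which post-dates the Windows 2003 systems discussed) and read access to the domain; the function name and the choice of "Domain Admins" as the group to audit are the author's assumptions. It reports the single effective password and lockout policy for the domain and lists each privileged account, flagging the RID-500 account by SID rather than by name.

```powershell
# Added example (not from the thread): audit the domain-wide password/lockout
# policy and the members of a privileged group, flagging the built-in
# Administrator (RID 500), which the thread notes is not locked out by default.
# Assumes the RSAT ActiveDirectory module and rights to read the domain.
Import-Module ActiveDirectory

function Get-AdminAccountLockoutReport {
    param(
        # Domain to query; defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Group whose members are considered privileged (assumption for the example).
        [string]$AdminGroup = 'Domain Admins'
    )

    # On Windows Server 2003 this is the only password/lockout policy that
    # applies to domain accounts; an OU-linked GPO's password settings are ignored.
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $Domain

    # Resolve nested membership down to user objects only.
    $users = Get-ADGroupMember -Identity $AdminGroup -Server $Domain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Server $Domain `
                -Properties Enabled, LockedOut, PasswordLastSet, badPwdCount
        }

    foreach ($u in $users) {
        # Match the built-in Administrator by its RID, so renaming does not hide it.
        $isBuiltIn = $u.SID.Value -match '-500$'

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            BuiltInAdmin      = $isBuiltIn        # RID 500: exempt from lockout by default
            PasswordLastSet   = $u.PasswordLastSet
            BadPwdCount       = $u.badPwdCount    # per-DC counter; query the PDC emulator for the authoritative value
            LockedOut         = $u.LockedOut
            MinPasswordLength = $policy.MinPasswordLength
            LockoutThreshold  = $policy.LockoutThreshold   # 0 means lockout is disabled
            LockoutDuration   = $policy.LockoutDuration
        }
    }
}

# Usage: run from a domain-joined host with RSAT installed.
Get-AdminAccountLockoutReport | Format-Table -AutoSize
```

Because MinPasswordLength and LockoutThreshold come from the one domain policy, every row shows the same values; that is the point the thread makes. A row with BuiltInAdmin set to True and Enabled set to True is the account the replies recommend disabling or renaming in favour of a separate administrative account that the lockout policy actually covers.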
Current thread:
- Re: Policy enforcement- Admin accounts, (continued)
- Re: Policy enforcement- Admin accounts Paul J. Brickett (Dec 17)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts Raoul Armfield (Dec 18)
- Re: Policy enforcement- Admin accounts MaddHatter (Dec 18)
- Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
- Re: Policy enforcement- Admin accounts Charles Hardin (Dec 18)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
- RE: Policy enforcement- Admin accounts Can Deger (Dec 18)
- RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 18)
- RE: Policy enforcement- Admin accounts Scalcione.David (Dec 17)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 17)
- Discussing Microsoft Forefront security attempt WALI (Dec 24)
- RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 17)