Solved

Enable Password Policies

Posted on 2006-07-02
7
333 Views
Last Modified: 2008-03-03
A message box which recommends that I enable password policies is appearing.

"Password policies have not been enable on the network. It is recommended that all user accounts be protected by strong passwords. Do you want to enable strong passwords now?" Yes No.

What should I do? I can of course just enable it but want to ask first. Partly because no hits (or just one hit) appear in the whole SBS area, and there is very little information on Microsoft.

Do strong passwords mean that I can't use a password like the name of the corporation, as we use on one official "used by all" computer? That would drive some users mad. On the other hand, we really need strong passwords for some users who are able to connect remotely to the network (those have different templates specifically for mobile access).
0
Comment
Question by:dingir
7 Comments
 
LVL 7

Expert Comment

by:Zadkin
ID: 17029480
When enabling, you get the possibility to decide what the policy will be (3 choices, 2 parameters):
-length (length)
-complexity (always three types of characters out of 4)
-age (days)


Ref:
Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

- Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.
- Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Numerals (0 through 9)
  - Nonalphanumeric characters (such as , !, $, #, and %)
- Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.

0
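The three policy options quoted in the comment above, written out as a checker to show which passwords each rule rejects. This is an added example, not part of the original thread and not Microsoft's implementation; the function names, the sample passwords and the reading of "part of a user's account name" as three or more consecutive characters are assumptions.

```python
import string
from datetime import date, timedelta

# Defaults quoted in the reference text above.
MIN_LENGTH = 7
MAX_AGE_DAYS = 42
# Assumption: a "part" of the account name is 3+ consecutive characters.
NAME_FRAGMENT = 3


def character_categories(password):
    """Return which of the four listed character categories are present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalnum():
            found.add("symbol")
    return found


def contains_name_part(password, account_name):
    """Case-insensitive check for any NAME_FRAGMENT-long slice of the name."""
    pw, name = password.lower(), account_name.lower()
    return any(name[i:i + NAME_FRAGMENT] in pw
               for i in range(len(name) - NAME_FRAGMENT + 1))


def policy_violations(password, account_name, last_changed, today):
    """List every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(character_categories(password)) < 3:
        problems.append("fewer than three character categories")
    if contains_name_part(password, account_name):
        problems.append("contains part of the account name")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append("older than maximum age")
    return problems


if __name__ == "__main__":
    # Constructed sample: a company-name password on a shared account.
    print(policy_violations("contoso", "shared", date(2006, 7, 1), date(2006, 7, 2)))
```

A company-name password such as the constructed `contoso` meets the 7-character minimum but fails the complexity rule, which is the case raised in the question.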
 
LVL 1

Author Comment

by:dingir
ID: 17029544
Can I set different policies for different GPOs through this wizard? Or some other wizard? Because I don't want strong passwords on users belonging to a specific GPO. As I understand from other posts, it's not a good idea to change the policy directly on the GPO itself?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 150 total points
ID: 17029578
Actually there is a lot of information in the Help & Support of your SBS about this... and actually it's in the FIRST item on the To-Do list, "View Security Best Practices."  Click on that, and then the first item is "protecting access to the Windows Small Business Server network from external threats" link.  Which takes you to the Configuring password policies section.

I always suggest that people look first at the Help & Support within the server first... it contains a ton of info and will link directly to appropriate MS KB articles.

It's important to remember that your SBS is most likely accessible from anywhere in the world now... so if you don't implement a decent password policy you might as well not lock the front door to your office anymore... actually that's probably still safer... you might want to remove the front doors instead.

Getting users to get used to the idea of having THEIR OWN password that is NOT SHARED with anyone takes a bit of getting used to... but it's imperative if you want to have a secure network.  You don't have to start with a TOO STRONG password, for instance you can select the items which will apply... perhaps just start with a minimum 7 digits as well as requiring complexity of characters, and changing it only every 4 months or so to begin with... eventually you should get it to at least 10 characters and changing every two months if possible.

Jeff
TechSoEasy
0

 
LVL 1

Author Comment

by:dingir
ID: 17029644
Hi Tech!

Thanks for the answer. Yes, and it's also recommended that I do this task after all computers and users are added, say the help files :-). Because the computers can't be added before the whole server replacement, I haven't set it up yet. What are the benefits of adding all computers first? Does it make sense, because no users are affected?
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 100 total points
ID: 17029978
You can only have one password policy per domain; this policy will be applied to all users. You can NOT apply a different password policy for domain users by changing the password policy in an OU; this will only apply to *local* accounts on the machines in this OU, but never to domain accounts.
What you can do with the "general" computer is check the "password never expires" option in the user's profile. If you have to change it to another weak password, disable the password policy, change the password, enable the password policy again.
For security reasons, this account should be restricted to be only allowed logons to that special machine, not any other machine.
Another option might be to create a local account on this machine, if access to domain resources isn't required.
Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
0
 
LVL 1

Author Comment

by:dingir
ID: 17030087
oBdA: Thanks for the answer! That's exactly what I thought I needed to do.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17032682
dingir,

I would suspect that the recommendation to wait until after all computers and users are added is made with the thought that it would be a short time before that would be finished... ie, a day or two.  There's no real reason to wait to implement the policy other than for the convenience of initially setting up your network.

Jeff
TechSoEasy
0
