Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Enable Password Policies

Posted on 2006-07-02
7
Medium Priority
?
350 Views
Last Modified: 2008-03-03
An messagebox wich recommend me to enable password policies is appearing.

"Password policies have not been enable on the network. It is recommended that all user accounts be protected by strong passwords. Do you want to enable strong passwords now?" Yes No.

What should I do? I can of course just enable it but wan't to ask first. Partly because no (or just one hit) appears in the whole SBS area and very little information on Microsoft.

Does strong passwords means that I can't use a password like the name of the corporate, as we use on one official "used by all"-computer. That should run some users mad. On other hand we really need strong passwords on some users able to remoteconnect to the network (those have difference templates specifically for mobile access).
0
Comment
Question by:dingir
7 Comments
 
LVL 7

Expert Comment

by:Zadkin
ID: 17029480
When enabling,  you get the possibility to decide what the policy will be (3 choices,  2 parameters):
-length (length)
-complexity (always three types of characters out of 4)
-age (days)


Ref:
Configure Password PoliciesUsing strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.
Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Numerals (0 through 9)
Nonalphanumeric characters (such as , !, $, #, and %)
Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.

0
 
LVL 1

Author Comment

by:dingir
ID: 17029544
Can I set difference policies for difference GPO's through this wizard? Or some other wizard? because I don't want strong passwords on users belongs to a specifik GPO. AS I can understand from other posts it's not an good idea to change the policy directly on the GPO itself?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 600 total points
ID: 17029578
Actually there is a lot of information in the Help & Support of your SBS about this... and actually it's in the FIRST item on the To-Do list, "View Security Best Practices."  Click on that, and then the first item is "protecting access to the Windows Small Business Server network from external threats" link.  Which takes you to the Configuring password policies section.

I always suggest that people look first at the Help & Support within the server first... it contains a ton of info and will link directly to appropriate MS KB articles.

It's important to remember that your SBS is most likely accessible from anywhere in the world now... so if you don't implement a decent password policy you might as well not lock the front door to your office anymore... actually that's probably still safer... you might want to remove the front doors instead.

Getting users to get used to the idea of having THEIR OWN password that is NOT SHARED with anyone takes a bit of getting used to... but it's impreative if you want to have a secure network.  You don't have to start with a TOO STRONG password, for instance you can select the items which will apply... perhaps just start with a minimum 7 digits as well as requiring complexity of characters, and changing it only every 4 months or so to begin with... eventually you should get it to at least 10 characters and changing every two months if possible.

Jeff
TechSoEasy
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 1

Author Comment

by:dingir
ID: 17029644
Hi Tech!

Thanks for answer. Yes and that's also recommended that I done this task After all computers and users are added, says the helpfiles :-). Because the computers can't be added before the whole server replacement, I haven't set it up yet. What are the benefits of adding all computers first? Does it make sense, because no users are affected?
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 400 total points
ID: 17029978
You can only have one password policy per domain; this policy will be applied to all users. You can NOT apply a different password policy for domain users by changing the password policy in an OU; this will only apply to *local* accounts on the machines in this OU, but never to domain accounts.
What you can do with the "general" computer is check the "password never expires" option in the user's profile. If you have to change it to another weak password, disable the password policy, change the password, enable the password policy again.
For security reasons, this account should be restricted to be only allowed logons to that special machine, not any other machine.
Another option might be to create a local account on this machine, if access to domain resources isn't required.
Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
0
 
LVL 1

Author Comment

by:dingir
ID: 17030087
OBda: Thank's for the answer! That's exactly what I thought I need to do.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17032682
dingir,

I would suspect that the recommendation to wait until after all computers and users are added is made with the thought that it would be a short time before that would be finished... ie, a day or two.  There's no real reason to wait to implement the policy other than for the convenience of initially setting up your network.

Jeff
TechSoEasy
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Integration Management Part 2
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question