Solved

Enable Password Policies

Posted on 2006-07-02
Last Modified: 2008-03-03
A message box which recommends that I enable password policies is appearing.

"Password policies have not been enable on the network. It is recommended that all user accounts be protected by strong passwords. Do you want to enable strong passwords now?" Yes No.

What should I do? I can of course just enable it but want to ask first. Partly because no hits (or just one hit) appear in the whole SBS area, and there is very little information from Microsoft.

Do strong passwords mean that I can't use a password like the name of the company, as we use on one official "used by all" computer? That would drive some users mad. On the other hand, we really need strong passwords for some users able to connect remotely to the network (those have different templates specifically for mobile access).
Question by:dingir
7 Comments
 
LVL 7

Expert Comment

by:Zadkin
ID: 17029480
When enabling, you get the possibility to decide what the policy will be (3 choices, 2 parameters):
- length (length)
- complexity (always three types of characters out of 4)
- age (days)


Ref:
Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

- Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.
- Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Numerals (0 through 9)
  - Nonalphanumeric characters (such as , !, $, #, and %)
- Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.

0
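The three policy options quoted above, written out as a checker so the effect on a company-name password can be seen. This is an added example, not part of the thread and not Windows' own implementation. The function names, the sample passwords, the account name `shared`, and the reading of "part of a user's account name" as any run of three or more consecutive characters are assumptions.

```python
import string
from datetime import datetime, timedelta

MIN_LENGTH = 7       # default minimum length quoted in the thread
MAX_AGE_DAYS = 42    # default maximum password age quoted in the thread


def char_categories(password):
    """Return which of the four quoted character categories are present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalnum():      # anything not alphanumeric counts as a symbol
            found.add("symbol")
    return found


def contains_account_part(password, account, part_len=3):
    """Assumption: a 'part' is any run of part_len consecutive account characters."""
    pw, acct = password.lower(), account.lower()
    return any(acct[i:i + part_len] in pw for i in range(len(acct) - part_len + 1))


def check_password(password, account, min_length=MIN_LENGTH):
    """Return the list of violated policy options (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("min-length")
    if len(char_categories(password)) < 3:
        problems.append("three-of-four")
    if contains_account_part(password, account):
        problems.append("account-name")
    return problems


def is_expired(last_set, now, max_age_days=MAX_AGE_DAYS):
    # A password must be changed once it is older than the maximum age.
    return now - last_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed samples; "Contoso" stands in for a company-name password.
    for pw in ("Contoso", "Contoso2006!", "Shared#2006", ""):
        print(repr(pw), check_password(pw, "shared") or "ok")
```

A bare company name of seven letters passes the length option but fails complexity, because it uses only two of the four character categories.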
 
LVL 1

Author Comment

by:dingir
ID: 17029544
Can I set different policies for different GPOs through this wizard? Or some other wizard? Because I don't want strong passwords on users belonging to a specific GPO. As I understand from other posts, it's not a good idea to change the policy directly on the GPO itself?
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 150 total points
ID: 17029578
Actually there is a lot of information in the Help & Support of your SBS about this... and actually it's in the FIRST item on the To-Do list, "View Security Best Practices."  Click on that, and then the first item is "protecting access to the Windows Small Business Server network from external threats" link.  Which takes you to the Configuring password policies section.

I always suggest that people look first at the Help & Support within the server first... it contains a ton of info and will link directly to appropriate MS KB articles.

It's important to remember that your SBS is most likely accessible from anywhere in the world now... so if you don't implement a decent password policy you might as well not lock the front door to your office anymore... actually that's probably still safer... you might want to remove the front doors instead.

Getting users to get used to the idea of having THEIR OWN password that is NOT SHARED with anyone takes a bit of getting used to... but it's imperative if you want to have a secure network. You don't have to start with a TOO STRONG password, for instance you can select the items which will apply... perhaps just start with a minimum 7 digits as well as requiring complexity of characters, and changing it only every 4 months or so to begin with... eventually you should get it to at least 10 characters and changing every two months if possible.

Jeff
TechSoEasy
LVL 1

Author Comment

by:dingir
ID: 17029644
Hi Tech!

Thanks for the answer. Yes, and it's also recommended that I do this task after all computers and users are added, say the help files :-). Because the computers can't be added before the whole server replacement, I haven't set it up yet. What are the benefits of adding all computers first? Does it make sense, because no users are affected?
LVL 83

Assisted Solution

by:oBdA
oBdA earned 100 total points
ID: 17029978
You can only have one password policy per domain; this policy will be applied to all users. You can NOT apply a different password policy for domain users by changing the password policy in an OU; this will only apply to *local* accounts on the machines in this OU, but never to domain accounts.
What you can do with the "general" computer is check the "password never expires" option in the user's profile. If you have to change it to another weak password, disable the password policy, change the password, enable the password policy again.
For security reasons, this account should be restricted to be only allowed logons to that special machine, not any other machine.
Another option might be to create a local account on this machine, if access to domain resources isn't required.
Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
LVL 1

Author Comment

by:dingir
ID: 17030087
oBdA: Thanks for the answer! That's exactly what I thought I needed to do.
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17032682
dingir,

I would suspect that the recommendation to wait until after all computers and users are added is made with the thought that it would be a short time before that would be finished... i.e., a day or two. There's no real reason to wait to implement the policy other than for the convenience of initially setting up your network.

Jeff
TechSoEasy