Solved

Best Practice passwords

Posted on 2011-03-01
5
626 Views
Last Modified: 2013-11-05
I searched (perhaps not very well) for some best practice recommendations for the various password / account lockout parameters and recommended settings in a medium security 2003 domain. I know there is such a MS document as I remember reading it many moons ago, and it had recommendations for either low/medium/security environments for all the possible password/account lockout parameters? Anyone know of similar or where I can download it...
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Accepted Solution

by:
JanStoops earned 25 total points
ID: 35005039
0
 
LVL 4

Assisted Solution

by:MarioAlcaide
MarioAlcaide earned 25 total points
ID: 35005074
0
 
LVL 3

Assisted Solution

by:jetpowercom
jetpowercom earned 25 total points
ID: 35005093
A lot of documentation exists on this.  Here are two sources from Microsoft::  

MS - Configuring Account Lockout

MS - Account Lockout Whitepaper

While every environment has its own particular considerations, these are two which should provide you with defensible best practice recommendations.

Hope this helps!
0
 
LVL 7

Assisted Solution

by:FemSteenkamp
FemSteenkamp earned 25 total points
ID: 35005461
Just a side note which most papers don't mention.

If you have account lockout settings enabled, make sure you have helpdesk capacity to handle the additional workload.  A significant number of applicaions (e.g. adobe, IM's mail clients, browser bars,old TS connections, etc) store passwords locally and will use these to look for updates on internet (proxy authentication is used) or connect to mail services.

without account lockout, these just fail in teh background. with loackout enabled they will lock the account of the user, interupting his normall mail file access when account is locked.  finding the root cause of the cached/old password  is tricky and you might have to resolve to specific tools (e.g. microsofs account lockout tools (ALTOOLS) to identify which users in a domain is being locked out, and then troubleshooting what is causing the lockout.

also be carefull of not getting too aggresive with password requirements (length, time to change) as most people will just resort to writing passwords down soemwhere, defeating the password security, although you might still pass yout IT audit for having the settings in place

 
0
 
LVL 11

Assisted Solution

by:marek1712
marek1712 earned 25 total points
ID: 35007564
NSA released plenty of the information about securing Microsoft's OSes:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question