Solved

Best Practice passwords

Posted on 2011-03-01
5
625 Views
Last Modified: 2013-11-05
I searched (perhaps not very well) for some best practice recommendations for the various password / account lockout parameters and recommended settings in a medium security 2003 domain. I know there is such a MS document as I remember reading it many moons ago, and it had recommendations for either low/medium/security environments for all the possible password/account lockout parameters? Anyone know of similar or where I can download it...
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Accepted Solution

by:
JanStoops earned 25 total points
ID: 35005039
0
 
LVL 4

Assisted Solution

by:MarioAlcaide
MarioAlcaide earned 25 total points
ID: 35005074
0
 
LVL 3

Assisted Solution

by:jetpowercom
jetpowercom earned 25 total points
ID: 35005093
A lot of documentation exists on this.  Here are two sources from Microsoft::  

MS - Configuring Account Lockout

MS - Account Lockout Whitepaper

While every environment has its own particular considerations, these are two which should provide you with defensible best practice recommendations.

Hope this helps!
0
 
LVL 7

Assisted Solution

by:FemSteenkamp
FemSteenkamp earned 25 total points
ID: 35005461
Just a side note which most papers don't mention.

If you have account lockout settings enabled, make sure you have helpdesk capacity to handle the additional workload.  A significant number of applicaions (e.g. adobe, IM's mail clients, browser bars,old TS connections, etc) store passwords locally and will use these to look for updates on internet (proxy authentication is used) or connect to mail services.

without account lockout, these just fail in teh background. with loackout enabled they will lock the account of the user, interupting his normall mail file access when account is locked.  finding the root cause of the cached/old password  is tricky and you might have to resolve to specific tools (e.g. microsofs account lockout tools (ALTOOLS) to identify which users in a domain is being locked out, and then troubleshooting what is causing the lockout.

also be carefull of not getting too aggresive with password requirements (length, time to change) as most people will just resort to writing passwords down soemwhere, defeating the password security, although you might still pass yout IT audit for having the settings in place

 
0
 
LVL 11

Assisted Solution

by:marek1712
marek1712 earned 25 total points
ID: 35007564
NSA released plenty of the information about securing Microsoft's OSes:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question