Solved

Best Practice passwords

Posted on 2011-03-01
5
617 Views
Last Modified: 2013-11-05
I searched (perhaps not very well) for some best practice recommendations for the various password / account lockout parameters and recommended settings in a medium security 2003 domain. I know there is such a MS document as I remember reading it many moons ago, and it had recommendations for either low/medium/security environments for all the possible password/account lockout parameters? Anyone know of similar or where I can download it...
0
Comment
Question by:pma111
5 Comments
 
LVL 3

Accepted Solution

by:
JanStoops earned 25 total points
Comment Utility
0
 
LVL 4

Assisted Solution

by:MarioAlcaide
MarioAlcaide earned 25 total points
Comment Utility
0
 
LVL 3

Assisted Solution

by:jetpowercom
jetpowercom earned 25 total points
Comment Utility
A lot of documentation exists on this.  Here are two sources from Microsoft::  

MS - Configuring Account Lockout

MS - Account Lockout Whitepaper

While every environment has its own particular considerations, these are two which should provide you with defensible best practice recommendations.

Hope this helps!
0
 
LVL 7

Assisted Solution

by:FemSteenkamp
FemSteenkamp earned 25 total points
Comment Utility
Just a side note which most papers don't mention.

If you have account lockout settings enabled, make sure you have helpdesk capacity to handle the additional workload.  A significant number of applicaions (e.g. adobe, IM's mail clients, browser bars,old TS connections, etc) store passwords locally and will use these to look for updates on internet (proxy authentication is used) or connect to mail services.

without account lockout, these just fail in teh background. with loackout enabled they will lock the account of the user, interupting his normall mail file access when account is locked.  finding the root cause of the cached/old password  is tricky and you might have to resolve to specific tools (e.g. microsofs account lockout tools (ALTOOLS) to identify which users in a domain is being locked out, and then troubleshooting what is causing the lockout.

also be carefull of not getting too aggresive with password requirements (length, time to change) as most people will just resort to writing passwords down soemwhere, defeating the password security, although you might still pass yout IT audit for having the settings in place

 
0
 
LVL 11

Assisted Solution

by:marek1712
marek1712 earned 25 total points
Comment Utility
NSA released plenty of the information about securing Microsoft's OSes:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now