?
Solved

Best Practice passwords

Posted on 2011-03-01
5
Medium Priority
?
629 Views
Last Modified: 2013-11-05
I searched (perhaps not very well) for some best practice recommendations for the various password / account lockout parameters and recommended settings in a medium security 2003 domain. I know there is such a MS document as I remember reading it many moons ago, and it had recommendations for either low/medium/security environments for all the possible password/account lockout parameters? Anyone know of similar or where I can download it...
0
Comment
Question by:pma111
5 Comments
 
LVL 3

Accepted Solution

by:
JanStoops earned 100 total points
ID: 35005039
0
 
LVL 4

Assisted Solution

by:MarioAlcaide
MarioAlcaide earned 100 total points
ID: 35005074
0
 
LVL 3

Assisted Solution

by:jetpowercom
jetpowercom earned 100 total points
ID: 35005093
A lot of documentation exists on this.  Here are two sources from Microsoft::  

MS - Configuring Account Lockout

MS - Account Lockout Whitepaper

While every environment has its own particular considerations, these are two which should provide you with defensible best practice recommendations.

Hope this helps!
0
 
LVL 7

Assisted Solution

by:FemSteenkamp
FemSteenkamp earned 100 total points
ID: 35005461
Just a side note which most papers don't mention.

If you have account lockout settings enabled, make sure you have helpdesk capacity to handle the additional workload.  A significant number of applicaions (e.g. adobe, IM's mail clients, browser bars,old TS connections, etc) store passwords locally and will use these to look for updates on internet (proxy authentication is used) or connect to mail services.

without account lockout, these just fail in teh background. with loackout enabled they will lock the account of the user, interupting his normall mail file access when account is locked.  finding the root cause of the cached/old password  is tricky and you might have to resolve to specific tools (e.g. microsofs account lockout tools (ALTOOLS) to identify which users in a domain is being locked out, and then troubleshooting what is causing the lockout.

also be carefull of not getting too aggresive with password requirements (length, time to change) as most people will just resort to writing passwords down soemwhere, defeating the password security, although you might still pass yout IT audit for having the settings in place

 
0
 
LVL 11

Assisted Solution

by:marek1712
marek1712 earned 100 total points
ID: 35007564
NSA released plenty of the information about securing Microsoft's OSes:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question