Solved

Fine Grained Password Policy Best Practice

Posted on 2015-01-19
Last Modified: 2015-05-11
Hello,

I'm looking for documentation on best practices for Fine-Grained Password Policy as far as implementation in an organization. I'm not looking for a configuration document.
What's the best practice password policy with FGPP?
An FGPP for:
1. VIP
2. Admins level 1
3. Admins level 2

What's new with FGPP on Windows Server 2012 besides the graphical interface?

I have to sell the technology, besides the technical possibilities offered by FGPP.

I can't find any doc on the net that I can rely on, besides documents on how to configure FGPP.

Thank you

Best Regards,
Question by:AMATERASOU

Expert Comment

by:Will Szymkowski
ID: 40558176
Take a look at the following TechNet article below, which provides both steps and also PSO structure and special considerations.

Basically, other than the UI for PSOs in 2012, there are really no other differences. You won't find clear-cut best practices when using PSOs, other than some considerations. Basic password principles apply. Also, every environment is different, and using PSOs allows you to create "out of the norm" password policies that differ from the default domain policy.

Some things to take into consideration, which are mentioned in the TechNet article, are using Security Groups rather than OUs to apply the policies. This way you can add/remove users from the Security Group rather than move them into an OU and have the user lose, or have to re-jig, group policies to apply correctly for that specific group of users.

FGPP Info

Will.

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40558178
I believe you are asking for best practices concerning password policies, realizing that FGPP are just one tool now available to implement those policies.  Password policies are still debated by the security experts I've listened to in the past.  I still come across folks who advocate for account lockouts, and others who indicate that lockouts are now only a mechanism which makes some DoS easier for attackers.  There are a LOT of recommendations, and some of them conflict.

So, I think you'll want to look at some of the articles on Password Policies in general.  "Rethinking Password Policies" and "Password Management" for example.  Next consider your user community (communities).  If they're homogenous, and all have roughly the same security requirements, then you probably do not need FGPP.  If you have different needs amongst different groups of users, you may want to consider implementing FGPP.  (For example, does the maintenance worker who only logs into the system to access their time sheet and print need the same type of sixteen-character complex password that your database administrators may need?)  Before FGPP were available, it was fairly painful to implement different password policies for different groups of users.  But again... it's just one more tool, and you need to look at your users to determine if this tool is appropriate.
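
Added example, not part of either reply above: one way to implement the per-group approach both replies describe (PSOs linked to security groups, with different requirements for different user populations), using the three tiers from the question. The group names, PSO names and every policy value are assumptions chosen for illustration, not recommendations from the thread.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to create PSOs.
# All names and numbers in $tiers are assumed values; replace them with your own policy.
Import-Module ActiveDirectory

$tiers = @(
    @{ Name = 'PSO-Admins-L2'; Group = 'GG-Admins-L2'; Precedence = 10; MinLength = 16; MaxAgeDays = 90;  Lockout = 5 }
    @{ Name = 'PSO-Admins-L1'; Group = 'GG-Admins-L1'; Precedence = 20; MinLength = 14; MaxAgeDays = 90;  Lockout = 5 }
    @{ Name = 'PSO-VIP';       Group = 'GG-VIP';       Precedence = 30; MinLength = 12; MaxAgeDays = 180; Lockout = 10 }
)

foreach ($t in $tiers) {
    # A PSO can be linked only to users and global security groups, so fail early otherwise.
    $group = Get-ADGroup -Identity $t.Group
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        throw "$($t.Group) must be a global security group to receive a PSO."
    }
    # Create the PSO only if it does not exist yet, so the script can be re-run.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($t.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
            -MinPasswordLength $t.MinLength -ComplexityEnabled $true `
            -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) `
            -MaxPasswordAge (New-TimeSpan -Days $t.MaxAgeDays) `
            -LockoutThreshold $t.Lockout `
            -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
            -LockoutDuration (New-TimeSpan -Minutes 15) `
            -ReversibleEncryptionEnabled $false
    }
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $t.Name
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $group
    }
}

# Audit: report the PSO that actually wins for each direct user member of a tier group.
# Among group-linked PSOs the lowest precedence number wins, and a PSO linked directly
# to the user overrides all of them, so Mismatch flags accounts worth a second look.
$report = foreach ($t in $tiers) {
    Get-ADGroupMember -Identity $t.Group | Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            [pscustomobject]@{
                User = $_.SamAccountName; Group = $t.Group; Expected = $t.Name
                Effective = $effective.Name; Mismatch = ($effective.Name -ne $t.Name)
            }
        }
}
$report | Sort-Object User | Format-Table -AutoSize
```

An empty `Effective` column means no PSO applies to that account and the default domain policy is in force.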