Eric Gurney (Guest)
Posted: Tue Jan 04, 2005 12:39 am
Post subject: local administrator account password policy
I am getting ready to implement (finally) a strong password policy on my
small network. My question is how to handle the local Administrator
account's password policy. Should I put that on the same password expiration
schedule as domain accounts and change it as needed (which should be
rarely), or exclude that account from the expiration limits?
Thanks,
Eric |

Steven L Umbach (Guest)
Posted: Tue Jan 04, 2005 1:12 am
Post subject: Re: local administrator account password policy
Password maximum age is generally a function of the length and complexity of
the password, who uses the local administrator passwords, and whether they are
capable/trusted users. You certainly can configure those accounts to never
expire if that will work for you and your level of risk management. If
computers that hold critical data are physically secured, then you have much
less risk of local administrator passwords being compromised, as it is easy
to reset the admin password if you have physical access to a computer.
Forcing local administrators to use a password [or better yet a pass phrase]
of at least 10 characters with password complexity enabled would, everything
else being equal, allow those passwords to have a much longer maximum
password age. Disabling storage of LM hashes [assuming all W2K/XP Pro/W2003
computers] will make password cracking much more difficult after the policy
has been enabled and the password changed. Another possibility is to disable
the built-in admin account [XP Pro/W2003] or give it a really long, complex
password for W2K, and then issue those users that need local administrator
account access smart cards. Smart cards are not all that expensive and
fairly easy to configure. Don't underestimate social engineering in your
plans to secure your network. Most non-technical users are very trusting of
requests for passwords etc. if they do not know any better. Auditing of
account logon events and account management in Domain Controller Security
policy and logon events on domain computers should also be a part of your
security strategy. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656 -- note
that the procedure differs for W2K and XP/W2003. Configuring security policy
on a Windows 2003 domain controller to disable LM hash will NOT apply to W2K
computers - they must have the registry change.
"Eric Gurney" <egurney@iname.com> wrote in message
news:ewjqNOc8EHA.824@TK2MSFTNGP11.phx.gbl...

Eric Gurney (Guest)
Posted: Tue Jan 04, 2005 2:17 am
Post subject: Re: local administrator account password policy
We're looking at going with smart cards, but there are hardly ever any
logons by local users, so I guess disabling those accounts in XP and getting
extra smart cards for the local admins of the W2k servers sounds like the
best solution. No 2003 servers in the picture yet as we are still getting
ready to migrate off of SQL 7.
I will keep your auditing suggestions in mind as I continue designing our
new security policies.
Thanks,
Eric
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OZ682gc8EHA.2124@TK2MSFTNGP14.phx.gbl...

Steven L Umbach (Guest)
Posted: Tue Jan 04, 2005 7:02 am
Post subject: Re: local administrator account password policy
Sounds good. Keep in mind that a disabled built-in administrator account in
XP/2003 can still be accessed in safe mode. --- Steve
"Eric Gurney" <egurney@iname.com> wrote in message
news:OviyHFd8EHA.2016@TK2MSFTNGP15.phx.gbl...
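As an added example (not code from the thread or from either poster), a read-only PowerShell check of the controls Steve describes: the NoLMHash setting from KB 299656, the state and password age of the built-in Administrator (including the safe-mode caveat), the local minimum length and maximum age, and the audit categories he names. It assumes a current Windows host with Get-LocalUser and auditpol, run from an elevated prompt; the 365-day $MaxAgeDays value is an assumption, not a figure from the thread.

```powershell
# Added example: read-only check of the local-admin hardening points in the thread.
# Assumes a current Windows host (Get-LocalUser, auditpol), run elevated; the
# thread's W2K/XP/2003 hosts would need 'net user' and 'reg query' instead.
param(
    [int]$MaxAgeDays = 365   # assumed: a long max age earned by long, complex passwords
)
$findings = @()

# 1. LM hash storage (KB 299656): XP/2003 use a DWORD value NoLMHash=1 under the
#    Lsa key, W2K a subkey of the same name, so accept either shape.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$noLmValue = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($noLmValue -ne 1 -and -not (Test-Path "$lsa\NoLMHash")) {
    $findings += 'NoLMHash is not set: LM hashes are still stored; set it, then change passwords.'
}

# 2. The built-in Administrator is the account whose SID ends in RID 500, whatever its name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if (-not $admin) {
    $findings += 'Could not find the RID 500 account.'
} elseif ($admin.Enabled) {
    $findings += "Built-in account '$($admin.Name)' is enabled."
} else {
    # Disabled is good, but on XP/2003 the account still logs on in Safe Mode,
    # so its password must be strong regardless.
    $findings += "Built-in account '$($admin.Name)' is disabled; keep its password strong anyway."
}
if ($admin -and $admin.PasswordLastSet -and
    ((Get-Date) - $admin.PasswordLastSet).TotalDays -gt $MaxAgeDays) {
    $findings += "Built-in account password is older than $MaxAgeDays days."
}

# 3. Local policy as 'net accounts' prints it (English locale): minimum length, maximum age.
$net = net accounts
$minLen = [int](($net | Select-String 'Minimum password length').Line -replace '\D', '')
if ($minLen -lt 10) { $findings += "Minimum password length is $minLen; Steve suggests at least 10." }
$maxAge = ($net | Select-String 'Maximum password age').Line
if ($maxAge -match 'Unlimited') { $findings += 'Maximum password age is Unlimited (never expires).' }

# 4. Audit policy for the categories Steve names; report subcategories left at 'No Auditing'.
foreach ($cat in 'Account Logon', 'Logon/Logoff', 'Account Management') {
    $rows = auditpol /get /category:"$cat" | Select-String 'No Auditing'
    if ($rows) { $findings += "Audit category '$cat': $($rows.Count) subcategories not audited." }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No findings.' }
```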

Eric Gurney (Guest)
Posted: Tue Jan 04, 2005 8:04 pm
Post subject: Re: local administrator account password policy
I'll make sure they have strong passwords.
Thanks,
Eric
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ut13ckf8EHA.3336@TK2MSFTNGP11.phx.gbl...