mailing list archives
RE: Policy enforcement- Admin accounts
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Mon, 17 Dec 2007 18:48:23 +0100
Are you talking about the local SAM default admin account on all the server boxes? Look into the PASSPROP.exe tool
(part of the Server 2000 Resource Kit tools). When run with the /ADMINLOCKOUT switch, you'll make the default admin
account subject to lockout policies as well...
You could also look into just disabling the default admin accounts via GPO. Some recommend this approach, as it's more
secure. And if need be, you can still use the local admin account when booted in safe mode, as the GPO won't disable it
If you are referring to actual domain accounts with delegated admin permissions, then the Account & Password Policies
set at the domain level will apply to them as well. Unfortunately, since the 'Password Policy' & 'Account Policy'
sections of a GPO can only be applied at the domain level, you'll have to have a separate domain to have two different
policies... You could set up an empty root domain that houses all your administrator accounts, you can think of it as
your management domain, and then your existing domain that houses all your users will be a child domain. Then, you can
administer different Password policies...
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, December 15, 2007 5:33 PM
To: security-basics () securityfocus com
Subject: Policy enforcement- Admin accounts
In an active directory environment (windows 2003), I want to ensure lockout for administrator accounts also, in order
to protect against attempts to brute force account password. The flipside is, we might have a DoS situation but I can
live with it. Is there a tool I can deploy to ensure that admin account also locks out after certain no. of attemps?
Also, ONLY for admin accounts, I want to enforce certain settings like:
Password should contain atleast 15 characters, should not contain a dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a minimum of 8 chars but I want to deploy
this special policy of 15 chars minimum for admin accounts.
How should I go about this?
Re: Information Security simonis (Dec 14)
Information Security Geoff Choo (Dec 17)