Home page logo

basics logo Security Basics mailing list archives

RE: Policy enforcement- Admin accounts
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Mon, 17 Dec 2007 18:48:23 +0100


Are you talking about the local SAM default admin account on all the server boxes? Look into the PASSPROP.exe tool 
(part of the Server 2000 Resource Kit tools). When run with the /ADMINLOCKOUT switch, you'll make the default admin 
account subject to lockout policies as well...

You could also look into just disabling the default admin accounts via GPO. Some recommend this approach, as it's more 
secure. And if need be, you can still use the local admin account when booted in safe mode, as the GPO won't disable it 

If you are referring to actual domain accounts with delegated admin permissions, then the Account & Password Policies 
set at the domain level will apply to them as well. Unfortunately, since the 'Password Policy' & 'Account Policy' 
sections of a GPO can only be applied at the domain level, you'll have to have a separate domain to have two different 
policies... You could set up an empty root domain that houses all your administrator accounts, you can think of it as 
your management domain, and then your existing domain that houses all your users will be a child domain. Then, you can 
administer different Password policies...


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, December 15, 2007 5:33 PM
To: security-basics () securityfocus com
Subject: Policy enforcement- Admin accounts

In an active directory environment (windows 2003), I want to ensure lockout for administrator accounts also, in order 
to protect against attempts to brute force account password. The flipside is, we might have a DoS situation but I can 
live with it. Is there a tool I can deploy to ensure that admin account also locks out after certain no. of attemps?

Also, ONLY for admin accounts, I want to enforce certain settings like: 
Password should contain atleast 15 characters, should not contain a dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a minimum of 8 chars but I want to deploy 
this special policy of 15 chars minimum for admin accounts.

How should I go about this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]