Security Basics mailing list archives

RE: Policy enforcement- Admin accounts

From: "Scalcione.David" <SCALCIONED () YANB com>
Date: Mon, 17 Dec 2007 11:40:45 -0500

Create a group policy and apply it only to the security group and OU that contains all the admin users.

David Scalcione



-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of WALI
Sent: Saturday, December 15, 2007 11:33
To: security-basics () securityfocus com
Subject: Policy enforcement- Admin accounts


In an active directory environment (windows 2003), I want to ensure lockout 
for administrator accounts also, in order to protect against attempts to 
brute force account password. The flipside is, we might have a DoS situation 
but I can live with it. Is there a tool I can deploy to ensure that admin 
account also locks out after certain no. of attemps?

Also, ONLY for admin accounts, I want to enforce certain settings like: 
Password should contain atleast 15 characters, should not contain a 
dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a 
minimum of 8 chars but I want to deploy this special policy of 15 chars 
minimum for admin accounts.

How should I go about this? 
 
The information contained in this communication is confidential and privileged information intended only for the use of 
the individual or entity to which it is addressed. If you are not the addressee indicated in this message (or an agent 
responsible for delivery of the message to such person), you are hereby notified that you have received this 
communication in error and that any review, dissemination, copying, or any action or omission taken by you in reliance 
on it, is strictly prohibited. Please destroy this message and notify the sender immediately if you have received it in 
error.
Please also advise immediately if you or your employer do not consent to e-mail communications. Opinions, conclusions 
and other information in this message that do not relate to the official business of Yardville National Bank shall be 
understood as neither given nor endorsed by it.

Current thread:

Re: Policy enforcement- Admin accounts, (continued)
- - - Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
    - Re: Policy enforcement- Admin accounts Raoul Armfield (Dec 18)
    - Re: Policy enforcement- Admin accounts MaddHatter (Dec 18)
    - Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
    - Re: Policy enforcement- Admin accounts Charles Hardin (Dec 18)
    - Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
    - Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
    - Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
    - RE: Policy enforcement- Admin accounts Can Deger (Dec 18)
    - RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 18)
    - RE: Policy enforcement- Admin accounts Scalcione.David (Dec 17)
    - Re: Policy enforcement- Admin accounts mgk.mailing (Dec 17)
    - Discussing Microsoft Forefront security attempt WALI (Dec 24)
    - RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 17)
- Re: Information Security simonis (Dec 14)
- Information Security Geoff Choo (Dec 17)