Security Basics mailing list archives
RE: Policy enforcement- Admin accounts
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Mon, 17 Dec 2007 18:48:23 +0100
Hello, Are you talking about the local SAM default admin account on all the server boxes? Look into the PASSPROP.exe tool (part of the Server 2000 Resource Kit tools). When run with the /ADMINLOCKOUT switch, you'll make the default admin account subject to lockout policies as well... You could also look into just disabling the default admin accounts via GPO. Some recommend this approach, as it's more secure. And if need be, you can still use the local admin account when booted in safe mode, as the GPO won't disable it then... If you are referring to actual domain accounts with delegated admin permissions, then the Account & Password Policies set at the domain level will apply to them as well. Unfortunately, since the 'Password Policy' & 'Account Policy' sections of a GPO can only be applied at the domain level, you'll have to have a separate domain to have two different policies... You could set up an empty root domain that houses all your administrator accounts, you can think of it as your management domain, and then your existing domain that houses all your users will be a child domain. Then, you can administer different Password policies... -Jesse -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI Sent: Saturday, December 15, 2007 5:33 PM To: security-basics () securityfocus com Subject: Policy enforcement- Admin accounts In an active directory environment (windows 2003), I want to ensure lockout for administrator accounts also, in order to protect against attempts to brute force account password. The flipside is, we might have a DoS situation but I can live with it. Is there a tool I can deploy to ensure that admin account also locks out after certain no. of attemps? Also, ONLY for admin accounts, I want to enforce certain settings like: Password should contain atleast 15 characters, should not contain a dictionary word etc. My normal password policy for AD user accounts, set at the domain level is a minimum of 8 chars but I want to deploy this special policy of 15 chars minimum for admin accounts. How should I go about this?
Current thread:
- Re: Policy enforcement- Admin accounts, (continued)
- Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
- Re: Policy enforcement- Admin accounts Charles Hardin (Dec 18)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)
- RE: Policy enforcement- Admin accounts Can Deger (Dec 18)
- RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 18)
- RE: Policy enforcement- Admin accounts Scalcione.David (Dec 17)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 17)
- Discussing Microsoft Forefront security attempt WALI (Dec 24)
- RE: Policy enforcement- Admin accounts Jesse Eaton (Dec 17)