Educause Security Discussion mailing list archives

Re: Active Directory Password Strength


From: "Riedl, Steve Thomas" <sriedl () KU EDU>
Date: Thu, 17 Nov 2005 09:38:51 -0600

You can set logging so that you can see success or failure from any
client that tries to auth against the DCs. Also keep in mind that the AD
uses a centralized SAM database, so password requirements affect the
entire domain, not just certain organizational units. There are also some
VB tools out there that can assist in setting this whole thing up, as far
as getting a list of PWD last changed dates, and with some modifications
you can actually create a pwd change event without actually changing the
password. This is helpful if you want to tell users something like
"starting today you will have to change your password every 30 days." It
kind of brings everything up to a baseline. We used some of these tools
and made some mods on an AD with about 1000 users and everything went
well.
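An added example, not code from this thread and not the VB tools Steve mentions: the three things he describes (DC auditing of every authentication, a report of when each password was last set, and stamping pwdLastSet to "now" without changing the password) done with PowerShell and the RSAT ActiveDirectory module, which did not exist in 2005. The auth-event query also answers Kim's question below about one central place to see that an account authenticated from any client. The event IDs (4768/4771/4776), audit subcategories and the 0-then-minus-1 write to pwdLastSet are as documented for Windows Server 2008 and later; Windows 2003 DCs of the thread's era logged the equivalent three-digit events (672, 675, 680). The DC list, the 24-hour window and the 30-day maximum age are assumptions.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module, rights to read the DCs' Security logs, and rights to write pwdLastSet.
Import-Module ActiveDirectory

# Audit policy that makes every DC record each credential validation, from any
# client (LDAP bind, POP via Exchange, workstation logon). In production set it
# through the Default Domain Controllers Policy GPO; auditpol is shown for a lab:
#   auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
#   auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Central view of authentication activity: the DC Security logs show whether an
# account authenticated from ANY client, whatever the protocol.
# 4768 = Kerberos TGT issued (success), 4771 = Kerberos pre-auth failed,
# 4776 = NTLM credential validation (Status 0x0 = success, otherwise failure).
function Get-DcAuthEvents {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Hours = 24   # assumed window
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $status = Get-EventField $_ 'Status'
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                User    = Get-EventField $_ 'TargetUserName'
                Source  = if ($_.Id -eq 4776) { Get-EventField $_ 'Workstation' } else { Get-EventField $_ 'IpAddress' }
                Success = ($_.Id -eq 4768) -or ($_.Id -eq 4776 -and $status -eq '0x0')
            }
        }
    }
}

# Who last set their password when. pwdLastSet is a FILETIME in UTC;
# 0 means "must change password at next logon".
function Get-PasswordAgeReport {
    param([int]$MaxAgeDays = 30)   # assumed policy value
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires | ForEach-Object {
        $set = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } else { $null }
        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $set
            MustChangeAtLogon    = ($_.pwdLastSet -eq 0)
            PasswordNeverExpires = $_.PasswordNeverExpires
            OverMaxAge           = ($null -ne $set) -and ($set -lt $cutoff)
        }
    }
}

# The "baseline" trick: stamp pwdLastSet with the current time without changing
# the password, so a new maximum-age policy counts from today instead of expiring
# most of the domain at once. AD accepts only 0 (must change at next logon) or -1
# (current time) as writes to pwdLastSet, and -1 is accepted only after a 0.
function Reset-PasswordLastSetToNow {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'set pwdLastSet to now')) {
            Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 }
            Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = -1 }
        }
    }
}

# Usage (dry run first):
#   Get-DcAuthEvents -Hours 24 | Where-Object Success | Group-Object User | Sort-Object Count
#   Get-PasswordAgeReport | Where-Object OverMaxAge | Reset-PasswordLastSetToNow -WhatIf
```

Run the reset with -WhatIf once and check the list before the live run: an account whose pwdLastSet is 0 today (already flagged for change at next logon) would have that flag cleared by the second write, so filter those out if that state was deliberate.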

-----Original Message-----
From: Cary, Kim [mailto:Kim.Cary () PEPPERDINE EDU] 
Sent: Wednesday, November 16, 2005 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Directory Password Strength

Outstanding comment, Russell -- locking out unused accounts is very
helpful.
The problem we've had in the past (NT4 Domain) is that some 'domain
accounts' do not show up as having logged in (from the domain admins'
POV) because they never log in to the domain directly. They are quite
active with LDAP binds, Exchange POP logins, etc., which are back-ended
to the domain.
While the Domain 'bad attempt lockout' policy applies to these various
logins, admins could not find a central place to see 'account activity'.
Is there a central place under AD where you can find that a successful
authentication has taken place from ANY client against the domain
credentials?


On 11/15/05 9:00 PM, "SECURITY automatic digest system"
<LISTSERV () LISTSERV EDUCAUSE EDU> wrote:

Date:    Wed, 16 Nov 2005 10:58:14 +1300
From:    Russell Fulton <r.fulton () AUCKLAND AC NZ>
Subject: Re: Active Directory Password Strength

One thing I think is more important than frequent changes of password
is to automatically disable accounts that have not been used for some
extended period of time. There will need to be exceptions, but for the
most part disabling accounts that have not been used for 3 months is a
good idea. Don't delete anything at this stage, just disable the
access.
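An added example, not part of Russell's post: the policy he describes implemented with PowerShell and the RSAT ActiveDirectory module. It disables, and never deletes, enabled user accounts with no authentication in 90 days, honours an exception group for the cases he says will exist, and writes the reason into the description so the account can be reviewed later. The group name 'StaleAccountExempt' and the description tag are placeholders. lastLogonTimestamp is used rather than lastLogon because it is replicated to every DC and is updated by any successful authentication (LDAP bind, POP via Exchange, interactive logon), with the caveat noted in the comments.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and an (assumed) group 'StaleAccountExempt' holding accounts that must stay
# enabled even though they never log on (services, shared mailboxes, etc.).
Import-Module ActiveDirectory

function Get-StaleUsers {
    param([int]$InactiveDays = 90, [string]$ExemptGroup = 'StaleAccountExempt')
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Fail hard if the exemption group is missing: running without it would
    # disable every service account that never logs on interactively.
    $exempt = @{}
    Get-ADGroupMember -Identity $ExemptGroup -Recursive -ErrorAction Stop |
        ForEach-Object { $exempt[$_.distinguishedName] = $true }

    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated, description |
        ForEach-Object {
            if ($exempt.ContainsKey($_.DistinguishedName)) { return }
            # lastLogonTimestamp is replicated domain-wide (lastLogon is not), but the
            # DC only rewrites it when the stored value is more than ~14 days old, so
            # it is a lower bound on activity; that is fine for a 90-day threshold.
            # An account that has never logged on is aged from its creation date.
            $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
            if ($lastLogon -lt $cutoff) {
                [PSCustomObject]@{
                    SamAccountName    = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                    LastLogon         = $lastLogon
                    Description       = $_.description
                }
            }
        }
}

function Disable-StaleUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90, [string]$Tag = 'AutoDisabled-Inactive')   # tag is a placeholder
    Get-StaleUsers -InactiveDays $InactiveDays | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, "disable (last logon $($_.LastLogon))")) {
            # Record why and when in the description so the account can be reviewed
            # and re-enabled; the original description is kept. Nothing is deleted.
            $note = '{0} {1:yyyy-MM-dd} lastLogon={2:yyyy-MM-dd}' -f $Tag, (Get-Date), $_.LastLogon
            if ($_.Description) { $note = "$note | $($_.Description)" }
            Set-ADUser -Identity $_.DistinguishedName -Description $note
            Disable-ADAccount -Identity $_.DistinguishedName
        }
        $_
    }
}

# Dry run first, then live with a record of what was touched:
#   Disable-StaleUsers -WhatIf
#   Disable-StaleUsers | Export-Csv .\disabled-stale.csv -NoTypeInformation
```

Keep the CSV from the live run: it is the list you will need when someone from the 10 percent of exceptions nobody remembered turns up, and re-enabling from it is one Enable-ADAccount per line.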
