Security Basics mailing list archives

RE: Changing the domain password policy


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 17 Oct 2006 11:21:52 +1000



Sounds like the perfect scream test. Change it and see who screams when
something breaks. 
Your idea of giving notice should be the best I think. Give them plenty of
time and several reminders. Then if they've stopped playing WoW for long
enough they may actually change the password with the new requirements and
then change it. Anyone who hasn't changed the password will scream.
(Especially if they can't play WoW any more)
I wonder whether it would be worth running some pwcracker against their new
passwords after they say that they've changed it and finding just how
complex they are.
I had to do something similar when we moved to W2003/AD and it was basically
a passphrase training session utilising a not too serious help page with
ideas I'd got from a book which I have actually forgotten the name of - just
like my password!


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Gary Collis
Sent: Tuesday, October 17, 2006 5:04 AM
To: security-basics () securityfocus com
Subject: Changing the domain password policy

Hi List,

I am going to enforce some domain password standards on a w2k domain. I
am going to set the password policy to a more complex level than it
already is.

The questions I have are:

There are a number of service and application accounts to which
developers have set a number of weak passwords. So my plan is to
contact the developers and request them to change passwords to these
accounts, so applications and such do not break during transition. What
is the best way to do this?

In general is there anything else that anyone can recommend? What else
should I consider? I am sure someone here must have done this before. What
are your experiences of this?

When is the password policy enforced?

Does this affect the domain admin account?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



