Security Basics mailing list archives

Re: User Naming conventions - Active directory Windows 2003


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Mon, 11 Feb 2008 13:01:47 -0800

On Feb 9, 2008 10:19 AM, WALI <hkhasgiwale () gmail com> wrote:

 Current scenario:

 AD user login name 'firstname.lastname'
 user email account: 'firstname.lastname () mail com'
 email display name: lastname, firstname

 In case of duplicates found within domain:

 New AD user login name 'firstname.lastname123'. Old account remains the
 same.
 (numerical values are added in front of the new user account)
 user email account: 'firstname.lastname123 () mail com'
 email display name (GAL): lastname, firstname, middle initial (for both old
 and new user - mutually agreed)

 Disadvantages of current convention:
 - Login accounts same as email IDs leads to a situation where looking at
 internally published email listing, it's easy to guess user's AD login
 account.
 - A malicious user can lead someone else's account to lock out condition by
 trying wrong password 5 times, as that's the 'Account lockout policy'
 setting.
 - Duplicates are not making sense.

 Any advice!!??

Sure. Don't panic, it's no big deal. See, for example, psgetsid.exe
from www.microsoft.com/sysinternals. Once you have the domain prefix
of your own (non-administrator) SID, it's trivial to use a tool like
this to get AD IDs by simply incrementing the SID. For the
Administrator account, it's even easier, as that account always ends
in 500.

What you need instead is a proper auditing/notification setup. If
someone with an IP address or machine name from your Switzerland
office is locking out or trying out passwords against an account in
your British office, you should be notified. If an account is
frequently and consistently getting locked, or if there are an
abnormal number of account lockouts in general, your system should
notify you. That's the better way of doing things.

It's much better and simpler to ensure proper length and complexity of
passwords, and keep the IDs simple and easy to remember. At my
$medium-sized-employer we went from a very obscure naming scheme
(FI+MI+LI+4digits) to one that was much easier to use (FI+LName), and
it's much easier to use and administer now.

Just remember, passphrases (I actually use whole sentences) are easier
to remember and easier (if a bit more time-consuming) to type. Crank
up the length to something more than 15, and you should be good to go.

Kurt
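The auditing/notification setup Kurt describes, as an added example that is not from this thread: a small Python pass over constructed Event ID 4740 (account locked out) records that alerts when the caller computer's office differs from the account owner's office, when one account keeps getting locked, and when the overall lockout count is abnormal. The site mappings, hostnames, usernames and thresholds are assumptions.

```python
"""Added example: flag suspicious account lockouts from Windows Security events.

Constructed sample data; site mappings and event fields are hypothetical.
"""
from collections import Counter

# Hypothetical inventory: which office each workstation and each user belongs to.
SITE_OF_HOST = {"ZRH-WS01": "Switzerland", "LON-WS07": "Britain"}
SITE_OF_USER = {"john.smith": "Britain", "anna.muller": "Switzerland", "bob.jones": "Britain"}

# Constructed Event ID 4740 (account locked out) records, reduced to the
# fields that matter: the locked account and the caller computer that
# submitted the bad passwords. Not real log data.
EVENTS = [
    {"id": 4740, "user": "john.smith", "caller": "ZRH-WS01"},
    {"id": 4740, "user": "john.smith", "caller": "ZRH-WS01"},
    {"id": 4740, "user": "john.smith", "caller": "ZRH-WS01"},
    {"id": 4740, "user": "bob.jones", "caller": "LON-WS07"},
    {"id": 4740, "user": "anna.muller", "caller": "ZRH-WS01"},
    {"id": 4625, "user": "bob.jones", "caller": "LON-WS07"},  # failed logon, ignored here
]


def analyse_lockouts(events, repeat_threshold=3, total_threshold=10):
    """Return a list of alerts:
    ('cross-site', user, caller)  lockout triggered from another office
    ('repeat', user, count)       one account locked at least repeat_threshold times
    ('volume', total)             overall lockouts at or above total_threshold
    """
    per_user = Counter()
    cross_site = set()
    for ev in events:
        if ev["id"] != 4740:          # only account-lockout events count
            continue
        per_user[ev["user"]] += 1
        caller_site = SITE_OF_HOST.get(ev["caller"], "unknown")
        user_site = SITE_OF_USER.get(ev["user"], "unknown")
        if caller_site != user_site:  # e.g. Swiss workstation locking a British account
            cross_site.add(("cross-site", ev["user"], ev["caller"]))
    alerts = sorted(cross_site)
    alerts += [("repeat", u, n) for u, n in sorted(per_user.items()) if n >= repeat_threshold]
    total = sum(per_user.values())
    if total >= total_threshold:
        alerts.append(("volume", total))
    return alerts


if __name__ == "__main__":
    for alert in analyse_lockouts(EVENTS):
        print(alert)
```

In a real deployment the EVENTS list would be replaced by 4740 events pulled from the domain controllers' Security logs, and the alerts routed to whatever notification channel the team uses.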
