Security Basics mailing list archives
Re: User Naming conventions - Active directory Windows 2003
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Mon, 11 Feb 2008 13:01:47 -0800
On Feb 9, 2008 10:19 AM, WALI <hkhasgiwale () gmail com> wrote:
Current scenario:

AD user login name: 'firstname.lastname'
User email account: 'firstname.lastname () mail com'
Email display name: lastname, firstname

In case of duplicates found within domain:

New AD user login name: 'firstname.lastname123'. Old account remains the same. (Numerical values are added in front of the new user account.)
User email account: 'firstname.lastname123 () mail com'
Email display name (GAL): lastname, firstname, middle initial (for both old and new user - mutually agreed)

Disadvantages of current convention:
- Login accounts same as email IDs leads to a situation where, looking at an internally published email listing, it's easy to guess a user's AD login account.
- A malicious user can lead someone else's account to lock out condition by trying wrong password 5 times, as that's the 'Account lockout policy' setting.
- Duplicates are not making sense.

Any advice!!??
Sure. Don't panic, it's no big deal.

See, for example, psgetsid.exe from www.microsoft.com/sysinternals. Once you have the domain prefix of your own (non-administrator) SID, it's trivial to use a tool like this to get AD IDs by simply incrementing the SID. For the Administrator account, it's even easier, as that account always ends in 500.

What you need instead is a proper auditing/notification setup. If someone with an IP address or machine name from your Switzerland office is locking out or trying out passwords against an account in your British office, you should be notified. If an account is frequently and consistently getting locked, or if there are an abnormal number of account lockouts in general, your system should notify you. That's the better way of doing things.

It's much better and simpler to ensure proper length and complexity of passwords, and keep the IDs simple and easy to remember. At my $medium-sized-employer we went from a very obscure naming scheme (FI+MI+LI+4digits) to one that was much easier to use (FI+LName), and it's much easier to use and administer now.

Just remember, passphrases (I actually use whole sentences) are easier to remember and easier (if a bit more time-consuming) to type. Crank up the length to something more than 15, and you should be good to go.

Kurt
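The auditing/notification setup Kurt describes (cross-office lockouts, one account locked repeatedly, abnormal lockout volume overall) sketched as an added example. This is not code from the thread or from any of the posters; it runs over a constructed sample of lockout records (the fields a Windows 2003 event 644 / later event 4740 carries: time, locked account, caller computer, caller IP), and the office subnets, home-office mapping and thresholds are placeholder assumptions that a real deployment would take from AD and from its own baseline.

```python
"""Account-lockout triage over constructed sample lockout events.

Added example: records are parsed from constructed tab-separated lines
rather than queried from the Security event log; site subnets, home
offices and thresholds below are placeholders, not real values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: time, locked account, caller computer, caller IP.
SAMPLE_EVENTS = """\
2008-02-11T08:01:10\tjsmith\tCH-WS042\t10.20.5.42
2008-02-11T08:03:55\tjsmith\tCH-WS042\t10.20.5.42
2008-02-11T08:06:30\tjsmith\tCH-WS042\t10.20.5.42
2008-02-11T09:15:02\tpjones\tUK-WS017\t10.10.3.17
2008-02-11T09:20:00\tmwhite\tUK-WS021\t10.10.3.21
2008-02-11T09:25:00\tkbrown\tUK-WS022\t10.10.3.22
2008-02-11T11:40:21\tadmin.bak\tUK-WS099\t10.10.9.99
"""

# Assumed site layout (placeholder subnets): office -> network.
SITE_SUBNETS = {"CH": ip_network("10.20.0.0/16"), "UK": ip_network("10.10.0.0/16")}
# Assumed home office per account (in practice an AD attribute).
HOME_OFFICE = {"jsmith": "UK", "pjones": "UK", "mwhite": "UK",
               "kbrown": "UK", "admin.bak": "UK"}

WINDOW = timedelta(hours=1)
REPEAT_THRESHOLD = 3   # lockouts of one account within WINDOW
VOLUME_THRESHOLD = 2   # placeholder: total lockouts per WINDOW above baseline


def parse_events(text):
    """Parse constructed tab-separated lockout lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, caller, ip = line.split("\t")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "caller": caller, "ip": ip_address(ip)})
    return sorted(events, key=lambda e: e["time"])


def office_of(ip):
    """Map a caller IP to an office via the assumed subnet table."""
    for office, net in SITE_SUBNETS.items():
        if ip in net:
            return office
    return None


def cross_site_lockouts(events):
    """Lockouts whose caller sits in a different office than the account's home."""
    return [e for e in events if office_of(e["ip"]) != HOME_OFFICE.get(e["account"])]


def repeated_lockouts(events, threshold=REPEAT_THRESHOLD, window=WINDOW):
    """Accounts locked out at least `threshold` times inside one sliding window."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e["time"])
    flagged = []
    for account, times in by_account.items():
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged.append(account)
                break
    return flagged


def abnormal_volume(events, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """(window start, count) for every window whose total lockouts exceed threshold."""
    times = [e["time"] for e in events]
    hits = []
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count > threshold:
            hits.append((start, count))
    return hits


def triage(text):
    """Run all three checks and return what an alerting job would notify on."""
    events = parse_events(text)
    return {
        "cross_site": sorted({e["account"] for e in cross_site_lockouts(events)}),
        "repeated": repeated_lockouts(events),
        "volume_windows": abnormal_volume(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

On the sample, jsmith trips both the cross-site rule (caller in the CH subnet, home office UK) and the repeat rule (three lockouts in five minutes), while the 09:15 to 09:25 cluster trips only the volume rule: three different accounts, each locked once, which the per-account check would never see. The volume threshold is the one that has to come from your own baseline; a fixed number is only a placeholder here.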
Current thread:
- User Naming conventions - Active directory Windows 2003 WALI (Feb 11)
- RE: User Naming conventions - Active directory Windows 2003 Lubrano di Ciccone, Christophe (DEF) (Feb 11)
- Re: User Naming conventions - Active directory Windows 2003 Kurt Buff (Feb 11)