Educause Security Discussion mailing list archives
Re: Active Directory Password Strength
From: "Riedl, Steve Thomas" <sriedl () KU EDU>
Date: Thu, 17 Nov 2005 09:38:51 -0600
You can set logging so that you can see success or failure from any client that tries to auth against the DCs. Also keep in mind that the AD uses a centralized SAM database so password requirements affect the entire domain not just certain organizational units.

There are also some VB tools out there that can assist in setting this whole thing up as far as getting a list of PWD last changed dates and with some modifications you can actually create a pwd change event without actually changing the password. This is helpful if you want to tell users something like "starting today you will have to change your password every 30 days." It kind of brings everything up to a baseline. We used some of these tools and made some mods on an AD with about 1000 users and everything went well.

-----Original Message-----
From: Cary, Kim [mailto:Kim.Cary () PEPPERDINE EDU]
Sent: Wednesday, November 16, 2005 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Directory Password Strength

Outstanding comment Russell -- locking out unused accounts is very helpful.

The problem we've had in the past (NT4 Domain) is that some 'domain accounts' do not show up as having logged in (from the domain admins POV) because they never log in to the domain directly. They are quite active with LDAP binds, Exchange POP logins, etc. which are back-ended to the domain. While the Domain 'bad attempt lockout' policy applies to these various logins, admins could not find a central place to see 'account activity'.

Is there a central place under AD where you can find that a successful authentication has taken place from ANY client against the domain credentials?

On 11/15/05 9:00 PM, "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU> wrote:

Date: Wed, 16 Nov 2005 10:58:14 +1300
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Subject: Re: Active Directory Password Strength

One thing I think is more important than frequent changes of password is to automatically disable accounts that have not been used for some extended period of time. There will need to be exceptions but for the most part disabling accounts that have not been used for 3 months is a good idea. Don't delete anything at this stage just disable the access.
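The three things the thread asks for (a central view of successful or failed authentications from any client, a list of password-last-changed dates, and disabling accounts unused for about three months without deleting them) can all be done from one script today. The following is an added example written for this archive page, not code from any of the posters and not the VB tools Steve mentions; it assumes the ActiveDirectory PowerShell module (RSAT, which postdates this 2005 thread), a domain controller name, an OU path and an exception list that are all placeholders, and an account with rights to read the DCs' Security log and to modify user objects.

```powershell
# Added example (not from the thread). Placeholders: $DC, $SearchBase, $Exceptions.
Import-Module ActiveDirectory

$DC           = 'dc01.example.edu'              # placeholder: a domain controller
$SearchBase   = 'OU=People,DC=example,DC=edu'   # placeholder: OU to review
$InactiveDays = 90                               # "3 months" from Russell's post
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
# Constructed exception list: service/shared accounts that legitimately never log on.
$Exceptions   = @('svc-backup', 'svc-exchange')

# 1. Central view of authentication: DCs validate every domain credential, whether the
#    client is an interactive logon, an LDAP bind, or a POP login proxied by Exchange.
#    Enabling "Account Logon" auditing on the DCs makes those validations land in the
#    DC Security log (run on each DC, or push the same setting via Group Policy).
#    This must be run locally on the DC; it is shown here for completeness.
#    auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
#    auditpol /set /subcategory:"Credential Validation"          /success:enable /failure:enable

# Pull the last day of account-logon events from one DC:
#   4768 = Kerberos TGT requested (success), 4771 = Kerberos pre-auth failed,
#   4776 = NTLM credential validation (success or failure, see the Status field).
$Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4771, 4776
    StartTime = (Get-Date).AddDays(-1)
}
$Events | Group-Object Id | Select-Object Name, Count   # quick volume check per event type

# 2. Password-age and logon report. PasswordLastSet is the module's DateTime view of the
#    pwdLastSet FILETIME. LastLogonDate comes from lastLogonTimestamp, which is replicated
#    to every DC but only refreshed when older than msDS-LogonTimeSyncInterval (14 days by
#    default), so it is coarse; that is fine for a 90-day staleness test but not for "who
#    logged on yesterday" (use the Security log from step 1 for that).
$Users = Get-ADUser -Server $DC -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties PasswordLastSet, LastLogonDate, whenCreated

$Users |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ n = 'DaysSinceLogon'; e = { if ($_.LastLogonDate) { ((Get-Date) - $_.LastLogonDate).Days } } } |
    Sort-Object DaysSinceLogon -Descending |
    Export-Csv -NoTypeInformation .\ad-activity-report.csv

# 3. Disable, do not delete, accounts with no recorded logon since the cutoff.
#    Skip accounts created after the cutoff (they never had a chance to log on)
#    and anything on the exception list.
$Stale = $Users | Where-Object {
    $_.whenCreated -lt $Cutoff -and
    (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) -and
    $Exceptions -notcontains $_.SamAccountName
}
# -WhatIf only prints what would happen; drop it after the list has been reviewed.
$Stale | ForEach-Object {
    Set-ADUser $_ -Server $DC -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon in $InactiveDays days" -WhatIf
    Disable-ADAccount $_ -Server $DC -WhatIf
}

# 4. Baseline the password-age clock without changing anyone's password (Steve's
#    "pwd change event"). Writing 0 and then -1 to pwdLastSet is documented ADSI
#    behaviour: 0 forces a change at next logon, -1 stamps the attribute with "now".
#    After this, a new 30-day maximum-age policy counts from today for everyone.
foreach ($u in $Users) {
    Set-ADUser $u -Server $DC -Replace @{ pwdLastSet = 0 }  -WhatIf
    Set-ADUser $u -Server $DC -Replace @{ pwdLastSet = -1 } -WhatIf
}
```

Run it first with the -WhatIf switches in place and read the CSV and the proposed disables before removing them. Step 4 is intentionally last: if it were run before step 3, every stale account would acquire a fresh pwdLastSet and look "touched" in the report.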
Current thread:
- Active Directory Password Strength Cary, Kim (Nov 14)
- <Possible follow-ups>
- Re: Active Directory Password Strength Tim Howard (Nov 14)
- Re: Active Directory Password Strength Stewart, Ian (Nov 14)
- Re: Active Directory Password Strength Lucas, Bryan (Nov 14)
- Re: Active Directory Password Strength Bradley Ellis (Nov 14)
- Re: Active Directory Password Strength Graham Toal (Nov 15)
- Re: Active Directory Password Strength Russell Fulton (Nov 15)
- Re: Active Directory Password Strength Cary, Kim (Nov 16)
- Re: Active Directory Password Strength Graham Toal (Nov 16)
- Re: Active Directory Password Strength Eric Brewer (Nov 16)
- Re: Active Directory Password Strength Riedl, Steve Thomas (Nov 17)
- Re: Active Directory Password Strength Russell Fulton (Nov 25)