Network Security Security-Basics

RE: Policy enforcement- Admin accounts

Subject: RE: Policy enforcement- Admin accounts
Date: Mon, 17 Dec 2007 18:48:23 +0100
Hello,

Are you talking about the local SAM default admin account on all the server 
boxes? Look into the PASSPROP.exe tool (part of the Server 2000 Resource Kit 
tools). When run with the /ADMINLOCKOUT switch, you'll make the default admin 
account subject to lockout policies as well...

You could also look into just disabling the default admin accounts via GPO. 
Some recommend this approach, as it's more secure. And if need be, you can 
still use the local admin account when booted in safe mode, as the GPO won't 
disable it then...

If you are referring to actual domain accounts with delegated admin 
permissions, then the Account & Password Policies set at the domain level will 
apply to them as well. Unfortunately, since the 'Password Policy' & 'Account 
Policy' sections of a GPO can only be applied at the domain level, you'll have 
to have a separate domain to have two different policies... You could set up an 
empty root domain that houses all your administrator accounts, you can think of 
it as your management domain, and then your existing domain that houses all 
your users will be a child domain. Then, you can administer different Password 
policies...

-Jesse


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of WALI
Sent: Saturday, December 15, 2007 5:33 PM
To: security-basics@securityfocus.com
Subject: Policy enforcement- Admin accounts

In an Active Directory environment (Windows 2003), I want to ensure lockout for 
administrator accounts also, in order to protect against attempts to brute 
force account password. The flipside is, we might have a DoS situation but I 
can live with it. Is there a tool I can deploy to ensure that admin account 
also locks out after certain no. of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like: 
Password should contain at least 15 characters, should not contain a dictionary 
word etc.
My normal password policy for AD user accounts, set at the domain level is a 
minimum of 8 chars but I want to deploy this special policy of 15 chars minimum 
for admin accounts.

How should I go about this?
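An added example, not from either poster: a PowerShell script that parses the effective account policy as printed by `net accounts /domain` (available on Windows 2003 as well) and reports whether it meets the two requirements raised above, a lockout threshold that is actually set and a 15-character minimum. The sample output embedded below is constructed so the functions can be tried offline; with the two-domain layout Jesse describes, run it once in the management domain and once in the child domain to confirm the policies differ as intended.

```powershell
# Parse "net accounts" output ("Setting name:   value" per line) into a hashtable.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+):\s+(?<value>.+?)\s*$') {
            $policy[$Matches.name.Trim()] = $Matches.value
        }
    }
    return $policy
}

# Compare the parsed policy with what admin accounts should get; returns findings.
function Test-AdminAccountPolicy {
    param([hashtable]$Policy, [int]$MinLength = 15)
    $findings = @()
    $length = [int]$Policy['Minimum password length']
    if ($length -lt $MinLength) {
        $findings += "Minimum password length is $length, expected at least $MinLength"
    }
    # "Never" means lockout is disabled; otherwise it is the number of bad attempts.
    if ($Policy['Lockout threshold'] -eq 'Never') {
        $findings += 'Lockout threshold is Never: accounts will not lock out'
    }
    return $findings
}

# Constructed sample of what "net accounts /domain" prints (an 8-char, no-lockout
# domain like the one in the question); replace with live output as shown below.
$sample = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          1',
    'Maximum password age (days):                          42',
    'Minimum password length:                              8',
    'Length of password history maintained:                24',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30'
)
$findings = Test-AdminAccountPolicy -Policy (ConvertFrom-NetAccounts $sample)
$findings | ForEach-Object { Write-Output "FINDING: $_" }

# Live check against the domain this machine belongs to:
# Test-AdminAccountPolicy -Policy (ConvertFrom-NetAccounts (net accounts /domain))
```

The dictionary-word rule cannot be read back from `net accounts`; it has to be enforced at password-set time (Windows' built-in complexity rules do not cover it), so this script only audits length and lockout.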
