
RE: Policy enforcement- Admin accounts

Subject: RE: Policy enforcement- Admin accounts
Date: Tue, 18 Dec 2007 09:15:25 +0200
Wow, thanks, I didn't know that. I remember that we could use passprop, but
didn't try to use it on the 2k3 domain...

Thanks for the update :)


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Paul J. Brickett
Sent: Monday, 17 December 2007 21:55
To: Can DEGER
Cc: security-basics@securityfocus.com;
security-basics-return-46896@securityfocus.com
Subject: Re: Policy enforcement- Admin accounts

Charles is correct in regards to the inability to set password policies on 
an OU basis.

He is not correct in regards to the default domain Administrator account 
not being able to be locked. Please consult the following MS article, 
which describes how to configure the domain\administrator account to 
lock out using ADSIedit:
http://support.microsoft.com/kb/885119


On Mon, 17 Dec 2007, Can DEGER wrote:

Charles Hardin is absolutely right on this subject: you can't set
password policies with OUs... :(
That's why security professionals advise administrators to
disable the "admin" account (or even rename it)
and then use another account with the "admin" privileges. After you
have that kind of account you can set the account lockout
policy for it.
Unfortunately, password policies are set domain-wide.

As Charles Hardin mentioned below, when moving your accounts to another
domain you should establish a trust between your domain and the admin domain,
so that management would not be a problem...




On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm@gmail.com> wrote:
Sadly with AD you can only have one account security policy per
domain. You would need to make a second domain in your forest and move
your admin accounts there. Also remember the actual Administrator
account CANNOT be locked out.




On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale@gmail.com> wrote:
In an Active Directory environment (Windows 2003), I want to ensure lockout
for administrator accounts also, in order to protect against attempts to
brute force the account password. The flipside is that we might have a DoS
situation, but I can live with it. Is there a tool I can deploy to ensure that
the admin account also locks out after a certain number of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like:
the password should contain at least 15 characters, should not contain a
dictionary word, etc.
My normal password policy for AD user accounts, set at the domain level,
is a minimum of 8 chars, but I want to deploy this special policy of 15 chars
minimum for admin accounts.

How should I go about this?
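
An added example, not part of the original thread: the one-policy-per-domain limitation discussed above is a property of Windows 2000/2003 domains. From the Windows Server 2008 domain functional level onward, fine-grained password policies (Password Settings Objects, PSOs) let you attach a stricter password and lockout policy to a group of admin accounts without building a second domain and a trust. The PowerShell below uses the ActiveDirectory module; the group name 'Tier0-Admins' and the user 'adm.wali' are hypothetical placeholders, and the thresholds are illustrative values chosen to match the 15-character minimum and the lockout the original poster asked for.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT or a domain controller) and a domain functional level of
# Windows Server 2008 or higher, which is what allows more than one password
# policy per domain. 'Tier0-Admins' and 'adm.wali' are hypothetical names.
Import-Module ActiveDirectory

$AdminGroup = 'Tier0-Admins'       # assumed group holding the admin accounts
$PsoName    = 'PSO-AdminAccounts'

# 1. Show the domain-wide policy that every account gets by default
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow

# 2. Create a stricter Password Settings Object for admin accounts
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    $pso = @{
        Name                        = $PsoName
        Precedence                  = 10     # lowest number wins if several PSOs apply
        MinPasswordLength           = 15
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 90)
        LockoutThreshold            = 5      # accepts the DoS trade-off the poster mentions
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# 3. Apply it to the group; members pick up the PSO through group membership
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $AdminGroup

# 4. Confirm which policy actually wins for one admin account.
#    Empty output means the default domain policy still applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'adm.wali' |
    Select-Object Name, MinPasswordLength, LockoutThreshold
```

Two caveats a practitioner would want: a PSO enforces length, complexity, age, history and lockout, but it has no dictionary-word check, so that part of the original request still needs a password filter DLL installed on every domain controller (or an equivalent service). And the resultant-policy check in step 4 is worth running after any change, because PSO precedence, not group nesting order, decides which policy applies when an account is in several groups that carry PSOs.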





