Password Policy revisited

  • Thread starter Thread starter Tim M
  • Start date Start date
T

Tim M

I am running a Windows 2000 Domain. Within AD, I have
multiple OU's that represent different sites. The problem
is, I ONLY want to have a password policy for 1 OU that
represents my company's headquarters. I have done
numerous reading and I have been running Win2000 for about
3 years. I know password policy is set only from the GPO
Default Domain policy(at the domain level). My question
is, what if I created a GPO at the domain level next to
Default Domain policy. Now I would have two GPO's at the
domain level. I would configure a password policy on my
new GPO. Then I would set permissions on all the other
OU's to be unable to read this new GPO except for my
companies headquarters OU/user group. Would this work?
 
No.
The reason behind having one password policy per domain is that if you
enabled complex passwords on an OU and not the entire domain, it would do no
good.
An attacker would concentrate on cracking the "weak" passwords not the
strong. If there is reason to enforce strong passwords on the domain, you
need to do it for the entire domain.
Kind of like putting three key locks on all doors except the back door, then
putting only one key lock on the back door because that is the door you use
the most.

They get in through your weakest link.

I'm sure you have read that if password policy needs to vary from one
place/office to the next you should set them up in a separate domain. That
is so when you secure that domain with your password policy you secure what
needs to be secure (entirely) and you can relax the security of your other
domains.


hth
DDS W 2k MVP MCSE
 
Hi Tim

As Danny mentions, password policy is something you really don't want to
compromise on. I find an excellent document that discusses the use of "pass
phrases" as well as many other aspects of password policy can be found at:

http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/select_sec_passwords.mspx

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi again

Actually, something that's quite useful is

http://www.microsoft.com/security/guidance/default.mspx

Security Guidance Center. Answers most security related questions.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Mark Renoden said:
Hi Tim

As Danny mentions, password policy is something you really don't want to
compromise on. I find an excellent document that discusses the use of
"pass phrases" as well as many other aspects of password policy can be
found at:


http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/select_sec_passwords.mspx

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

Danny Sanders said:
No.
The reason behind having one password policy per domain is that if you
enabled complex passwords on an OU and not the entire domain, it would do
no
good.
An attacker would concentrate on cracking the "weak" passwords not the
strong. If there is reason to enforce strong passwords on the domain, you
need to do it for the entire domain.
Kind of like putting three key locks on all doors except the back door,
then
putting only one key lock on the back door because that is the door you
use
the most.

They get in through your weakest link.

I'm sure you have read that if password policy needs to vary from one
place/office to the next you should set them up in a separate domain.
That
is so when you secure that domain with your password policy you secure
what
needs to be secure (entirely) and you can relax the security of your
other
domains.


hth
DDS W 2k MVP MCSE
 
Back
Top