Password Policy revisited


Tim M

I am running a Windows 2000 Domain. Within AD, I have
multiple OUs that represent different sites. The problem
is, I ONLY want to have a password policy for 1 OU that
represents my company's headquarters. I have done a great
deal of reading and I have been running Win2000 for about
3 years. I know password policy is set only from the GPO
Default Domain Policy (at the domain level). My question
is, what if I created a GPO at the domain level next to
Default Domain Policy. Now I would have two GPOs at the
domain level. I would configure a password policy on my
new GPO. Then I would set permissions on all the other
OUs to be unable to read this new GPO except for my
company's headquarters OU/user group. Would this work?
 

Danny Sanders

No.
The reason behind having one password policy per domain is that if you
enabled complex passwords on an OU and not the entire domain, it would do no
good.
An attacker would concentrate on cracking the "weak" passwords not the
strong. If there is reason to enforce strong passwords on the domain, you
need to do it for the entire domain.
Kind of like putting three key locks on all doors except the back door, then
putting only one key lock on the back door because that is the door you use
the most.

They get in through your weakest link.

I'm sure you have read that if password policy needs to vary from one
place/office to the next you should set them up in a separate domain. That
is so when you secure that domain with your password policy you secure what
needs to be secure (entirely) and you can relax the security of your other
domains.


hth
DDS W 2k MVP MCSE
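As an added example (not from this thread), here is a PowerShell audit that checks the situation Tim describes from the defender's side on a current AD domain: it lists every GPO linked at the domain root, flags those that define password or lockout settings, and compares them with the policy the domain actually enforces. It assumes the GroupPolicy and ActiveDirectory modules (Server 2008 R2 RSAT or later; they do not exist on Windows 2000) and the Account-node layout of Get-GPOReport's XML output.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and
# ActiveDirectory modules (assumption: RSAT on Server 2008 R2 or later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Password policy is only honoured from GPOs linked at the domain root,
# so that is the only scope worth inspecting; a copy linked to an OU is
# silently ignored for domain accounts.
$links = (Get-GPInheritance -Target $domainDN).GpoLinks | Sort-Object Order

$findings = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # Assumption: security settings appear as <Account> nodes carrying
    # Name plus SettingNumber/SettingBoolean (Type = Password or Lockout).
    # local-name() keeps the XPath independent of the report's namespaces.
    $accounts = $report.SelectNodes("//*[local-name()='Account']")
    $settings = foreach ($a in $accounts) {
        $name  = $a.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $a.SelectSingleNode(
            "*[local-name()='SettingNumber' or local-name()='SettingBoolean']").InnerText
        "$name=$value"
    }
    [pscustomobject]@{
        Order            = $link.Order      # 1 = highest precedence
        Enabled          = $link.Enabled
        Enforced         = $link.Enforced
        DisplayName      = $link.DisplayName
        PasswordSettings = ($settings -join '; ')
    }
}

$findings | Format-Table -AutoSize

# Two domain-linked GPOs with password settings do not give two policies:
# the one with the lowest Order applies to every account in the domain and
# the other is dead configuration, which is exactly why the OU idea fails.
$conflicts = @($findings | Where-Object { $_.PasswordSettings -ne '' })
if ($conflicts.Count -gt 1) {
    Write-Warning ("Multiple domain-linked GPOs define password policy; " +
        "'$($conflicts[0].DisplayName)' (Order $($conflicts[0].Order)) wins.")
}

# Cross-check against the policy the domain really enforces.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold
```

Run it from an account that can read GPOs; a mismatch between the winning GPO's settings and Get-ADDefaultDomainPasswordPolicy usually means replication lag or a disabled link.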
 

Mark Renoden [MSFT]

Hi Tim

As Danny mentions, password policy is something you really don't want to
compromise on. I find that an excellent document that discusses the use of "pass
phrases" as well as many other aspects of password policy can be found at:

http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/select_sec_passwords.mspx

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Mark Renoden [MSFT]

Hi again

Actually, something that's quite useful is

http://www.microsoft.com/security/guidance/default.mspx

Security Guidance Center. Answers most security related questions.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
