[gptalk] Re: Difficulty applying policies

  • From: Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 14 Jan 2008 13:41:07 -0800

Jakob,

Thanks for your valuable information and insight.

I read your articles on the Fine-grained password policies and they are very 
helpful.

As far as auditing fine-grained PSOs is concerned- does adjusting the 
PSO-Applies-to attribute of a PSO log an event in the domain controllers' event 
logs if it is changed? Can you enable auditing on a PSO the same way you can 
enable auditing on a GPO- oh wait- you can't set auditing on a GPO- so if you can 
please elaborate, I would very much appreciate it, as I am very interested in 
finding a viable way to do this.

On the fingerprint reader comment-" Well, maybe I'm just getting old and 
grumpy;-)"- well from your pics you don't look old- but grumpy- well only you 
can answer that :)

As far as the MS USB fingerprint reader- the software included from 
DigitalPersona does not allow for domain logon- but with many of the new 
laptops that come with fingerprint readers there is new software that will 
allow for the use of the fingerprint to provide both the user ID and the 
password- once the info is stored within the software credential manager- "for 
lack of a better term".

I have deployed HP laptops with the built-in fingerprint reader- but this is a 
fingerprint swiper with a roller on it- a bit different than the one where you 
just place your finger on top.

Now we all love the MythBusters- but in the video you sent the link to- these 
guys spent days recreating and getting the fingerprint fakes to work. Now as a 
security specialist- you have to come up with the most secure solution and 
recommendations- but I do think that fingerprint readers do have their place 
and I think that execs could make good use of this and the risk may be less 
than the very long passwords that they lose or end up locking their accounts 
with.

Now, don't get me wrong- I still believe in strong and long passwords- but 
educating the execs and regular users on how to create and manage these 
passwords is something that is not done very well- and this is where the 
problem lies- and the FP reader can assist with this- especially when execs or 
anyone with a long PW have to enter their PW several times in a user session- for 
example- using MS Exchange RPC/HTTPS or OWA forms-based where SSO is not set up, 
or between extranets and such- a FP reader can be a most useful tool.

I just wish it was more secure myself- and my response may have been off base- 
but that an FP is an ID is correct- it can, however, trigger the entry of a 
username/PW combo, and that is what I was intending to deliver in my response.

Omar
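The auditing question above (does a change to PSO-Applies-to show up in the DC event log, and can you turn auditing on for a PSO) can be answered with Directory Service Changes auditing on Windows Server 2008 DCs. The following is an added example, not code from anyone in this thread; it assumes the ActiveDirectory PowerShell module (shipped after this 2008 thread, with Server 2008 R2 / RSAT) and a Domain Admin session on a DC.

```powershell
# Added example (not from the thread): make changes to PSO attributes such as
# msDS-PSOAppliesTo show up in the DC Security log as event 5136.
Import-Module ActiveDirectory

# 1. Enable the "Directory Service Changes" subcategory on this DC. Event 5136
#    records the attribute name and the value added or removed. For all DCs,
#    set the same subcategory through the Default Domain Controllers Policy.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Event 5136 only fires for objects whose SACL asks for auditing. Put a
#    "write all properties" success-audit entry for Everyone on the Password
#    Settings Container; every PSO beneath it inherits the entry.
$domainDn = (Get-ADDomain).DistinguishedName
$pscPath  = "AD:\CN=Password Settings Container,CN=System,$domainDn"
$acl      = Get-Acl -Path $pscPath -Audit
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $pscPath -AclObject $acl   # writing a SACL needs SeSecurityPrivilege

# 3. Report every 5136 event that touched msDS-PSOAppliesTo: who changed which
#    PSO, and which user/group DN was added to or removed from its scope.
function Get-PsoAppliesToChange {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.AttributeLDAPDisplayName -eq 'msDS-PSOAppliesTo') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    PSO       = $d.ObjectDN
                    Subject   = $d.AttributeValue
                    # OperationType is a resource string id: %%14674 = value added, %%14675 = value deleted
                    Operation = switch ($d.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $_ } }
                }
            }
        }
}

Get-PsoAppliesToChange | Format-Table -AutoSize
```

Because step 2 audits writes to every attribute under the container, the same report with a different AttributeLDAPDisplayName filter also covers edits to precedence, lockout or length settings on a PSO.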

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jakob H. Heidelberg
Sent: Saturday, January 12, 2008 2:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Difficulty applying policies

Hi,

Executives typically have more permissions and rights than other users - access 
to the most important company data - so what should you do with them? Require 
them to use longer (complex) passwords than everybody else (except maybe the 
admins who should have even longer passwords in most cases IMHO)!

I don't think that Granular Password Policies are that tough to handle or audit 
- once it's set up it's actually pretty straightforward, but needs some thought 
and "initial adjustment" (because of the group thing):
http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html
A new article is on the way describing how to implement this "the easy way" 
(which could be free third party tools). But, you'll still need the WS2008 
native mode as said before.

If you really want multiple password policies in a W2000/2003 domain - I can 
recommend SpecOps Password Policy 
(http://www.specopssoft.com/products/specopspasswordpolicy/).

Side note:  A fingerprint is an ID, not a password. It's too easy to circumvent 
a fingerprint these days (Myth Busters? 
http://www.youtube.com/watch?v=LA4Xx5Noxyo) - I do like the idea of biometrics, 
but most of those "solutions" should be in combination with a good old 
password. And put a token on top of that... Well, maybe I'm just getting old 
and grumpy;-)

Best regards
/Jakob H. Heidelberg

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Omar Droubi
Sent: 12 January 2008 02:40
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Difficulty applying policies

This is a major issue many companies face:

1st thing I would ask is:

Is your company bound by any regulatory compliance specifications? If so, less 
complex passwords may violate that.

2nd- your execs need to secure their data and less complex passwords put that 
more at risk- but so does a very difficult password that they end up writing 
down.

I would work with your execs and the exec assistants to understand how to meet 
a strong password that is easy to remember- here are a few examples:

3Golfpro$ -- this has the length- the number, special characters and upper and 
lower case.

As far as Fine-Grained password policies- it is very important to note that 
this is only available when the domain is running in W2K8 native mode, so all 
W2K/W2K3 domain controllers have to be removed before you can enable that- 2nd- 
this is something that should be kept under wraps right now as it is hard to 
audit and can be a pain to set up.

In the real world what I would recommend for your execs- new laptops with 
fingerprint readers built in- this works great for their own PC- also- if a new 
machine is not in the budget or they have a desktop or a 2nd machine at home- 
the USB-connected fingerprint readers work great.

And- for all you admins working with Vista and User Account Control- fingerprint 
readers are great, as your user account can be your index finger and your 
administrator account can be your middle finger- it works like a champ- if you 
haven't tried it- pay the 40 bucks and get one to try it out.

My 2 cents hope it helps some,

omar


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of mike kline
Sent: Friday, January 11, 2008 4:58 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Difficulty applying policies

Password policies for domain accounts can't be set at the OU level.  That 
policy is set at the domain level so your domain level policy is still being 
used.

There are some third party tools that may help you out if you want a different 
policy.

Windows 2008 will allow you to use fine-grained passwords so Microsoft did 
listen that we wanted this feature. More info on that here:

http://technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true
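Paul's "Exec Password Policy" GPO linked to the Executives OU cannot change the rules for domain accounts, as Mike says; on a Windows Server 2008 domain the supported way to give one group a different policy is a Password Settings Object. The following is an added example, not code from anyone in this thread; it assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT, later than this thread), an existing "Executives" OU, and a user account named fred.executive. The policy values are illustrative only.

```powershell
# Added example (not from the thread): replace the OU-linked GPO approach with a
# fine-grained password policy (PSO). Requires the Windows Server 2008 domain
# functional level mentioned in the thread; run as a Domain Admin.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# This is the only password policy that applies to domain accounts until a PSO
# overrides it; a GPO linked at OU level only affects local accounts on members.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold

# PSOs apply to users or global security groups, never to OUs, so membership in
# this group (assumed name) selects the policy, not OU placement.
$execGroup = 'Exec-PasswordPolicy'
if (-not (Get-ADGroup -Filter "Name -eq '$execGroup'")) {
    New-ADGroup -Name $execGroup -GroupScope Global -GroupCategory Security `
        -Path ("OU=Executives," + $domain.DistinguishedName)
}

# Precedence is mandatory; the lowest number wins when several PSOs hit one user.
$psoName = 'Exec Password Policy'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $execGroup
Add-ADGroupMember -Identity $execGroup -Members 'fred.executive'

# Verify what the DC will actually enforce for the executive: the resultant PSO,
# not the domain default, should come back once group membership has replicated.
function Get-ExecEffectivePolicy {
    param([string]$SamAccountName = 'fred.executive')
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount
}
Get-ExecEffectivePolicy
```

If Get-ADUserResultantPasswordPolicy returns nothing, the user is covered by no PSO and the default domain policy still applies, which is exactly the symptom Paul saw.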

On Jan 11, 2008 7:37 PM, Paul Manley <paul.manley@xxxxxxxxx> wrote:
Simplified Scenario:  Executives can't remember their difficult passwords.  So 
we are going to let them use smaller non-complex passwords.

Let us assume that this morning I setup Active Directory on a Windows 2003 
server with SP1, but no other updates and created a few users.
I've installed the Group Policy Management snap-in and created a new Group 
Policy Object ( under the Group Policy Objects folder of our domain ) called 
"Exec Password Policy".
I've set the [Computer Configuration]->[Windows Settings]->[Security 
Settings]->[Account Policies]->[Password Policies] to be less restrictive in 
"Exec Password Policy".
I create a new Organizational Unit called "Executives" and place the users in 
there.
Now I "Link an Existing GPO..." on my "Executives" OU selecting the "Executive 
Password Policy".

I try to reset one of the Executives passwords, but I am not allowed:
"Windows cannot complete the password change for Fred Executive because:  The 
password does not meet the password policy requirements.  Check the minimum 
password length, password complexity and password history requirements."

Those are exactly what I have just turned off.  Perhaps you could point out the 
error of my configuration.  I have setup a VM domain this morning to do testing.

 - Paul -
