Free Republic

To: wirestripper
I hope every Windows administrator is doing the following:

Set your password policy to 8 Chars, complexity enabled, password history 24.
Set your account policy to three attempts, lockout indef, duration 30 minutes.
Rename the administrator account to something else. Use restricted groups on Domain Admins, Enterprise Admins and Administrators.
Set audit policy to failure on account logon.
Set idle timeout to some minimum.

It's just like not leaving the keys in the ignition, locking the doors, rolling up the windows, moving all visible valuables into the trunk, and parking in a well-lit area if you don't want your car stolen.

15 posted on 07/22/2003 9:28:48 PM PDT by Alas Babylon!
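The checklist in post 15 can be turned into an audit that reports whether a machine actually matches it. The script below is an added example, not something posted in this thread: it exports the local security policy with secedit, reads the standard INF keys (MinimumPasswordLength, PasswordComplexity, PasswordHistorySize, LockoutBadCount, ResetLockoutCount, LockoutDuration, AuditAccountLogon), and checks that the built-in Administrator (RID 500) no longer carries its default name. It assumes Windows PowerShell 5.1 on a workstation or member server (Get-LocalUser is not available on a domain controller) run from an elevated prompt; the restricted-groups and idle-timeout items are not covered because they are set per domain or per service rather than in this INF.

```powershell
# Added example: audit local policy against the settings recommended in post 15.
# Assumes Windows PowerShell 5.1, elevated, on a non-DC machine.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Parse "Key = Value" lines of the exported INF into a hashtable.
$policy = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Built-in Administrator always has RID 500 regardless of its display name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# AuditAccountLogon is a bitmask: 1 = success, 2 = failure, 3 = both.
$checks = @(
    @{ Name = 'Minimum password length >= 8';          Pass = ([int]$policy.MinimumPasswordLength -ge 8) }
    @{ Name = 'Password complexity enabled';           Pass = ($policy.PasswordComplexity -eq '1') }
    @{ Name = 'Password history >= 24';                Pass = ([int]$policy.PasswordHistorySize -ge 24) }
    @{ Name = 'Lockout after <= 3 bad logons';         Pass = ([int]$policy.LockoutBadCount -gt 0 -and [int]$policy.LockoutBadCount -le 3) }
    @{ Name = 'Bad-logon counter resets after 30 min'; Pass = ([int]$policy.ResetLockoutCount -ge 30) }
    @{ Name = 'Audit account logon failures';          Pass = (([int]$policy.AuditAccountLogon -band 2) -ne 0) }
    @{ Name = 'Built-in Administrator renamed';        Pass = ($null -ne $builtinAdmin -and $builtinAdmin.Name -ne 'Administrator') }
)

foreach ($c in $checks) {
    '{0,-5} {1}' -f $(if ($c.Pass) { 'PASS' } else { 'FAIL' }), $c.Name
}

# LockoutDuration -1 means accounts stay locked until an administrator unlocks them,
# which is the indefinite setting post 22 flags as a denial-of-service risk.
if ($policy.LockoutDuration -eq '-1') {
    Write-Warning 'Lockout duration is indefinite: repeated bad logons keep accounts locked until an admin intervenes (see post 22).'
}
```

Run it on a representative build and a domain-joined machine; the INF only reflects local effective policy, so on a domain member the values are whatever the applied GPO set.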


To: Alas Babylon!
hehehe... nice policy, if you can get it. Like they say: this networking crap would be a lot of fun if it weren't for all these darn *users*.

One thought though: An indefinite lockout makes for the easiest DOS attack on the planet.
22 posted on 07/22/2003 9:40:30 PM PDT by Ramius

To: Alas Babylon!; Ramius
For the truly paranoid, and/or those who have a fetish for truly fascist security schemes, the NSA published a series of guides about locking down Windows 2000 a few years ago. Although it's good to look through for tips about stuff that might have been missed, I recall leafing through it and thinking that only the truly masochistic would feel compelled to implement it all ;)
26 posted on 07/22/2003 9:45:49 PM PDT by general_re (The wheel is turning but the hamster is dead.)

To: Alas Babylon!
You forgot the one about setting up a "guest" account and naming it "administrator" to throw off would-be intruders.
30 posted on 07/22/2003 9:52:24 PM PDT by Dimensio (Sometimes I doubt your committment to Sparkle Motion!)

To: Alas Babylon!
I hope every Windows administrator is doing the following:...

Of these, only longer passwords help against either brute-force or storage/time tradeoff attacks. (You probably know that, but many readers might not.)

42 posted on 07/22/2003 10:22:33 PM PDT by Russian Sage

To: Alas Babylon!
The general rule on passwords is, don't use any word that's in an English dictionary, or a common name, since these are vulnerable to an attack consisting of just plugging in every word in Websters or the OED, programmatically. You might use a two-word phrase run together.
94 posted on 07/23/2003 1:50:35 PM PDT by BlazingArizona
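The dictionary rule in post 94 is easy to enforce at password-change time. The function below is an added example, not code from this thread: it lowercases the candidate, undoes the usual digit-for-letter substitutions, strips everything that is not a letter, and rejects the result if it is a single wordlist entry. It also reports, as weak rather than rejected, a candidate that is just two wordlist entries run together, since the same wordlist can be tried in pairs. The wordlist and sample passwords are constructed stand-ins; in practice load a real dictionary and a names list (one entry per line) into the HashSet.

```powershell
# Added example: dictionary/common-name check for candidate passwords (Windows PowerShell 5.1+).

function Test-DictionaryPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$WordList,
        [int]$MinWordLength = 3
    )
    # Normalize: lowercase, undo common substitutions (@->a, $->s, 0->o, 1->l, 3->e, 4->a),
    # then drop anything that is not a letter, so "P@ssw0rd!" is compared as "password".
    $core = $Password.ToLowerInvariant() -replace '@','a' -replace '\$','s' -replace '0','o' `
        -replace '1','l' -replace '3','e' -replace '4','a' -replace '[^a-z]',''

    if ($core.Length -eq 0) {
        return [pscustomobject]@{ Password = $Password; Verdict = 'reject'; Reason = 'no letters at all' }
    }
    if ($WordList.Contains($core)) {
        return [pscustomobject]@{ Password = $Password; Verdict = 'reject'; Reason = "dictionary word or name '$core'" }
    }
    # Two-word concatenation: try every split point where both halves are wordlist entries.
    for ($i = $MinWordLength; $i -le $core.Length - $MinWordLength; $i++) {
        $left  = $core.Substring(0, $i)
        $right = $core.Substring($i)
        if ($WordList.Contains($left) -and $WordList.Contains($right)) {
            return [pscustomobject]@{ Password = $Password; Verdict = 'weak'; Reason = "two words run together ('$left' + '$right')" }
        }
    }
    return [pscustomobject]@{ Password = $Password; Verdict = 'ok'; Reason = '' }
}

# Constructed stub wordlist standing in for Webster's/OED plus a list of common names.
$words = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
'summer','winter','password','correct','horse','battery','staple','michael','jennifer' |
    ForEach-Object { [void]$words.Add($_) }

# Constructed sample candidates.
'Summer2003!', 'michael', 'P@ssw0rd', 'CorrectHorse', 'xq7!Lm9#vR' | ForEach-Object {
    Test-DictionaryPassword -Password $_ -WordList $words
} | Format-Table -AutoSize
```

With the stub list, the first three come back as reject, CorrectHorse as weak (correct + horse), and the random string as ok. A real deployment would hook this into whatever enforces password changes and keep the wordlist out of users' reach only in the sense of not advertising it; its contents are public anyway.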

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson