To: wirestripper
I hope every Windows administrator is doing the following:
Set your password policy to 8 Chars, complexity enabled, password history 24.
Set your account policy to three attempts, lockout indef, duration 30 minutes.
Rename the administrator account to something else. Use restricted groups on Domain Admins, Enterprise Admins and Administrators.
Set audit policy to failure on account logon.
Set idle timeout to some minimum.
It's just like not leaving the keys in the ignition, locking the doors, rolling up the windows, moving all visible valuables into the trunk, and parking in a well-lit area if you don't want your car stolen.
To: Alas Babylon!
hehehe... nice policy, if you can get it. Like they say: this networking crap would be a lot of fun if it weren't for all these darn *users*.
One thought though: An indefinite lockout makes for the easiest DOS attack on the planet.
22 posted on 07/22/2003 9:40:30 PM PDT by Ramius
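An added check, not from this thread: a Python script that reads a `secedit /export` INF and audits it against the checklist in the first post, and flags the indefinite lockout Ramius warns about as the one setting that should change. The sample export below is constructed; that a real export must be opened as UTF-16, and the key names in [System Access] and [Event Audit], are assumptions.

```python
import configparser

# Constructed sample of a `secedit /export` file that follows the first post's
# policy to the letter, including the indefinite lockout (LockoutDuration = -1).
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = -1
NewAdministratorName = "svc-maint"
[Event Audit]
AuditAccountLogon = 2
"""

def audit_policy(text):
    """Return {check: (ok, detail)} for the checklist in the first post."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as secedit writes it
    cp.read_string(text)
    sa = cp["System Access"]
    ea = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    num = lambda sec, key: int(sec.get(key, "0"))
    admin = sa.get("NewAdministratorName", '"Administrator"').strip('"')
    audit_flags = num(ea, "AuditAccountLogon")   # 1=success, 2=failure, 3=both
    return {
        "min_length": (num(sa, "MinimumPasswordLength") >= 8, "8+ chars"),
        "complexity": (num(sa, "PasswordComplexity") == 1, "complexity enabled"),
        "history": (num(sa, "PasswordHistorySize") >= 24, "remember last 24"),
        "lockout_threshold": (0 < num(sa, "LockoutBadCount") <= 3, "3 bad attempts"),
        "reset_counter": (num(sa, "ResetLockoutCount") >= 30, "counter resets after 30 min"),
        # Ramius's point: -1 (locked until an admin unlocks) lets any source of
        # failed logons keep accounts locked at will, so require a finite duration.
        "lockout_duration": (num(sa, "LockoutDuration") > 0, "finite lockout, not indefinite"),
        "admin_renamed": (admin.lower() != "administrator", "built-in admin renamed"),
        "audit_logon_failure": (bool(audit_flags & 2), "failure auditing on account logon"),
    }

def failing(text):
    """Names of the checks that do not pass, sorted."""
    return sorted(k for k, (ok, _) in audit_policy(text).items() if not ok)

if __name__ == "__main__":
    # A real export is UTF-16 (assumption): open(path, encoding="utf-16").read()
    for check, (ok, detail) in audit_policy(SAMPLE_INF).items():
        print(f"{'PASS' if ok else 'FAIL'} {check:20} {detail}")
```

Against the sample, every check passes except `lockout_duration`; changing the export to a finite `LockoutDuration` clears it.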
To: Alas Babylon!; Ramius
For the truly paranoid, and/or those who have a fetish for truly fascist security schemes, the NSA published a series of guides about locking down Windows 2000 a few years ago. Although it's good to look through for tips about stuff that might have been missed, I recall leafing through it and thinking that only the truly masochistic would feel compelled to implement it all ;)
26 posted on 07/22/2003 9:45:49 PM PDT by general_re (The wheel is turning but the hamster is dead.)
To: Alas Babylon!
You forgot the one about setting up a "guest" account and naming it "administrator" to throw off would-be intruders.
30 posted on 07/22/2003 9:52:24 PM PDT by Dimensio (Sometimes I doubt your commitment to Sparkle Motion!)
To: Alas Babylon!
I hope every Windows administrator is doing the following:...
Of these, only longer passwords help against either brute-force or storage/time tradeoff attacks. (You probably know that, but many readers might not.)
To: Alas Babylon!
The general rule on passwords is, don't use any word that's in an English dictionary, or a common name, since these are vulnerable to an attack consisting of just plugging in every word in Webster's or the OED, programmatically. You might use a two-word phrase run together.