Thursday, July 02, 2009

A bit technical: Microsoft Active Directory and password policies.

For years I worked in a large corporate environment with a wide range of users: from basic users whose only task was to enter data or scan documents, to a broad range of computer engineers. Mixed in among these users were people with various rights to sensitive data, from payroll information to details of sales forecasting.

So, knowing there is this much important information, how do you start securing the data? The first building block is the password.

As simple as it sounds, many users don't take this very seriously. You can often find users keeping their passwords on a note on their desk, or even using a simple dictionary word as their password. While you can force a strong password policy on all users through Group Policy, the problem is that this sometimes has the opposite effect.

Instead of creating more complex passwords and remembering them, users may be more inclined to make a password that just meets the requirements and then write it down on a note. For example, with a policy that requires 10 characters including special characters, users could pick something as simple as JohnSmith123#, then change it to JohnSmith124# when the next change is required, and so on.

So now you know that users have a problem with complex passwords; how do you get around this hurdle? There are ways to have upper management force password policies, but the time and money spent helping users cope with complex passwords might not be worth it for users who have no access, or pose little risk, to important data. Now you are considering two password policies on the domain.

With Windows 2003 Active Directory you can only apply a password policy through the Default Domain Policy, which takes effect on every user in the domain. This is tough when you only want to restrict the high-risk users, such as Administrator.

Windows 2008 Active Directory introduced a kind of "sub group" for password settings called a Password Settings Object (PSO), which can apply a password policy to a group of users (a global security group) instead of to the entire domain. This is a great feature; many admins have battled with this problem in their domain, trying to secure a group of powerful users.
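The following PowerShell is an added example (not from the original post) of the two-policy setup described above: it reads the domain-wide policy that the Default Domain Policy sets, creates a stricter PSO, links it to a group of privileged accounts, and verifies which policy an individual user actually ends up with. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later; the original 2008 release needs ADSI Edit or ldifde instead), a domain functional level of Windows Server 2008 or higher, and two constructed names, the group HighRiskUsers and the user jsmith. The PSO name, precedence and settings are example values, not recommendations from the post.

```powershell
Import-Module ActiveDirectory

# PSOs require the Windows Server 2008 domain functional level or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt 'Windows2008Domain') {
    throw "Domain functional level $($domain.DomainMode) is too low for Password Settings Objects."
}

# The baseline that still applies to everyone with no PSO (set in the Default Domain Policy).
Get-ADDefaultDomainPasswordPolicy

# A stricter policy for the high-risk accounts only. Lower precedence number wins
# when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'HighRiskUsers-PSO' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Example: stricter settings for privileged accounts'

# PSOs link to users or global security groups, not to OUs.
# 'HighRiskUsers' is a constructed group name for this example.
Add-ADFineGrainedPasswordPolicySubject -Identity 'HighRiskUsers-PSO' `
    -Subjects 'Domain Admins', 'HighRiskUsers'

# Verify the effective (resultant) policy for one account ('jsmith' is constructed).
# If nothing is returned, the user is still covered by the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'

# List every PSO and its members, which is what you want to review after a change.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

One caveat worth keeping in mind: a PSO tightens length, complexity, age, history and lockout, but the history count only rejects exact reuse, so it will not catch the JohnSmith123# to JohnSmith124# pattern the post describes. That remains a user-education problem rather than a Group Policy one.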

It's a great feature, and I think this alone is a valid reason to upgrade to Windows 2008.
