
RE: Windows 2000 password policy

From: Chris Carlson (OTG) <ccarls(at)microsoft.com>
Date: Tue Jun 24 2003 - 13:31:36 EDT


Jim, I think I understand where you were going with your statement; I just meant to say I don't really agree with the wording, and I want to make sure it is understood how the mechanism works. :-)

Andre, let me include a snip from the support article I included, and I have tested this:  

There is an exception to this rule. You can configure another account policy for an organizational unit. The account policy settings for the organizational unit affect the local policy on any computers contained within that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit named OU1, an administrator could create a Group Policy object for OU1, and specify an account policy that is different from that of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policy as defined by the Group Policy object for OU1 is used.  

Thanks,
-Chris
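The KB excerpt above says that an OU-level account policy governs local accounts on the computers in that OU while the domain policy governs domain logons. The following PowerShell script is an added example, not code from the thread or from Microsoft, that makes the two visible side by side on a single host. It assumes an elevated session on a domain-joined Windows machine, that secedit.exe is present (it has shipped since Windows 2000), and that the optional Get-ADDefaultDomainPasswordPolicy cmdlet from the RSAT ActiveDirectory module may or may not be installed; the final block lists enabled local accounts, which is the inventory Jim describes looking for on an audit.

```powershell
# Added example (not from the thread): compare the effective local account
# policy on this computer with the domain's default password policy.
# The "Local" column is what applies to local accounts on this host (and is
# where an OU GPO shows up); the "Domain" column applies to domain accounts.
# Assumptions: elevated PowerShell on a domain-joined host; secedit.exe present;
# Get-ADDefaultDomainPasswordPolicy is used only if the AD module is available.

# Effective local account policy: local settings merged with every GPO
# (domain-level or OU-level) that reached this computer object.
function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Only the [System Access] section carries the password/lockout keys.
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

# Domain default password policy, mapped onto the key names secedit uses
# so the two can be compared. Returns $null when the AD module is absent.
function Get-DomainAccountPolicy {
    if (-not (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue)) {
        return $null
    }
    $d = Get-ADDefaultDomainPasswordPolicy
    return @{
        MinimumPasswordLength = [string]$d.MinPasswordLength
        MaximumPasswordAge    = [string]$d.MaxPasswordAge.Days
        MinimumPasswordAge    = [string]$d.MinPasswordAge.Days
        PasswordHistorySize   = [string]$d.PasswordHistoryCount
        PasswordComplexity    = [string][int]$d.ComplexityEnabled
        LockoutBadCount       = [string]$d.LockoutThreshold
    }
}

# One row per setting; Differs is $true where local accounts on this host
# are governed by a different value than domain accounts.
function Compare-AccountPolicy {
    param([hashtable]$LocalPolicy, [hashtable]$DomainPolicy)
    $keys = 'MinimumPasswordLength', 'MaximumPasswordAge', 'MinimumPasswordAge',
            'PasswordHistorySize', 'PasswordComplexity', 'LockoutBadCount'
    foreach ($k in $keys) {
        $l  = $LocalPolicy[$k]
        $dv = if ($DomainPolicy) { $DomainPolicy[$k] } else { 'n/a' }
        [pscustomobject]@{
            Setting = $k
            Local   = $l
            Domain  = $dv
            Differs = [bool]($DomainPolicy -and ($l -ne $dv))
        }
    }
}

$localPolicy  = Get-LocalAccountPolicy
$domainPolicy = Get-DomainAccountPolicy
Compare-AccountPolicy -LocalPolicy $localPolicy -DomainPolicy $domainPolicy |
    Format-Table -AutoSize

# The local policy only matters for local accounts, so list the enabled ones
# and compare them against what you expect to exist on this host.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    Get-LocalUser | Where-Object Enabled |
        Select-Object Name, PasswordRequired, PasswordLastSet, PasswordExpires |
        Format-Table -AutoSize
}
```

A "never expires" maximum age is reported as -1 by secedit but as a very large TimeSpan by the AD cmdlet, so that row can show Differs even when both sides mean the same thing; treat the table as a prompt to look, not as a verdict.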


From: Andre Conde Caselli [mailto:ACaselli@aliancadobrasil.com.br]
Sent: Tue 6/24/2003 8:03 AM
To: Jim Barrett; Chris Carlson (OTG); hong li; focus-ms@securityfocus.com
Subject: RES: Windows 2000 password policy

Hi Chris,

Password policy is a domain property and can be placed only in the Default Domain Policy or in a new policy at the domain level.

Regards

André Conde Caselli
Tel. 0xx1138882598



Corporate communications of Aliança do Brasil

-----Original Message-----
From: Jim Barrett [mailto:jimb@ins.com]
Sent: Tuesday, June 24, 2003 08:59
To: 'Chris Carlson (OTG)'; 'hong li'; focus-ms@securityfocus.com
Subject: RE: Windows 2000 password policy

Okay, I stand corrected on that issue, but realistically I have never seen that sort of thing in the real world. One generally does not make a system part of the domain and then use local accounts to access it.

One of the first things that I look for on a security audit is local accounts on critical systems. Besides the required administrator account, the only local accounts on a machine should be service accounts required by an application running on that box that for some reason or other cannot use a domain based system account.

One could also make the argument that you need local accounts to work on the system should connectivity to the domain controller be severed due to a faulty WAN link. In that instance, since W2K machines cache local credentials, a user can still log onto a system with no connectivity to the domain provided that they have successfully logged on there before. Additionally, if access to the system is critical, then a local DC can provide the necessary fault tolerance.

Local accounts are much easier to compromise than domain accounts, thus my recommendation is to strictly limit them. As for the necessary administrator account, while password policies can be applied, generally, users will exempt the administrator account from regular password changes, and account lockout cannot be applied to the built-in administrator.

Jim Barrett, MCSE, CISSA, CISSP, CCNP
Principal Consultant
International Network Services
Boston, MA

-----Original Message-----
From: Chris Carlson (OTG) [mailto:ccarls@microsoft.com]
Sent: Tuesday, June 24, 2003 2:23 AM
To: Jim Barrett; hong li; focus-ms@securityfocus.com
Subject: RE: Windows 2000 password policy

>You will see the options for setting password policy in the OU GPO, but
>changes there will not affect anything.


I wouldn't necessarily say that; password policies at the OU level still apply to the local security accounts. http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

-Chris





Received on Tue Jun 24 15:44:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:31 EDT

