[RossDoughty]

Hey all,

Currently the network I am administering has no password policy because the poeple who used to do it before, just never made one. Also, users can change their passwords at will to whatever they like :angry:, so I would like to put a policy in place and also some restrictions.

Having never written a policy before, could someone please give me some tips on what to include and where to start out?

Also, I would like to change the domain controller admin account password, as it is literally the company name, with numbers replacing the corresponding letters, however I am concerned about running services etc that may be using it.

I was initally considering 3 types of account "Staff" which would include a 5 long upper, lower and number password changed every 4 months. "Finances" which would be a 8 long upper, lower and number changed every 4 months and "Managers/Directors" with a 10 long number upper, lower and special chars changed every 4 months.

Any and all thoughts would be appreciated.

Thanks,

Ross Doughty

 

[Wand3r3r]

You don't mention what OS you are using for a server or if you are running active directory.

You don't need to write a policy. You just go to administrative tools and security policy and account policy to see the password retention/length/complexity etc

There should be no services running under the administrator account. You should review all of the services on the server first to confirm and if need be change accordingly.

Recommendation is make a admin service account with run as service right. Only use that account for any services and set its password to never expire.

Also recommend creating a backup admin account in case the day comes the primary account gets corrupt. Always nice to have a back door.

Document these and place them in a safe with restricted access in case something happens to you.

 

[Signify]

Ross a policy is never wrong if this is to deal with end users. I presume you use AD or NDS?

I would not make it that complicated. Use the same policy on all accounts. At least 10 characters, must at least contain one digit and upper and lower and special character. For info we use minimum 16 characters at my work but I think that was after one of the guys at in house IT had been to some seminar.....
What you could do is limit the password complexity on very low level accounts below "Staff" level.
Also prohibit re-use of the last 4 or more passwords or else users will just re-use the same password again and again.
It's a careful balance. To low security level and it's easy to crack. Too high and people tend to keep yellow sticker notes under the keyboard with the password on.....

As Wand3r3r say never use the admin/administrator account on a regular basis. Grant you and your staff at IT admin rights (members of administrators group in AD).
Set the "administrator" account password to something really complex, write it down and lock it in a fire safe. Change the administrator password every 6 months or so. Do NOT forget to document!

Never give admin passwords to consultants. Rather create a "consultant" account or one account per consultant with the rights they need to do their job. Lock the account when they are not there on a regular bases.
We consultants always take notes and then we usually forget to destroy notes like passwords when we leave the customer.
This is one reason I always recommend my clients to never use local accounts on networking equipment if they can use radius or tacacs for authentication instead.

If you can avoid it. Never force a specific password on a user. People tend to create password in individual ways. Personally I have a hard time to remember a simple 4 digit PIN unless I can choose it myself.

 

[RossDoughty]

Just want to start by saying thankyou to you both, your information is very useful.

To clear up some issues, I am using AD with a Windows 2008 Server.

You just go to administrative tools and security policy and account policy to see the password retention/length/complexity etc

I have done this, however I hard copy of the policy is required by my employer, so I do have to write one.

There should be no services running under the administrator account.

This is quite true and I totally agree, the company that actually set up this network before me is running everything from the one account on one server. It's quite annoying really. I personally would visualize for each service and do them separately.

Also recommend creating a backup admin account...

Done and done. Basically I made an account that I can use incase it does go down, seeing as though for the moment everything is running from the main one.

And in reply to Signify.

Never give admin passwords to consultants...

In response to this, I have made accounts for everyone who we deal with from other sources, for example if a printer engineer comes in as we still have on-site cover, they can now log into "Printers" and to a very restricted account, instead of the only other account, which would be the domain admin.

Lock the account when they are not there on a regular bases...

Upon looking into AD, I found that yes, we had accounts that were not locked when not used, as I will be doing with the above "Printer" account, then unlocking it as and when we need it, but also that over 15 accounts of people that had left the company were unlocked still from 2003! Makes me wonder what we were paying the other previous networking company to do.

Anyway, to summarize, thanks for your help, both of you. If anyone has any more to contribute, I would be glad to hear it.

Thanks,

Ross.