Harden Your Windows Network with Strong Passwords - Page 2

Continued From Page 1

Limitations of the Password Policy
Before concluding our discussion of the Password Policy, it is worth pointing out one major consideration. Both the Password Policy, and the Account Lockout Policy that we will discuss in Part Two of this series, are set on a domain-wide level. If you have numerous departments with differing policy needs, this represents a problem. For example, a research department with very high security needs and a customer service department with only moderate security needs will end up with the same security settings if they are in the same domain. Of course, you could create multiple domains, and then divide the departments up among the domains according to their security requirements, but that is a major design decision, and one that might not be practical if your Active Directory infrastructure is already in place.

With this in mind, perhaps the best way to use the policies is simply to configure the policies at the highest security level required within the entire domain. Departments with lower security needs simply end up being more secure than necessary, but there is nothing wrong with that.

Next Week…
In part two of this article, we'll look at how you can configure the Account Lockout Policy to increase the authentication security of your systems even further. We'll also look at what non-computer based policies you should have in place to govern password use. Until then!

Drew Bird has been working in the IT industry since 1988. He has a wide range of experience gained from many years of designing, managing, implementing, and supporting networked environments. Drew now divides his time between consulting work and writing and delivering technical training courses. He also writes a regular feature here on Enterprise Networking Planet, and authors technical books.