Harden Your Windows Network with Strong Passwords - Page 2
Limitations of the Password Policy
Before concluding our discussion of the Password Policy, it is worth pointing out one major consideration. Both the Password Policy, and the Account Lockout Policy that we will discuss in Part Two of this series, are set on a domain-wide level. If you have numerous departments with differing policy needs, this represents a problem. For example, a research department with very high security needs and a customer service department with only moderate security needs will end up with the same security settings if they are in the same domain. Of course, you could create multiple domains, and then divide the departments up among the domains according to their security requirements, but that is a major design decision, and one that might not be practical if your Active Directory infrastructure is already in place.
With this in mind, perhaps the best way to use the policies is to configure them at the highest security level required anywhere in the domain. Departments with lower security needs simply end up being more secure than necessary, but there is nothing wrong with that.
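One way to work out that "highest level required" and check a domain against it, as an added example that is not part of the original article. The department names, requirement values, and the function names Get-StrictestRequirement and Compare-DomainPolicy are hypothetical; the current policy is a constructed sample shaped like the output of Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module).

```powershell
# Constructed sample requirements; department names and values are illustrative.
# MaxPasswordAgeDays = 0 means "never expires", the weakest setting for expiry.
$requirements = @(
    [pscustomobject]@{ Dept='Research';        MinPasswordLength=12; PasswordHistoryCount=24; MaxPasswordAgeDays=30; ComplexityEnabled=$true  }
    [pscustomobject]@{ Dept='CustomerService'; MinPasswordLength=8;  PasswordHistoryCount=6;  MaxPasswordAgeDays=90; ComplexityEnabled=$false }
    [pscustomobject]@{ Dept='Kiosk';           MinPasswordLength=8;  PasswordHistoryCount=0;  MaxPasswordAgeDays=0;  ComplexityEnabled=$false }
)

function Get-StrictestRequirement {
    param([Parameter(Mandatory)] [object[]] $Requirement)
    # Shortest non-zero age wins; 0 survives only if no department requires expiry.
    $ages = @($Requirement.MaxPasswordAgeDays | Where-Object { $_ -gt 0 })
    [pscustomobject]@{
        MinPasswordLength    = [int]($Requirement.MinPasswordLength    | Measure-Object -Maximum).Maximum
        PasswordHistoryCount = [int]($Requirement.PasswordHistoryCount | Measure-Object -Maximum).Maximum
        MaxPasswordAgeDays   = if ($ages.Count) { [int]($ages | Measure-Object -Minimum).Minimum } else { 0 }
        ComplexityEnabled    = [bool]($Requirement.ComplexityEnabled -contains $true)
    }
}

function Compare-DomainPolicy {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] $Target)
    $ageDays = [int]$Policy.MaxPasswordAge.TotalDays   # 0 = passwords never expire
    $gaps = @()
    if ($Policy.MinPasswordLength -lt $Target.MinPasswordLength) {
        $gaps += "MinPasswordLength: $($Policy.MinPasswordLength), need $($Target.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Target.PasswordHistoryCount) {
        $gaps += "PasswordHistoryCount: $($Policy.PasswordHistoryCount), need $($Target.PasswordHistoryCount)"
    }
    if ($Target.MaxPasswordAgeDays -gt 0 -and ($ageDays -eq 0 -or $ageDays -gt $Target.MaxPasswordAgeDays)) {
        $gaps += "MaxPasswordAge: $ageDays days, need $($Target.MaxPasswordAgeDays) or fewer"
    }
    if ($Target.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $gaps += 'ComplexityEnabled: False, need True'
    }
    $gaps
}

# Constructed sample; on a domain-joined host use: $current = Get-ADDefaultDomainPasswordPolicy
$current = [pscustomobject]@{
    MinPasswordLength = 7; PasswordHistoryCount = 24
    MaxPasswordAge = [TimeSpan]::FromDays(42); ComplexityEnabled = $true
}
$target = Get-StrictestRequirement -Requirement $requirements
Compare-DomainPolicy -Policy $current -Target $target
```

With the sample data, the output lists two gaps: the minimum length (7, need 12) and the maximum password age (42 days, need 30 or fewer).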
Next Week…
In part two of this article, we'll look at how you can configure the Account Lockout Policy to increase the authentication security of your systems even further. We'll also look at what non-computer-based policies you should have in place to govern password use. Until then!
Drew Bird has been working in the IT industry since 1988. He has a wide range of experience gained from many years of designing, managing, implementing, and supporting networked environments. Drew now divides his time between consulting work and writing and delivering technical training courses. He also writes a regular feature here on Enterprise Networking Planet, and authors technical books.