Re: Protect user accounts

From: Chriss3 (noSpamHere_at_chrisse.se)
Date: 05/30/04

Next message: Chriss3: "Re: Roaming Profiles"
Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: NEW FREE APP! NTBACKUP Print Log"
In reply to: timpuri: "Protect user accounts"
Next in thread: Richard Mueller [MVP]: "Re: Protect user accounts"
Messages sorted by: [ date ] [ thread ]

Date: Sun, 30 May 2004 02:49:29 +0200

Enable strong passwords in the password policy, set minimum password age
this helps to protect in that way if some one take over an account the
'hacker' can't change the password. Use GPOs and Deny Logon Locally for
users in OU1 to computers in OU2 and the other way around. Enable Audit and
tack all logon/logoff events. Do not cache credentials. If you want to
become really secure use smart cards!

-- 
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"timpuri" <anonymous@discussions.microsoft.com> skrev i meddelandet
news:14dc501c445a8$ea069a20$a301280a@phx.gbl...
> Hi
>
> In a singe-domain, single - forest impementation. How am I
> able to protect useraccounts from hacking. For example: I
> have a ou1 with users. I have another ou2 with users. I
> have a security policy that locks user account after 5
> failed logon attemps. Now if users in ou2 somehow would
> get to know (or guess) another username from ou1 and they
> wanted to do harm, they intentionally make five failed
> logons as a user in ou1 and the account is locked.
> I know
> - we can define the computers netbios name, where user
> only can logon
> - we can make gpos "log on locally"
> - we can make restricted group policy
>
> But still. If you are in the same domain and you know the
> username, you can try to logon and DCs' do as if defined
> in the domain policy.
>
> Thanks
>
> Timo

Next message: Chriss3: "Re: Roaming Profiles"
Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: NEW FREE APP! NTBACKUP Print Log"
In reply to: timpuri: "Protect user accounts"
Next in thread: Richard Mueller [MVP]: "Re: Protect user accounts"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Stop Certain user accounts logging onto pc??
... just put that account into the "Deny Logon ... Locally" list and enable that policy. ...
(microsoft.public.windowsxp.security_admin)
RE: Limit number of Logon attempts
... I understand that you want to adjust the logon attempts through Group ... we have an Account Lockout policy ...
(microsoft.public.windows.server.sbs)
Re: you do not have permission to log on locally
... I am having the same problem, I can't logon with the local machine account ... I am unable to remove the administrators account from the "deny local log ". ... the efffective policy setting still remains. ... > Use domain policy to override whatever security settings are causing ...
(microsoft.public.win2000.security)
Re: Cant login with new user account
... Are you trying to logon to a DC? ... there's a policy there that denies access to logon interactively ... I've created a new account in Active ... > - Group Policy Creator Owners ...
(microsoft.public.windows.server.active_directory)
Protect user accounts
... have a ou1 with users. ... have a security policy that locks user account after 5 ... failed logon attemps. ... in the domain policy. ...
(microsoft.public.windows.server.active_directory)