Important:
This policy should be imported into any additional domains in the organization. However,
it is not uncommon to find environments where the root domain password policy is much stricter than
any of the other domains. Care should also be taken to ensure that any other domains that will use
this same policy have the same business requirements. Because the password policy can only be set
at the domain level, there may be business or legal requirements that segment some users into a
separate domain simply to enforce the use of a stricter password policy on that group.
Once the domain policy has been downloaded successfully to each of the servers, the following event
should appear in the Application Event Log to confirm its completion:
Type: Information
Source ID: SceCli
Event ID: 1704
Description: Security policy in the Group policy objects has been applied successfully.
For more information, see Help and Support Center at <http://go.microsoft.com/fwlink/events.asp>.
If the above message does not appear within a few minutes after applying the domain policy, rerun
the Gpupdate.exe command-line tool to apply the domain policy, and then restart the server to force
the domain policy download. By default, security settings are refreshed every 90 minutes on a
workstation or server and every 5 minutes on a domain controller.
For Windows 2000 Active Directory domains: Administrators should instead use the
“secedit.exe /refreshpolicy” command line from the DOS prompt to force domain policy replication.
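The event check described above can be scripted across several servers. The following PowerShell is an added example, not part of the original guide. It assumes servers that can be queried remotely with Get-WinEvent and that the event provider name matches the SceCli source quoted above; the server names are constructed placeholders.

```powershell
# Added example: confirm SceCli event 1704 on each server after a policy change.
# Server names are constructed placeholders; replace them with your own.
param(
    [string[]]$Servers = @('NAS01', 'INFRA01'),
    [int]$WindowMinutes = 10
)

function Get-PolicyAppliedEvent {
    param([string]$ComputerName, [datetime]$Since)
    # Source and Event ID are the ones quoted in the guide text.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SceCli'      # assumed to match "Source ID: SceCli"
        Id           = 1704
        StartTime    = $Since
    }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
            -MaxEvents 1 -ErrorAction Stop
    } catch {
        # "No matching events" means the policy has not been applied yet.
        # Anything else (unreachable host, access denied) is rethrown.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return $null }
        throw
    }
}

$since = (Get-Date).AddMinutes(-$WindowMinutes)
foreach ($server in $Servers) {
    try {
        $evt = Get-PolicyAppliedEvent -ComputerName $server -Since $since
        $status = if ($evt) { 'Applied' } else { 'Missing' }
        $time = if ($evt) { $evt.TimeCreated } else { $null }
    } catch {
        # Keep query failures separate from a genuinely missing event.
        $status = 'QueryFailed'
        $time = $null
        Write-Warning "${server}: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server; Status = $status; EventTime = $time }
    if ($status -eq 'Missing') {
        Write-Warning "${server}: no SceCli 1704 since $since. Rerun gpupdate there, then restart if it is still missing."
    }
}
```

A server reported as Missing is the case the text covers: rerun Gpupdate.exe on it and restart it if the event still does not appear.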
Group Policy security settings are applied at several different levels within the network organizational
hierarchy. In the domain infrastructure, these are broken down into the following three levels:
• Domain Level - To address common security requirements, such as account and password policies
  that must be enforced for all servers in the domain.
• Baseline Level - To address specific server security requirements that are common to all servers in the
  domain infrastructure.
• Role Specific Level - To address security requirements for specific server roles. For example, the
  security requirements for infrastructure servers differ from those for servers running HP NAS.
2.4 Domain Level: Hardening the Domain Infrastructure Password Policy
The easiest and most important task in securing one’s network environment at the domain level is
implementing policies that force users to create complex passwords and require them to change their
passwords on a regular basis. Administrators should apply the following password guidelines:
• Avoid using words from a dictionary, common or clever misspellings of words, and foreign
  words.
• Avoid using incrementing passwords with a digit.
• Avoid preceding or appending passwords with a number.
• Avoid using passwords that others can easily guess.
• Avoid using words from popular culture.
• Avoid thinking of passwords as just full words.