Password Policy



Eric K
07-09-2005, 11:53 PM
Hello,
I have been trying to find Microsoft's recommendation on password policies,
but no luck.
Also, if I set a password policy that forces users to change the password,
what about services (exchange, veritas, ....)? If I select password never
expires for the services, will they be exempt from that policy?

Steven L Umbach
07-09-2005, 11:53 PM
Any account that is configured to change password at next logon will have to
change their password. Password never expires means that the account will
not be subject to password policy maximum password age. The link below to
the Threats and Countermeasures Guide will give advice on password policy in
chapter 2. MS recommends that password complexity be enabled, that minimum
password length be eight characters, that maximum age be between 30 and 60
days [default is usually 42 days], and has other recommendations for minimum
password age, etc.. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx


Eric K
07-09-2005, 11:53 PM
Thank you Steve! But will the services be affected by this password policy?

Eric


Karl Levinson, mvp
07-09-2005, 11:53 PM
Yes and no... password policy affects every account in the domain / forest /
server / workstation on which the policy is applied. Any service that is
configured to use an account other than LocalSystem in the relevant security
domain would be affected. Often, such service accounts are configured to
never expire, but complexity rules will apply. For further details, search
for and download the Windows Security Guide for the relevant version of
Windows... try looking at www.microsoft.com/technet/security first.

There are alternatives... I believe some people now recommend that
complexity not necessarily be turned on, but instead you make the password
minimum 12 or more characters [e.g. a pass phrase instead of a pass word].
Specifics for password expiry and other details can vary depending on server
role, as described in the guide.



Steven L Umbach
07-09-2005, 11:53 PM
Only if you have configured services to use a user account that you have
created for such purpose. In that case be sure to NOT configure that user
account with "user must change password at next logon" and that it is
configured for "password will not expire" if you do not want those accounts
to be subject to maximum password age. Services that use local system and
such will not be affected by change in password policy. --- Steve


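An added example, not taken from any of the posts above: a PowerShell audit that ties together Karl's point (any service running as something other than a built-in identity is subject to the domain policy) and Steve's (those accounts should have "password never expires" set and must not be flagged "user must change password at next logon"). It assumes the ActiveDirectory RSAT module is installed, that WinRM is reachable on the listed servers, and that the host names in `$servers` are placeholders you replace with your own.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module (RSAT),
# WinRM access to the servers, run as a domain user with read rights.
$servers = @('EXCH01', 'BACKUP01')   # placeholder hostnames, replace with your own

# 1. The effective domain policy. "Password never expires" bypasses only
#    MaxPasswordAge; length, complexity and history still apply at the next change.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MinPasswordAge,
                  MaxPasswordAge, PasswordHistoryCount | Format-List

# 2. Services that run under something other than a built-in identity.
$builtin = @(
    'LocalSystem', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

$svcAccounts = foreach ($s in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        Select-Object @{ n = 'Server'; e = { $s } }, Name, StartName
}

# 3. For each such account, report the two flags the thread is about.
#    StartName is "DOMAIN\user", "user@domain" or ".\localuser"; local accounts
#    are not in AD and are simply skipped (SilentlyContinue).
$svcAccounts | ForEach-Object {
    $sam = (($_.StartName -split '\\')[-1]) -replace '@.*$', ''
    $u = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue `
            -Properties PasswordNeverExpires, PasswordExpired, pwdLastSet, PasswordLastSet
    if ($u) {
        [pscustomobject]@{
            Server               = $_.Server
            Service              = $_.Name
            Account              = $_.StartName
            PasswordNeverExpires = $u.PasswordNeverExpires
            MustChangeAtLogon    = ($u.pwdLastSet -eq 0)   # the "change at next logon" flag
            PasswordExpired      = $u.PasswordExpired
            PasswordLastSet      = $u.PasswordLastSet
        }
    }
} | Format-Table -AutoSize
```

Any row with MustChangeAtLogon = True, or PasswordExpired = True with PasswordNeverExpires = False, is a service that will fail to start (or fail at its next restart) once the policy is enforced; fix the account flags before tightening MaxPasswordAge rather than after the outage.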
