Windows NT has the usual round-up of account security features. Your account holds the groups of which you are a member. Groups on Windows NT are largely shorthand for lists of users. The system could provide the same security without them; it's just that you would do a lot more typing. However, as a shorthand they are a powerful way of simplifying access to objects, and as such bear careful planning and control.

There are a number of common-sense password controls imposed in a computer's "account policy," which applies to all accounts stored on the computer. You can set the minimum length of passwords, when they expire, whether users can change their passwords after they expire, and whether or not a user can use one of their last X passwords for a new one, where X is up to 24. You can also make users live with a new password for several days, which discourages them from cycling through new passwords to get to an old favorite.

The most important password policy is the "locking" policy. When a bogus password is presented a specified number of times in a row within a specified time period, the account locks and cannot be logged onto. Accounts can unlock after a period of time, or administrators can designate that only they can unlock an account. The locking parameters and the complexity of an account's password (like its length and the kinds of characters from which it's drawn) together determine the probability that it can be guessed. For example, a locking period of 6 tries in ½ hour with a ½ hour healing time means a penetrator can guess a maximum of 5 times per hour, or 120 times a day. Couple this with a password complexity of, say, 6 characters randomly drawn from lower-case alphabetics, and the chance of someone guessing the password at this maximum rate for 1 month is about 1/100,000. This is the number you should care about. Raw password size is itself no measure of security. Note that locking protection also applies to secondary logons.
A remote user can lock your domain account by attempting to remotely access any computer on which that account is visible, preventing you from logging on anywhere. No security comes without a cost. Being an administrator means seeking the appropriate balance.

One exception to locking is that the local Administrator account never locks. Give it a nice, long, random password that you write down and lock up. Use this account only for "emergency" situations. Instead, use other administrative accounts (which do lock) in day-to-day operations. This is common advice worth continually repeating. The Windows NT 4.0 Resource Kit contains a utility that also locks the Administrator account except for local logons on domain controllers. A great idea, but not really necessary if this account has a nice, long, random password.
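
The guessing arithmetic from the locking discussion above, as an added Python example (not part of the original text). It follows the text's model of one guess fewer than the lock threshold per cycle of counting window plus healing time, assumes half an hour for each (which reproduces the 5 guesses per hour), and contrasts that with a constructed case: a longer password with no lockout at an assumed 100 guesses per second.

```python
# Added example: lockout policy + password complexity -> guess probability.
# Model follows the text's arithmetic: a guesser gets (threshold - 1) tries
# per cycle of (counting window + healing time). The half-hour values and
# the no-lockout guess rate are assumptions, not figures from the text.

def guesses_per_day(threshold, window_h, heal_h):
    """Maximum guesses per day that the locking policy allows."""
    return (threshold - 1) * 24.0 / (window_h + heal_h)

def guess_probability(rate_per_day, alphabet, length, days):
    """Chance that guessing at rate_per_day hits a uniformly random password."""
    keyspace = alphabet ** length
    return min(rate_per_day * days, keyspace) / keyspace

def min_length(rate_per_day, alphabet, days, target):
    """Shortest random password whose guess probability is <= target."""
    length = 1
    while guess_probability(rate_per_day, alphabet, length, days) > target:
        length += 1
    return length

def compare(days=30):
    """Short password behind a lock vs. longer password with no lock."""
    locked = guesses_per_day(6, 0.5, 0.5)   # 6 tries, 1/2 h window, 1/2 h healing
    unlocked = 100 * 86400                  # assumed: no lockout, 100 guesses/s
    return {
        "6 lower-case chars, lockout": guess_probability(locked, 26, 6, days),
        "8 lower-case chars, no lockout": guess_probability(unlocked, 26, 8, days),
    }

if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name}: about 1 in {1 / p:,.0f} over 30 days")
    rate = guesses_per_day(6, 0.5, 0.5)
    for alphabet in (26, 62):  # lower-case only vs. mixed case plus digits
        n = min_length(rate, alphabet, 30, 1e-6)
        print(f"alphabet of {alphabet}: {n} chars for <= 1 in 1,000,000")
```

The 8-character password with no lock comes out far easier to guess than the 6-character one behind the lock, which is the point of "raw password size is itself no measure of security."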