Home Articles SBS Show Vladfire About Links Contact Wiki RSS2 Feed

AJAXify your Wordpress

Learn how I ajaxified my wordpress blog with these few steps...

SBS Show!

Listen to the latest episode of the SBS Show, Dave Sobel talks about process management...

Vladville Newsletter!

Looking for a more focused, exclusive insight into the world of SMB tech & business? Sign up for my newsletter!

« 1…. | What is going on with the market? »

Windows Server 2008 & Domain Security Policy
Posted: 12:02 am October 9th, 2008	Post a comment Microsoft, Security

Some of the new software we are building at Own Web Now manages it’s own password complexity, sometimes much to the chagrin of the default policies built into Windows Server 2008. You’ve heard about Security By Obscurity, so get ready for the new model: Security by presenting GPOs where you would expect to see them, just disabled and uneditable, forcing you to go modify them in a completely different place – Security By Ambiguity. Where does one modify the local security policy in Windows Server 2008?

Local Security Policy used to be managed through Administrative Tools >Local Security Policy. Things like minimum and maximum password age, minimum length, complexity and so on were tweakable under that console. In Windows Server 2008, those screens are still there but you have no way to edit them:

So, how does one disable all this stuff in Windows Server 2008 because the external application is intended to manage it (and you presumably do not want your policies to break because they override some of Microsoft’s?):

Start > Run > gpmc.msc

This is the Group Policy Management Editor, nifty tool that used to be optional with Windows Server 2003 and XP (free download) is now the way to manage your security policies.

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies

Warning: The security policy outlined above is pretty much suicidal if you don’t enforce password policies through a different tool. Here is a brief description of the Microsoft password policy requirements.

So why did we disable it? Because we wrote our own software to manage the policies, which has the same complexity as Microsoft’s recommendations, but we found that Microsoft will at times even deem it’s own default password policy not to be strong enough, introducing inconsistencies that we were not willing to risk support expenses to narrow down.

Another bad security lesson brought to you by Vladville.

Both comments and pings are currently closed.

3 Comments

topwebbusinesses » Blog Archive » Windows Server 2008 & Domain Security Policy | October 9th, 2008 at 12:38 am

[...] Original vlad [...]

Dan McCoy | October 10th, 2008 at 4:02 am

hehe. Is THAT why I couldn’t have a password complex enough despite it have every character in the book and 18 characters long in Live Archive? LOL

Brian | June 3rd, 2010 at 11:49 am

I have a windows server 2008 domain and some of my users cannot access their cd-roms and usb devices on their pc’s.

You get a “F:is not accessible access is denied” each time you try to access a cd of usb device.
i tried checking my group policy setting but nothing so far

Whats on Vlad's Mind?

Get The Newsletter

Twitter

IE falls to Chrome as the most popular browser. Will Microsoft treat partners better now as a result of it? http://t.co/J25QbURn 19 hrs ago
Night of racism and sexist jokes with my wifey.. Lisa Lampanelli followed by The Dictator. Date night! http://t.co/SR5Nch0G 3 days ago
ExchangeDefender "triple" launch.. inviting all active ExchangeDefender partners to join us.. https://t.co/8TSqMZnJ 3 days ago
More updates...

Vladfire Vlog

Episode 27
Henry Craven

Runtime: 9:03
Windows Media (45 Mb)
Quicktime (47 Mb)

SBS Show Podcast

SBS Show is a free weekly podcast (Internet for recorded radio show) focusing on small business and technology. More at sbsshow.com but check out our latest episode:

SBS Show #26
Erick Simpson
Managed Services Part 2

Divider

Listen to older shows..

Categories		Archives		About
Apple, Awesome, Beta, Blogroll, Boss, Cloud, Deals, E12, Events, Exchange, ExchangeDefender, Friends, Gadgets, Gators, Gaypile, Google, GTD, Humor, iPhone, IT Business, IT Culture, Legal, Linux, Microsoft, Misc, Mobility, Open Source, OS, OwnWebNow, Pimpin, Podcast, Programming, Rant, SBS Show, Security, Shockey Monkey, SMB, System Admin, Thieving Weasel, Uncategorized, Vista, Vladcast, Vladfire, Vladville, Web 2.0, Windows Home Server, WordPress, Work Ethic, Wrong		May 2012, April 2012, March 2012, February 2012, January 2012, December 2011, November 2011, October 2011, September 2011, August 2011, July 2011, June 2011, May 2011, April 2011, March 2011, February 2011, January 2011, December 2010, November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007, July 2007, June 2007, May 2007, April 2007, March 2007, February 2007, January 2007, December 2006, November 2006, October 2006, September 2006, August 2006, July 2006, June 2006, May 2006, April 2006, March 2006, February 2006, January 2006, December 2005, November 2005, October 2005, September 2005, August 2005, July 2005,		Vlad says: Thanks for checking out my blog. You've officially reached the end of the Internet so take in what you've read and don't look at it as gospel but an invitation to start thinking for yourself.