In Win NT and Win 2K, if password complexity was enforced, an admin could still by-pass that by setting a simpler password via User Manager or ADUC.
However, in Windows Server 2003, it appears that even an admin must comply with the policy when setting a new password. Is this in fact true? If so, is there a means to by-pass this and set simpler passwords for specific accounts?
ASKED: April 5, 2005 10:15 AM
UPDATED: April 7, 2005 11:59 AM
Password policies are Domain specific and apply to ALL users within that domain. If you want to make an easier password policy for your admins, then I suggest you use Pass Phrases and NOT shorten or make simpler the passwords to accounts that hold the “keys” to your network. However, if you’re really stuck on wanting simpler passwords, stand up another domain in your Forest, move all of your admins to that domain, and manage the original domain with accounts from your new domain (this is NOT the suggested alternative!).
The idea here is “security”. Shorter, simpler passwords mean you are more vulnerable. No, the complexity restriction cannot be by-passed and it shouldn’t be. If you can think up a shorter, easier password, so can a brute-force hacker. Would you really want that to happen? Probably not.
And don’t forget what the auditors will have to say about it. Not only is security first and foremost on our minds, but now there is the big ‘C’: Compliance.
This gets to the heart of why most people that call themselves security aren’t. They are in fact an ethical embarrassment to the profession of Security officer. The thought that the law doesn’t apply to the sheriff is unconscionable and the true reason that Microsoft has never designed a good security system.
Administrative ID’s should be changed more often than regular users and should be held to higher password standards than regular users. Please don’t ever embarrass the title of Security with such questions ever again.
Peace
Keep the complexity but use it to create easier to remember passwords. As someone else said, use passphrases.
el2g2tm! is easy to remember when it translates into Everybody Loves 2 Go 2 The Movies! The auditors will love the “strong” password: it’s 8 characters and uses both numbers and special characters. For the user, it’s easy to remember.
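As an added example (not code from the original thread), the following Python applies the Windows “Password must meet complexity requirements” rule (at least 6 characters, 3 of 4 character classes, no account name or display-name token inside the password) to candidate passwords, and builds the passphrase mnemonic the reply above describes. The delimiter set, the lowercasing of letters and the function names are my assumptions.

```python
import re

# Delimiters Windows uses to split the display name into tokens before checking
# whether any token of 3+ characters appears in the password (assumed set).
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def meets_windows_complexity(password, account_name="", display_name=""):
    """Return (ok, reasons) for the Windows complexity filter.

    ok is True only when every rule passes; reasons lists each failed rule so
    an admin can see why a candidate was rejected.
    """
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    classes = [
        any(c.isupper() for c in password),   # uppercase A-Z
        any(c.islower() for c in password),   # lowercase a-z
        any(c.isdigit() for c in password),   # digits 0-9
        any(not c.isalnum() for c in password),  # non-alphanumeric
    ]
    if sum(classes) < 3:
        reasons.append("fewer than 3 of 4 character classes")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in _DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains display-name token {token!r}")
    return (not reasons, reasons)


def passphrase_to_password(phrase):
    """Build the mnemonic from a passphrase: first character of each word
    (letters lowercased, digits kept) plus any trailing punctuation,
    so 'Everybody Loves 2 Go 2 The Movies!' becomes 'el2g2tm!'."""
    out = []
    for word in phrase.split():
        first = word[0]
        out.append(first.lower() if first.isalpha() else first)
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    pw = passphrase_to_password("Everybody Loves 2 Go 2 The Movies!")
    print(pw, meets_windows_complexity(pw, account_name="jdoe"))
```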
I just want to apologize for the tone of the first reply I sent. I feel very strongly that all administration ID’s and functions should be audited and secured in a way that it can be independently proven that those ID’s were not used in a crime. I take Security very seriously and sometimes it shows.
Peace