Options For Managing The Need For Multiple Policies

By Author: amandda
Total Articles: 60
Comment this article

You can have only one password policy per domain. Many times you need more. Within any organizations there are areas of MCTS Certificationsensitivity that require more security than others. The users who access data in these areas should use stronger passwords than most other users. There are also accounts that hold more privileged access rights: administrator accounts, privileged accounts, and accounts with delegated permissions. These privileged accounts should use stronger passwords too. Your work in discovering the organization's culture and the nature of its business might have brought these needs to your attention. Unfortunately, there is no technical control that will allow you to create separate password policies for individual accounts or groups within a domain or to vary the policy by OU. You cannot, for example, use the password policy to require administrators to use 15-character passwords without requiring everyone in the domain to do so as well. You can choose one of the following two options for managing the need for multiple password policies:

Create multiple domains. ...
... Within each domain, a separate password policy can be created. This should have been considered when the Active Directory structure was being defined. If it has been, create the appropriate policy for each domain.

Extend the password policy beyond its technical controls and require users who should be using a strong password, changing it more frequently, or guarding it more strongly to do so. This option must either be enforced by a third-party product, custom-developed code, or audit. Third-party products might include moving away from the use of passwords as Windows Vista examauthentication credentials.

Consider using correct auditing techniques or ways to review the information.
Q Using correct techniques can counter the negative effects of massive logs. When events are filtered according to their importance, critical events are easily discernible.
Q In addition, while reviewing large amounts of ordinary activity is often fruit-less, examining the trends shown in the collected information can be valuable. If knowledge of what is ordinary exists, the abnormal can trigger further investigation. What, for example, is the meaning of a sudden large increase in revocation? Or in certificate request denial? These trends are not observable via simple viewing of the CA console.
Write a security log review process. Collection of records is an exercise in futility if records are not reviewed.
Before CA-specific auditing events will be recorded, object auditing must be turned on in the Audit Policy portion of Group Policy. Consider where this should be done. The offline root CA will require object auditing to be turned on to capture local information. The other CAs should be placed in a designated OU so that the entire security baseline for CAs can be easily applied. A GPO can be linked to this OU, and the GPO's audit policy can be set to audit object access for success and failure.
See Also Careful consideration of the meaning of events will enable the development of the best audit design for each CA implementation. For more information about designing free CompTIA exam questionsaudits in general, see Chapter 9.