Planning Distributed Security
Be sure to address these considerations and best practices when planning your authentication policies.
The simplest way to defend against brute-force or dictionary password-cracking tools is to establish and enforce long, complex passwords. Windows 2000 lets you set policy to govern the complexity, length, lifetime, and reusability of user passwords. A complex password has ten or more characters, including uppercase and lowercase letters, punctuation, and numerals. An example of a complex password is: "My,Birthday,Is,623".
Smart cards provide much stronger authentication than passwords, but they also involve extra overhead. Smart cards require configuration of the Microsoft Certificate Services, smart card reader devices, and the smart cards themselves. For more information about deploying smart cards, see "Smart Card Logon" later in this chapter and "Planning Your Public Key Infrastructure" in this book.
Note that third-party vendors offer a variety of security products to provide two-factor authentication, including "security tokens" and biometric accessories. These accessories use extensible features of the Windows 2000 graphical logon user interface to provide alternate methods of user authentication.
"Trust computer for delegation" is a very powerful capability. It is not enabled by default and requires Domain Administrator privileges to enable for specific computers or service accounts. Computers or accounts that are trusted for delegation need to be under restricted access to prevent introduction of Trojan horse programs that would misuse the capability of making network connections on behalf of users.
Some accounts might be too sensitive to permit delegation, even by a trusted server. You can set individual user accounts so that they cannot be delegated, even if the service is trusted for delegation. To use this feature, go to the Active Directory Users and Computers MMC snap-in and open the property sheet for the account. Look for the "Account is sensitive and cannot be delegated" check box on the Account tab of the property sheet.
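Both settings described above are stored as bits in each account's userAccountControl attribute, so an administrator can audit which accounts are trusted for delegation and which are marked sensitive without opening each property sheet. The following script is an added example (not part of the Resource Kit) that decodes those bits from a constructed CSV export of account names and userAccountControl values; the export format and account names are assumptions.

```python
import csv
import io

# Documented userAccountControl (ADS_USER_FLAG) bit values.
UAC_FLAGS = {
    "NORMAL_ACCOUNT": 0x0200,               # ordinary user or service account
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,    # member workstation or server computer account
    "SERVER_TRUST_ACCOUNT": 0x2000,         # domain controller computer account
    "TRUSTED_FOR_DELEGATION": 0x80000,      # "Trust computer for delegation"
    "NOT_DELEGATED": 0x100000,              # "Account is sensitive and cannot be delegated"
}

# Constructed sample export; these are not real directory accounts.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
jdoe,512
svc-web,524800
DC01$,532480
FILESRV$,528384
admin-backup,1049088
"""


def decode_uac(value):
    """Return the set of flag names whose bits are set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_delegation(export_text):
    """Split an export into accounts trusted for delegation and accounts marked sensitive.

    Also returns the user (non-computer) accounts that are trusted for delegation,
    since those service accounts need restricted access per the planning guidance.
    """
    trusted, sensitive, review = [], [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        flags = decode_uac(int(row["userAccountControl"]))
        if "TRUSTED_FOR_DELEGATION" in flags:
            trusted.append(name)
            if "NORMAL_ACCOUNT" in flags:
                review.append(name)
        if "NOT_DELEGATED" in flags:
            sensitive.append(name)
    return trusted, sensitive, review


if __name__ == "__main__":
    trusted, sensitive, review = audit_delegation(SAMPLE_EXPORT)
    print("Trusted for delegation:", trusted)
    print("Sensitive, cannot be delegated:", sensitive)
    print("User accounts trusted for delegation (review access):", review)
```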