
Password Policy and Terminal Server

Status
Not open for further replies.

pinkpanther56

Technical User
Jun 15, 2005
807
GB
We will soon be having a TS box (possibly with Citrix) on our network to allow certain staff to access information from home. We would like to have a strong password policy for these users. Is there any way to enforce this for just these TS users?

We use a 2003 Domain at the moment that already has a password policy that we don't want to increase for typical users.

Any ideas?

Thanks.
 
You can create a new group in AD for TS users. Then you can create a new GPO with the password policy you want. Apply this policy to the TS Users group.
 
You can only have one password policy in a domain and it must be specified in the domain GPO. So one policy and it affects everyone, not just your TS users.

In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain.

Windows Server 2008 allows for multiple password policies.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
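
For the Windows Server 2008 case mentioned in the post above, a fine-grained password policy scoped to the remote-access group would look roughly like this. This is an added example, not code from any poster in the thread; it assumes a domain functional level of Windows Server 2008 or higher, the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), a global security group named `TS Users`, and constructed policy values and names.

```powershell
# Added example. Group name, policy name and all numeric values are assumptions.
Import-Module ActiveDirectory

$groupName  = 'TS Users'          # assumed global security group of remote-access staff
$policyName = 'TS-Remote-Access'  # hypothetical name for the password settings object

# Fine-grained policies do not exist below the 2008 functional level, so stop early.
$mode = "$((Get-ADDomain).DomainMode)"
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $mode) {
    throw "Domain functional level is $mode; only the single domain-wide policy applies."
}

# Stricter settings than the domain default, stored as a separate policy object.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Link the policy to the group. Policies attach to users and global security
# groups, not to OUs, and are not delivered through a GPO.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Check what each direct member actually receives. An empty result means the
# account still falls back to the domain-wide policy.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User      = $_.SamAccountName
            Policy    = if ($effective) { $effective.Name } else { '(domain default)' }
            MinLength = if ($effective) { $effective.MinPasswordLength } else { $null }
        }
    }
```

The new minimum length is only checked when a password is set or changed, so existing members keep their current passwords until their next change.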
 
Thanks for the clarification Roadki11. Forgot about that. Sorry for the misinformation PinkPanther.
 
Hi all

Yes you can have only one password policy in a 2k3 domain, I have read that you can have more than one on a 2008 domain but we won't have a 2008 domain for a while (the TS will be a 2008 member server).

I was hoping that the TS gateway might have a way of forcing password length separately (for external connections) e.g. if you try to login with a password that doesn't meet the required length it refuses the connection.

Cheers anyway.
 

> I was hoping that the TS gateway might
> have a way of forcing password length separately

I've not played with SSL Gateways, RRAS, ISA or anything too much but would it be possible to deploy a gateway server in the mix to pre-authenticate the user and have a separate security policy applied at the gateway level? If the password doesn't meet XYZ requirement then they can't access remotely?


At my company, the people who can work from home must authenticate through a VPN before they can hit our Terminal Server. I don't have my VPN system tied to AD at all (I've thought about it but really like the extra password layer). Since I don't have anything tied together on my VPN to AD I have a different password requirement which works for my organizational policies. If you want to have one un/pw I'm wondering if you could integrate something similar to AD but have it check the complexity of the entered password to see if it meets remote access requirements.

Just a thought, no idea the tech behind it since I've never had to explore it that way.

Mark / TNG
 
@ TNGPicard, yes that's the sort of solution that I was looking for. So your VPN solution has a separate policy and user account management with an enforceable password policy?

Do they need some sort of VPN client software on their home computer?

Cheers.
 