Fine-Grained Password Policies in Windows Server 2008

Article by Brian Nelson (18,015 pts ) , published Jun 22, 2009

Fine-Grained Password Policies in Windows Server 2008 give administrators a way to apply different password and lockout rules to different sets of accounts inside a single domain. Here is how it breaks down.

One of the interesting new features in Windows Server 2008 is the addition of Fine-Grained Password Policies. Traditionally, Windows password and account lockout requirements have been set once per domain, in the Default Domain Policy, and applied to every account in that domain. So, in order to require tougher passwords for various levels of administrators, an organization would need to create an entirely new domain, often for just a handful of users. Microsoft made security a major focus of the Server 2008 release, and Fine-Grained Password Policies are one result.

The typical network environment requires three levels of password structure. The first level is the regular user. For this level, administrators must balance security against the burden it places on users who may not be technically savvy. A minimum password length, the built-in complexity requirement (characters from at least three character classes and nothing taken from the account name), and a maximum password age are all useful ways to increase security at this level.

The second level of security comes into play with users who have higher-level access. These users may be administrators of particular file servers or services. Some developers also need elevated access without being assigned an administrator role. Either way, these users should expect to be subject to a higher level of security, because compromising their accounts could cause far more damage. For this level, frequent password changes, longer passwords, and a long password history enforced together with a minimum password age (so that a user cannot cycle straight back to an old password) are critical to overall enterprise security.

The third level of security is usually programmatic access. Certain programs or services require accounts in order to provide their functions to the enterprise, and these accounts often need access comparable to administrative access in parts of the network. Tough security for such accounts means generating long, unmemorable passwords at setup: twenty or more characters built from letters, numbers, and special characters, produced randomly rather than chosen by a person. Frequently changing these passwords is not only impractical, since every service that uses the account must be updated at the same time, but often unnecessary.

In older Windows environments, implementing all three levels of security required setting domain-wide rules for the regular users and then adjusting each account in the other two categories by hand, since the only per-account controls were flags such as "Password never expires". Such a design leads to accidental oversights in the form of missed checkboxes or, worse, settings being undone by other administrators who are not "in the know", particularly in larger organizations. Worse still, some of these manual settings would be lost whenever the domain-wide policy was changed.

In Windows Server 2008, once the domain is at the Windows Server 2008 domain functional level, Fine-Grained Password Policies let an administrator create these tiers without touching individual accounts. Each policy is a Password Settings Object (PSO) that carries its own length, complexity, age, history, and lockout settings plus a precedence number, and a PSO can be applied to individual users and to global security groups. PSOs cannot be applied to OUs, but creating a shadow group whose membership mirrors the OU gives similar functionality. When several PSOs reach the same user, one linked directly to the user wins; among PSOs linked through groups, the lowest precedence number wins, and the effective policy can be read from the user's msDS-ResultantPSO attribute. Now an administrator can require more frequent password changes for Account Operators while setting annual password changes for service accounts.
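The three tiers sketched above, built as Password Settings Objects, as an added example: this is not code from the article, and it uses the ActiveDirectory PowerShell module (which arrived after this article, with Windows Server 2008 R2 and RSAT) rather than adsiedit.msc. The group names Privileged-Admins and Service-Accounts, the policy names, the specific values, and the sample account names in the final check are all assumptions.

```powershell
# Added example, not code from the article: builds the three password tiers as
# Fine-Grained Password Policies with the ActiveDirectory module. The cmdlets
# write the same Password Settings Objects that adsiedit.msc would.
# Assumptions: global security groups 'Privileged-Admins' and 'Service-Accounts'
# exist; the account names in the final loop are constructed samples.
Import-Module ActiveDirectory

# PSOs require the Windows Server 2008 domain functional level; fail early otherwise.
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is $($domain.DomainMode); PSOs need Windows2008Domain or higher."
}

# Tier 1 (regular users) stays on the domain-wide Default Domain Policy.
# Only the tiers that must differ from it get a PSO.

# Tier 2: elevated human accounts. Short maximum age, long minimum length, and
# a history combined with a minimum age so the history cannot be defeated by
# changing the password 24 times in one sitting.
$adminPolicy = @{
    Name                            = 'PSO-PrivilegedAdmins'
    Precedence                      = 10      # lower number wins among group-linked PSOs
    MinPasswordLength               = 15
    ComplexityEnabled               = $true
    MaxPasswordAge                  = New-TimeSpan -Days 30
    MinPasswordAge                  = New-TimeSpan -Days 1
    PasswordHistoryCount            = 24
    LockoutThreshold                = 5
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Tier 2: administrators and others with elevated access'
}
New-ADFineGrainedPasswordPolicy @adminPolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Privileged-Admins'

# Tier 3: non-interactive service accounts. Long random secrets rotated annually.
# The higher precedence number means an account that is (mistakenly) in both
# groups still gets the stricter tier-2 policy.
$servicePolicy = @{
    Name                            = 'PSO-ServiceAccounts'
    Precedence                      = 20
    MinPasswordLength               = 20
    ComplexityEnabled               = $true
    MaxPasswordAge                  = New-TimeSpan -Days 365
    MinPasswordAge                  = New-TimeSpan -Days 1
    PasswordHistoryCount            = 24
    LockoutThreshold                = 10      # a lockout on a service account is a self-inflicted outage
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Tier 3: service accounts with generated passwords'
}
New-ADFineGrainedPasswordPolicy @servicePolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service-Accounts'

# Review what now lives under CN=Password Settings Container,CN=System,<domain>.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength,
                  @{ n = 'MaxAgeDays'; e = { $_.MaxPasswordAge.Days } }, AppliesTo |
    Format-Table -AutoSize

# Resolve the effective policy for one constructed sample account per tier.
# No result means no PSO reaches the user and the Default Domain Policy applies.
foreach ($sam in 'alice.admin', 'svc-backup', 'bob.user') {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($effective) { '{0,-12} -> {1}' -f $sam, $effective.Name }
    else            { '{0,-12} -> Default Domain Policy' -f $sam }
}
```

Run this from an account that can create objects under the Password Settings Container (Domain Admins by default). The final loop reports the same value that the user's msDS-ResultantPSO attribute exposes, which is the quickest way to confirm that a shadow group or a direct user link is actually producing the policy you intended.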

The adsiedit.msc tool included with Server 2008 can create and edit Password Settings Objects, but it isn't a polished interface for the job: every PSO attribute has to be filled in by hand. Over at
