I think that depends on your environment. MS recommends you change it to 20 attempts. Some best practices: http://www.microsoft.com/en-us/download/details.aspx?id=16755
I haven't used 2012 yet. I assume the best practice scanner is still there. That will get some of the easier stuff. You'll probably want to disable non-ssl ldap look ups, but some products need it... http://technet.microsoft.com/en-us/library/dd941829%28v=ws.10%29.aspx On Wed, Feb 20, 2013 at 8:01 PM, Edward Ned Harvey (lopser) <[email protected]> wrote: > Nobody? > Does everyone just use the default security settings out of the box with AD? > > By just looking it over at a glance, the first obvious deficiency I see is > that by default, there is no lockout policy... Which leads me to believe, > it's not a "best practice" to simply leave the default policy the way it is > out of the box... > > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] >> On Behalf Of Edward Ned Harvey (lopser) >> Sent: Tuesday, February 19, 2013 1:05 PM >> To: LOPSA Technical Discussions >> Subject: Re: [lopsa-tech] AD / GPO / security templates >> >> One of the things that *seems* like it should be obvious, is the security >> templates via MMC snap-in. Back in Windows 2003, the "Security >> Configuration and Analysis" and "Security Templates" mmc snap-ins included >> things like the default security policy out of the box, and the securedc >> policy >> ... but these seem to be missing on 2012... I'm still googling, but haven't >> found it yet. >> -- Steven Kurylo _______________________________________________ Tech mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
