Locked Down Password Policy

I need help fellow Spiceheads. I have been pulling my hair out trying to create a Fine-Grain Password Policy for ONE user. I used ADSI Edit first. Created the policy to my liking, used the msDSAppliesTo and assigned it to the user in question. Replicated and waited a few minutes. Didn't work. OK. I obviously did something wrong. Not the first time. Do some research. Stumble across an article that states I can do the same thing using ADAC. Hmmmm....I like that! Let's try that!!! Open ADAC and navigate to the Password Policy folder within System, try to create a NEW policy within that folder......hmmmm....that option is greyed out!! Mother^%$#$%, no-good, dirty-rotten &^$#@#%^$*!!!!!!! We're running Windows Server 2008 R2, but....here's my thought. ADAC is used in Windows Server 2008 and above?? My domain functional level is set at...
This topic first appeared in the Spiceworks Community

Similar Messages

  • I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

    I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

    Well, try this (I was able to fix mine with these steps):
    Go to Utilities > Disk Utility
    Select your Startup Disk, e.g. Macintosh HD
    Then, under the First Aid Tab, click Verify Disk Permissions.
    If there are errors, then click Repair Disk Permissions.
    After it is done, restart the computer and see if your problem is resolved.
    I hope this helps.
    Zeke
    www.ZekeYuen.com/blog/

  • Can we lock down user admin functionality to allow password changes only?

    Hi,
    Is it possible to lock down the user admin functionality so a specific role can only change passwords?
    We have a large user base of >10K infrequent users that are forced to change their passwords every 30 days. We suspect a lot will require password changes and we are keen to not have the tech team spending most of their time dealing with such requests. We would like to pass this task onto data management but not allow them the system administrator functionality.
    We know we can create a responsibility with a limited menu available so the operator can see only the security/user/define menu. But this will still allow the person to add responsibilities to existing user accounts and create new user accounts, both of which are deemed unacceptable security risks. Is it possible to lock down the form as well as the menu? Allowing operators to only change the password of existing users? Or can we use the custom.pll to error when a user tries to do anything except edit the password field when in this role?
    Thanks
    Matt

    You should be able to do that. You would create a new privilege level (ie 7), assign all commands to that level except (this is my guess) the command vpn-sessiondb, you would put that at a lower privilege level (ie 6). Here's a write-up that may help getting you in the right direction.
    http://www.packetpros.com/2012/08/read-only-asdm.html

  • Password Policy User not locked

    After 3 wrong password attempts, user accounts are not locked out.
    - Password policy is enabled
    - validate_password plugin includes obReadPasswdMode="LDAP", obWritePasswdMode="LDAP"
    - Password Policy Cache is flushed.
    Anything else I should look into?
    Thanks

    You may want to check the password policy filter to ensure your user is being picked up by the policy.
    is the oblogintrycount attribute being incremented?

  • Would like to know how to Completely Lock-down Windows 7 OS

    I don't have a general question..
    It's more like specifics about how to lock down windows 7 computers..
    Here's a little background information...
    I have two computers, both with win 7(Pro, and home prem).
    A family member can somehow bypass all BIOS and all Windows security services... Every time I go to work or school, he will power on my desktop and somehow 'hack' into the OS and install keyloggers or viruses so he can obtain my banking or other personal information.
    He also unlocks and deletes all the passwords so he can have access whenever he wants..
    Can someone please tell me how to do a complete lockdown? This is getting extremely annoying.. I've done everything that I can do; also considering switching my major to some sort of computer security. I'm starting to lose my mind over these months.. All help is appreciated.
    I've password protected BIOS
    I've disabled administrator accounts, I've put password on the admin and the guest user; locked the option to change passwords..
    All help is appreciated. Thank you all in advance.

    Hi,
    If you are using Windows 7 Professional, Ultimate, or Enterprise, you can use the Local Group Policy Editor to change policies that affect the security of your computer. Please check if the following policies meet your requirements.
    [User Configuration\Administrative Templates\Windows Components\Windows Explorer]
    Enable these two policies:
    Prevent access to drives from My Computer
    Hide these specified drives in My Computer
    For your reference:
    Lock Down PCs with Windows 7:
    http://technet.microsoft.com/en-us/windows/gg983426.aspx
    Also, restrict Which Programs a User Can Run. You can set rules in AppLocker in the Group Policy Editor that prevents all programs from being run.
    In addition, temporarily Lock Your Computer if Someone Tries to Guess Your Password
    If you share your computer with other family members or allow your friends to use it, you should have a password on your Windows account so no one else can log into it. However, someone may try to guess your password and log into your account. If this happens, you can temporarily lock your computer.
    You should also periodically change your password.
    If you suspect your family member is using a tool to bypass your password, you may use the Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx) to remove it.
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support

  • New Stupid Password Policy

    Dear Lisa Smith,
    Nothing personal but your new password policy is the dumbest thing I have ever seen in my 20 years in the IT world. I am a Sr IT security officer and I am deeply worried about your security practice. 
    I could create a 100 character password and it would still be hacked if you can't lock down your password db. 8 characters will do if you have a lock out in place after three attempts... Otherwise I can change my password daily and they will laugh as they watch me change it.

    Hello and welcome to the forum jimwill47,
    I'm very sorry to hear you are frustrated with our new password system. The change was made in an effort to increase security on all BestBuy.com accounts. I sincerely apologize if this change has caused you worry instead. 
    I appreciate you taking the time to post your feedback, and I assure you I will be documenting your concerns to forward them to our internal leadership team. A password lock out does seem like a good idea, and it is through this kind of feedback from our customers that we are able to focus on the areas that might have an opportunity for improvement. 
    Once again, I am very sorry for any frustration this may have caused, and thank you again for posting your feedback here on the forum. 
    Respectfully, 
    Maria|Social Media Specialist | Best Buy® Corporate

  • How do you apply the same password policy to every PDF document you create with inDesign?

    All,
    Adobe peeps!,
    I don't know if this is really supported with inDesign 5.5, but here is my use case:
    I constantly create more than 10 PDFs a day using inDesign
    On all PDFs I create, I want to apply password security to protect them
    But in order to do so, within inDesign, I am always forced to go to the "security dialogue" pane to set up the same permission and passwords over and over again
    This gets tiring :/
    So what I am hoping to do is  the following:
    Like acrobat, I want to create a password policy within inDesign
    I want all PDFs created to have such a password policy  be automatically applied
    I know acrobat supports something like this (http://help.adobe.com/en_US/acrobat/pro/using/WS58a04a822e3e50102bd615109794195ff-7d68.w.html), but, unless I may have missed something, the Acrobat feature is limited. That is, the help link does not tell me how to automatically do this with Acrobat either (the link does not explain to me how to "automatically apply the same password security policy to every PDF document I save within the application"). I think the only way to do so is via "Adobe LiveCycle Rights Management ES", but for non server users, I am hoping there is another way.
    So my questions are:
    Is it possible to create password security policies in inDesign?
    Is it possible to apply the same password security policy to every PDF I create in inDesign?
    If not, can I change default settings within Acrobat ProX to automatically apply a password security policy every time I save a PDF?
    If all fails, do you guys know of any extensions that can support this?
    Any help would be great. Thanks!

    Steve,
    Thanks for your notes. To follow up on your response.
    Bummer. I kinda had a hunch at this inDesign limitation.
    I have been aware of the method for setting up of a security policy within Acrobat. While this feature does cut down some of the work involved in creating and applying password policies to pdfs, what I am looking for with Acrobat is to apply the same password policy to every document I save from the app. Automatically. Without having to manually select a policy.
    I think my solution will have to lie in me creating some sort of script to help support this need. I don't think Acrobat Pro X has the capabilities to allow me to tinker with, say, creating a save PDF preset that will allow me to automatically apply a password policy.
    PS. I am using acrobat pro x.

  • What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as well as save the form and print it?

    What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as well as save the form and print it?

    You want to allow someone to open your document and fill out the form (in the fields you have created), but not change or edit the form, right? Here's the answer - assuming you are using Acrobat Pro and someone will be opening the PDF using at least Acrobat Reader 9 and up:
    Tools > Protection > Encrypt > Encrypt with Password
    Answer YES to change the security.
    A new window opens:
         Do NOT select Document Open (or that will require a password to open the document.)
         Select: Permissions (Check the box next to "Restrict editing and printing of the document.")
         Change the following 2 settings from the drop-down box:
              Printing Allowed: Select High Resolution
              Changes Allowed: Select Commenting, filling in form fields, and signing signature fields
              Leave selected: "Enable text access for screen reader devices for the visually impaired"
              Change Permissions Password (insert a strong password)
              Leave all other settings alone in "Options"
              OK - OK
              Re-enter the Permissions Password (the one you entered above)
              OK - OK
              Save the PDF to apply the security [notice that (SECURED) will appear after the document title]

  • Locking down multiple PDF's at a time

    We want to lock down multiple PDFs at once, meaning we do not want people to be able to save the files or copy text in the PDFs.  When we turn it on one at a time we go to File- Properties- Security tab and change the security method to Password security and so on. We would love to find a way to change that on multiple PDFs at a time. I have done searches for how to do this and they say to click on advanced- Document processing- Batch processing. I am using acrobat 9 Standard and I am not able to see batch processing. Do I need to upgrade to Pro? Or is there a different way to accomplish this task that I am missing?
    Thanks

    I have upgraded to PRO and I still only see this. When I did the install I told it to do a complete install. Is there a plug-in that I need to have for this to work? Any other ideas would be helpful.
    I

  • Set Password Policy For System Administrator Account in UCCE Servers

    Hi All,
    We want to set up a password policy (expires in 30 days) for the local administrator account in all our UCCE servers.
    We found that all the UCCE services are running in local system account except logger and distributor (these services are running in domain user account).
    Is it a supported configuration? Are there any impacts with this setting?
    Thanks a lot in advance!
    Thanks and Regards,
    Thammaya

    Hi,
    what is the UCCE (~ ICM) version? Is there OS hardening applied?
    By the way, yes, if you mean the local "administrator" account, you can do whatever you want to do with it, provided you don't lock yourself out - this should not happen, naturally, having all ICM servers in the domain and you can always use the domain admin (or a user belonging to the domain admins group).
    By the way, I don't really see the meaning of having a local administrator account being enabled. :-)
    G.

  • Issue with Lockout Duration in Password Policy in OAM

    Hi,
    We are facing an issue with the lockout duration configuration in the password policies in the identity manager interface for our OAM setup.
    Oracle Access Manager 10g version 10.1.4
    User/Policy Store: ADAM Ldap [Microsoft ADAM 2003]
    After we lock out a user in our LDAP after 5 wrong attempts, the two attribute values in ADAM get updated to 5:
    oblogintrycount
    badPwdCount
    Also I see that "oblockouttime" gets updated with a Unix timestamp.
    Now, we have set the "Lockout Duration" in the password policy as 1 hour. So, after 1 hour, the user should be unlocked in ADAM.
    However, after 1 hour when the user tries to login, he/she gets the error that a wrong password has been entered for the userID.
    When we check in ADAM, we see that the value of "oblogintrycount" was indeed reset. However the value of "badPwdCount" did not get reset and is still stuck at 5.
    If we reset both these attribute values to 0, the user can login again.
    Now, is OAM expected to reset both these attribute values to 0, or does it only reset the oblix attributes?
    If it is the latter, is there a way around to resolve this issue? Or are we doing something wrong here?
    Please let us know your feedback.
    Thanks!
    Abhishek.

    OAM only works with the ob* attributes, and not with the badPwdCount attribute of the AD (ADAM). I think for some reason the password and account policies of the AD are being triggered. Disable the AD password policy and it will be OK.
    Hope this helps. Let us know.

  • Password policy not used by WebGate after upgrade (6.1 - 10g)

    Hello,
    Recently, we upgraded our environment from Oblix Netpoint 6.1 to Oracle Access Manager 10g (10.1.4.0.1).
    Together with this update we also upgraded the WebGates that are running on the machines that have OAM 10g installed. We did not perform an upgrade on the WebGates that are running on other web servers. These are still running with the old version.
    The problem we have now is that it seems that our upgraded WebGates don't respect our Password policy. The earlier versions of our WebGate still respect our policy.
    Machine A has OAM 10g installed with an upgraded WebGate (WebGate A). This machine also runs an IIS web server (web server A) which is connected to the WebGate on that machine. The WebGate is configured with OAM 10g on that same machine.
    On web server A, there is a protected website.
    Our password policy is defined as follows:
    -number of login tries allowed: 5
    -lockout duration: 20000000 hours
    -login tries reset: 200 days
    I now try to access my protected website on web server A with User1. Every time I enter a wrong password.
    When I verify this in our Active Directory, I can see that the value of oblogintrycount for User1 increments until 5. When oblogintrycount equals 5, the attribute oblockouttime is added to the profile of User1.
    My user is now supposed to be locked but when I try to login one more time, the value of oblogintrycount is 1 again and the attribute oblockouttime is gone. My user is unlocked again.
    I repeat the same test on web server B that is installed on a different machine. This machine has an earlier version of WebGate installed. This WebGate B is configured with the same OAM 10g as WebGate A.
    I can see in the Active Directory that the value of oblogintrycount for User1 is incremented until it equals 5. At this point, the oblockouttime attribute is added to the profile of User1.
    I see now in my browser a message that my user is locked. When I try to login one more time, my user stays locked.
    Has anyone an idea how this problem can be solved or how this can happen?
    Kind regards,
    Lennaart

    This is just a trial and error suggestion and may not actually solve the problem.
    Can you check the configuration changes that one has to make with upgraded WebGates? That configuration may not be correct and hence you might be getting this problem.
    -Kiran Thakkar

  • Locking down Win 8.1

    For security reasons, I need to investigate how to lock down Windows 8.1 so that the user is restricted to the desktop only and only has access to a certain few applications.
    These PCs are in a domain and are used for either Accounting or POS.
    The software is what it is and changing the software is not an option. 
    Right now, the users log into XP machines. The desired programs auto-load and all is well.
    As of April 1st, the XP POS machines will no longer be PCI compliant. We prefer to step up to win 8.1 stations, but locking them down via group policy is proving to be difficult.
    We don't want third party tools. 
    Certainly this must be achievable via group policy.
    Any assistance will be greatly appreciated.
    Thanks 
    Jerry C
    (originally asked in answers.microsoft.com)

    Jerry
    I am sure you have but have you looked at kiosk mode?
    http://www.geek.com/microsoft/windows-8-1-kiosk-mode-locks-systems-to-a-single-app-1552963/
    http://blogs.msdn.com/b/hyperyash/archive/2013/10/25/enable-kiosk-mode-in-windows-8-1.aspx
    If Kiosk doesn't cut it, the below thread has a bit about how to lock it down via GP.
    http://social.technet.microsoft.com/Forums/en-US/6c67d219-dba9-4de8-988f-ae46b19b2ccb/windows-81-kiosk-mode?forum=w8itproinstall
    Wanikiya and Dyami--Team Zigzag

  • Forward facing locked down machines... kiosk?

    Hey everyone,
    So I have done a lot of research on this topic, but have yet to find an end-all solution to my conundrum. I have many machines in my network that are forward facing and public use reference terminals that connect to a database of books and things. These machines are not and should not be used for casual internet browsing so we have manually locked them down. These machines currently run IE10 Win7x32. The Windows side locking down is no problem. But we are having a BIG issue with the current way we allow specific sites and lock out all others.
    In our system, we have an abundance of allowed sites for quick research purposes that these machines are allowed to access. Still technically reference information. For the sake of argument, we have about 25 sites including the main database site that should be allowed through a proxy or other filtering system. Currently, we have this proxy based with exceptions built into IE... however, there is around a 255 char limit on that input box (for whatever reason).
    So that brings me to my current solution that is not quite working correctly. I have configured a .PAC script and stored it on a server that these machines can access and an msi for IE10 branding using the IEAK for IE10. This .PAC script does not seem to be working the way it should. I got the idea from a site I didn't save, but the basic idea is below:
    function FindProxyForURL(url, host) {
        // variable strings to return
        var proxy_yes = "PROXY 255.255.255.255:8080";
        var proxy_no = "DIRECT";
        if (shExpMatch(url, "*.google.com")) { return proxy_no; }
        // Proxy anything else with yes
        return proxy_yes;
    }
    So, my understanding is this would run when sites are accessed, if it matches the if statements it passes and if it doesn't, it defaults to proxy_yes which doesn't exist and thus doesn't load. The ADMX configures the proxy itself and everything should be great.
    My main question: is there a better way to allow sites through to a machine WITHOUT loading the pages first. A simple whitelist/blacklist doesn't necessarily work because it, as far as I understand, still loads the pages but does not display them. Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong. It doesn't seem like the list from our previous installation from GP is being overridden using this method, and it doesn't apply to new machines connected to the policy. Of course, I know it is applying because other functions, like the content rating system that I accidentally left on, have caused some problems in the past.
    We will be upgrading these machines to newer optiplex models and installing Windows 8, so if there is a more effective solution that only works in windows 8, I am willing to try it. 
    Thanks in advance for the help, you guys are always awesome! 

    Hi,
    >>Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong.
    In addition to IEAK 10, to configure proxy for IE 10 on Windows 7, if our most up-to-date domain controller is Windows Server 2012 or R2, we can use Group Policy Preferences Internet Settings extension to configure the proxy setting. Besides, we can also choose to install Remote Server Administrative Tools on a Windows 8 or 8.1 client and manage group policy settings from this client.
    Moreover, another way is that we can try using Group Policy Preferences Registry extension to configure the proxy settings for IE10 on Windows 7.
    Regarding this point, the following thread can be referred to as reference.
    Proxy settings not applying to IE above 8
    http://social.technet.microsoft.com/Forums/en-US/3b0f54d7-7293-49dc-9e3f-e8799c20265b/proxy-settings-not-applying-to-ie-above-8?forum=winserverGP
    Best regards,
    Frank Shen
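
A working form of the allowlist the question above is attempting, as an added example (not the poster's script and not Microsoft's code): it matches on `host` instead of `url`, because `shExpMatch` compares the pattern against the whole string and a full URL never ends in `.google.com`. `globMatch` is a hypothetical stand-in for the browser's `shExpMatch` so the difference can be checked outside a browser; the allowlist entries are constructed, and the proxy address is the one from the post.

```javascript
// PAC allowlist sketch (added example). Kept to ES3-style syntax because
// older PAC engines, such as the one in IE, reject newer JavaScript.

// Constructed sample allowlist: each entry permits the domain itself
// and every subdomain beneath it.
var ALLOWED_DOMAINS = ["google.com", "catalog.example.org"];

// Value taken from the post: an address no proxy listens on, so a request
// routed there fails to connect and the page is never fetched.
var PROXY_BLOCK = "PROXY 255.255.255.255:8080";
var PROXY_ALLOW = "DIRECT";

// Hypothetical stand-in for the browser-provided shExpMatch(): shell-style
// glob matching where the pattern must cover the WHOLE string.
function globMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// True when host equals domain or is a subdomain of it. The leading dot in
// the suffix stops "notgoogle.com" from passing as "google.com".
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) { return true; }
  var suffix = "." + domain;
  var start = host.length - suffix.length;
  return start > 0 && host.indexOf(suffix, start) === start;
}

// Entry point the browser calls for every request.
//   url  - the full URL being requested
//   host - the hostname extracted from that URL (no scheme, port or path)
function FindProxyForURL(url, host) {
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    if (hostInDomain(host, ALLOWED_DOMAINS[i])) { return PROXY_ALLOW; }
  }
  // Default deny: anything not on the list goes to the dead proxy.
  return PROXY_BLOCK;
}
```

A PAC file is a browser setting and not an enforcement point, so the same allowlist belongs on the egress proxy or firewall as well.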

  • Password policy

    I am setting password policy in Solaris 10. I want the locked account of a user to be unlocked after some time without the help of the system administrator, meaning the account would be unlocked automatically after 30 min.

    Hi,
    Thanks for your reply... I had already configured the password policy for the Solaris servers, but when the account got locked, it can only be unlocked by the administrator or root user. I want the account to be unlocked automatically after some time.
