By now I’ve drummed into your head that you should be reading http://blogs.technet.com/sbs right?
Good. So now you should know that if you do or plan to do EBS stuff you should be reading the http://blogs.technet.com/essentialbusinessserver right?
Now for that one, I’d say set the password policy to something more realistic than 42 days. If you make the passwords more complex and passphrases, you can make the length longer than 42 days.