Understanding Account Policies on Windows Server
Because passwords and PINs are the keys to our systems, they need to be protected, whether that means requiring longer and more complex passwords or making users change them regularly. This article explains how to manage account policies on Windows Server 2003, both on an individual Windows system and in an Active Directory domain.
Password policy
Each Windows system, including Windows Server 2003 and Windows XP, has its own local account policy. It governs the accounts and passwords stored in that computer's local SAM (locally created accounts). Domain controllers are the exception: they hold domain accounts rather than local ones, and the account policy that applies to them comes from the domain (see Password Policy in Active Directory below), not from a per-machine local policy.
To look at the account policy on your local computer:
1. Control Panel -> Administrative Tools
2. Open Local Security Policy, expand Account Policies, and select Password Policy or Account Lockout Policy
You should now be looking at the figure below.
The following table explains what the settings in Password Policy do:
Password Policy Settings

| Setting | Description |
|---|---|
| Enforce password history | The number of previous passwords remembered for each account. If 10 is specified, a user changing their password cannot reuse any of their last 10 passwords. |
| Maximum password age | How long a password may be used before the system forces a change. If 30 days is specified, a user must change their password within 30 days of setting it. |
| Minimum password age | How long a password must be in use before it can be changed again. If 1 day is specified, a user cannot change their password twice on the same day. Without it, a user could cycle through enough throwaway passwords in a few minutes to flush the history and return to the original one, so this setting only has teeth in conjunction with "Enforce password history". |
| Minimum password length | The fewest characters a password may contain. |
| Password must meet complexity requirements | When enabled, a new password must be at least six characters long, must not contain the user's account name or any part of the user's full name longer than two consecutive characters, and must contain characters from at least three of these five categories: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), non-alphanumeric characters (for example !@#$%^&*), and other Unicode letters that are neither uppercase nor lowercase (such as characters from Asian scripts). Complexity is checked only when a password is set or changed; existing passwords are not re-examined. |
| Store passwords using reversible encryption for all users in the domain | Leave this disabled. It stores passwords in a form that can be decrypted back to plaintext, which is equivalent to storing them in clear text: anyone who obtains the password database, or a backup of it, can recover every password. The setting exists only for protocols that need the plaintext, such as CHAP and Digest authentication, and if one of those is unavoidable the per-account option of the same name should be used for just the accounts that need it rather than enabling it domain-wide. |
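The complexity rules above are easy to misread, so here is an added example (not part of the original article, and not a Windows API) that models them in Python: minimum six characters, no account name or full-name fragment of more than two characters, and three of the five character categories. The account name, full name and candidate passwords are constructed sample inputs; `PUNCT` approximates the Windows special-character set and the fifth category is approximated with `str.isalpha()`, both assumptions of this model.

```python
import re
import string

# Added example: an offline model of the Windows "Password must meet
# complexity requirements" rules. It is not a Windows API; it reproduces
# the documented rules so candidate passwords can be tested before a
# policy is rolled out.

PUNCT = set(string.punctuation)            # approximation of the Windows special-character set
NAME_SPLIT = re.compile(r"[ ,.\t\-_#]+")   # delimiters used to tokenise the full name


def character_categories(password):
    """Return the set of the five complexity categories present in password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch in PUNCT:
            found.add("special")
        elif ch.isalpha():
            # letters that are neither upper nor lower case, e.g. CJK characters
            found.add("other_alpha")
    return found


def name_tokens(full_name):
    """Parts of the full name longer than two characters; none may appear in the password."""
    return [tok for tok in NAME_SPLIT.split(full_name) if len(tok) > 2]


def meets_complexity(password, account_name="", full_name="", min_length=6):
    """Check a candidate password against the complexity rules.

    Returns (ok, reasons): ok is True when every rule passes; reasons lists
    the rules that failed. Name comparisons are case-insensitive, as in Windows.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if len(account_name) > 2 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for tok in name_tokens(full_name):
        if tok.lower() in lowered:
            reasons.append("contains part of the full name: %r" % tok)
    cats = character_categories(password)
    if len(cats) < 3:
        reasons.append("only %d of 5 character categories used" % len(cats))
    return (not reasons, reasons)


if __name__ == "__main__":
    # constructed sample inputs for user jdoe / "Jane Doe"
    for pw in ("password", "Password1", "jdoe2024!", "Doe-Summer#9", "Tr0ub4dor&3"):
        ok, why = meets_complexity(pw, account_name="jdoe", full_name="Jane Doe")
        print("%-14s %s %s" % (pw, "OK    " if ok else "REJECT", "; ".join(why)))
```

Note that "Password1" passes: three categories and eight characters satisfy the rule even though the password is trivially guessable. Complexity stops the weakest choices, and the minimum length setting does most of the real work.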
The following table explains what the settings in Account Lockout Policy do:
Account Lockout Policy Settings

| Setting | Description |
|---|---|
| Account lockout duration | How long, in minutes, a locked-out account stays locked before it unlocks automatically. A value of 0 means the account stays locked until an administrator unlocks it. |
| Account lockout threshold | The number of failed logon attempts that locks the account. A value of 0 means accounts are never locked out, however many bad passwords are tried. |
| Reset account lockout counter after | The number of minutes after the last failed attempt before the failed-attempt counter is reset to 0. It works together with the threshold: the account is locked only if the counter reaches the threshold within this window. For example, with a reset period of 5 minutes and a threshold of 3, three bad passwords within 5 minutes of each other lock the account, whereas two bad passwords followed by a 5-minute pause reset the counter to 0 and the user gets a fresh three attempts. A successful logon also resets the counter. This value may not be larger than the lockout duration (unless the duration is 0). |
Password Policy in Active Directory
In Active Directory, the Domain Security Policy (the Default Domain Policy GPO linked at the domain level) holds the Account Policies governing all user accounts in the domain. The settings are the same ones found in the local security policy.
To access Domain Security Policy:
1. At a domain controller, Control Panel -> Administrative Tools
2. Open Domain Security Policy
Remember, the settings here govern the account policy of the whole domain. In a Windows Server 2003 Active Directory domain, every domain user account shares a single account policy; you cannot give administrators a stricter policy than ordinary users within one domain. (Fine-grained password policies that allow this arrived later, with Windows Server 2008.)
You may link additional Group Policies to Organizational Units holding the computer accounts of servers and set different Account Policies in them. That does not affect domain user accounts: such policies change only the local account policy of those computers, which applies to their local SAM accounts, and have no effect on domain users at all.
What are ideal Account Policies configurations?
The answer depends on the environment. You need to evaluate the value of the information on the network. The more valuable the information, the more secure it needs to be.
The following are some suggested values. You need to evaluate and strike a balance between being secure and being usable. A secure environment would have these:
Suggested Password Policy Settings

| Setting | Suggested Value |
|---|---|
| Enforce password history | 24 passwords |
| Maximum password age | 30 days |
| Minimum password age | 10 days |
| Minimum password length | 14 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption for all users in the domain | Disabled |
Suggested Account Lockout Policy Settings

| Setting | Suggested Value |
|---|---|
| Account lockout duration | 0 minutes (locked until an administrator unlocks the account) |
| Account lockout threshold | 3 attempts |
| Reset account lockout counter after | Not defined |
Be aware that a low threshold combined with indefinite lockout is also a denial-of-service lever: anyone who knows or can guess a user name can lock that account with three wrong passwords, and only an administrator can unlock it. Expect unlock calls, and weigh that cost against the protection this gives against online password guessing.
A not-so-secure environment would have these:
Password Policy Settings

| Setting | Suggested Value |
|---|---|
| Enforce password history | 1 password |
| Maximum password age | 45 days |
| Minimum password age | 0 days |
| Minimum password length | 8 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption for all users in the domain | Disabled |
Account Lockout Policy Settings

| Setting | Suggested Value |
|---|---|
| Account lockout duration | 15 minutes |
| Account lockout threshold | 50 attempts |
| Reset account lockout counter after | 10 minutes |
Make security policies work
Now that you know where the policy settings are and what they do, evaluate how important passwords are in your environment.
You can educate users about password security, but to enforce it you need to implement account policies. User education is still important: you can force users to choose the most complex password known to humankind, but it is no longer secure if they have to write it down to remember it.
Policies should not be set so tight that they inhibit use. For example, a policy that forces users to change passwords every day would cause passwords to be forgotten and result in a flood of password-reset calls.
Dennis Chung is a systems administrator for Singapore's Ngee Ann Polytechnic. He has been a Microsoft Windows MVP (Most Valuable Professional) for almost 11 years, and holds the following certifications: MCP, MCSA, MCSA Security, MCSE, MCDBA and MCT.