Understanding Account Policies on Windows Server

A look at how to manage Account Policies on Windows Server 2003, on an individual Windows system, and in Active Directory, to maintain a secure environment.

Each day I get into office, I log on to my computer. Each time I go to the ATM, I need my Personal Identification Number (PIN). These passwords and PINs perform a very important role, which is to prove my identity to the system or service I am accessing.

Since passwords and PINs are important, we need to secure them, whether that means having longer and more complex passwords or changing passwords regularly. This article explains how to manage account policies on Windows Server 2003, on an individual Windows system, and in Active Directory.

Password policy
Each Windows system, including Windows Server 2003 and Windows XP, has its own local account policies. Domain controllers are bound by Domain Controller Security Policy. The account policy in each computer governs locally created accounts and passwords.

To look at the Account Policy in your local computer:
1. Control Panel -> Administrative Tools
2. Open Local Security Policies, and expand Account Policies

You should now be looking at the figure below.

The following table explains what the settings in Password Policy do:

Password Policy Settings

Enforce Password History: If 10 is specified, the system prevents users from recycling any of the previous 10 passwords when they change their password.
Maximum Password Age: The password can be used for the period specified. If 30 days is specified, users can use their password for a maximum of 30 days.
Minimum Password Age: If 1 day is specified, users cannot change their password again on the same day. This prevents users from changing their password numerous times on the same day so that they end up reusing their initial password. It is used in conjunction with "Enforce Password History".
Minimum Password Length: The minimum length of a password.
Password must meet complexity requirements: A password is not strong unless it is complex. A complex password must contain characters from at least three of the following four categories:
  1. Upper-case letters (e.g. ABCDEFGH)
  2. Lower-case letters (e.g. abcdefgh)
  3. Digits (e.g. 1234567890)
  4. Symbols (e.g. !@#$%^&*)
Store password using reversible encryption for all users in the domain: This setting should always be disabled. Storing passwords with reversible encryption is a big security risk: it may allow someone to decrypt a user's password.
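To make the three checkable rules in the table concrete (history size, minimum length, and the three-of-four complexity rule), here is an added Python example that is not part of the original article and not Windows code. The `PasswordPolicy`, `PasswordHistory` and `check_new_password` names are this example's own, and the salted SHA-256 history store is a demo device only; Windows keeps password history internally in its own format.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Hypothetical policy object mirroring the three Password Policy settings that
# can be checked against a candidate password (names are this example's own).
@dataclass
class PasswordPolicy:
    history_size: int = 10      # Enforce Password History
    min_length: int = 8         # Minimum Password Length
    complexity: bool = True     # Password must meet complexity requirements

# The four character categories from the table above.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def categories_present(password: str) -> set:
    """Return the names of the categories that appear in the password."""
    return {name for name, rx in CATEGORIES.items() if rx.search(password)}

def meets_complexity(password: str) -> bool:
    """Complexity rule as described above: at least three of the four categories."""
    return len(categories_present(password)) >= 3

class PasswordHistory:
    """Remembers the last `size` passwords as salted SHA-256 fingerprints.

    Demo store for the history check only (constructed for this example);
    it is not how Windows keeps password history internally."""

    def __init__(self, size: int, salt: bytes = b"constructed-demo-salt"):
        self.size = size
        self.salt = salt
        self._entries: List[str] = []   # oldest first

    def _fingerprint(self, password: str) -> str:
        return hashlib.sha256(self.salt + password.encode("utf-8")).hexdigest()

    def contains(self, password: str) -> bool:
        return self._fingerprint(password) in self._entries

    def remember(self, password: str) -> None:
        """Record a newly set password and forget anything older than `size`."""
        self._entries.append(self._fingerprint(password))
        if len(self._entries) > self.size:
            del self._entries[: len(self._entries) - self.size]

def check_new_password(candidate: str, policy: PasswordPolicy,
                       history: PasswordHistory) -> List[str]:
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if policy.complexity and not meets_complexity(candidate):
        violations.append("complexity")
    if policy.history_size > 0 and history.contains(candidate):
        violations.append("history")
    return violations

if __name__ == "__main__":
    policy = PasswordPolicy(history_size=3, min_length=8)
    history = PasswordHistory(size=policy.history_size)
    # Constructed sample passwords previously set on the account.
    for pw in ["Winter-2003", "Spring-2003", "Summer-2003"]:
        history.remember(pw)
    for candidate in ["Summer-2003", "autumn2003", "Autumn-2003"]:
        print(candidate, "->", check_new_password(candidate, policy, history) or "accepted")
```

Running the block shows the three outcomes: a reused password is rejected by the history rule, an all-lower-case-plus-digits password fails complexity, and a password with three categories and no history match is accepted.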

The following table explains what the settings in Account Lockout Policy do:

Account Lockout Policy Settings

Account lockout duration: The period for which the account remains locked. After the stipulated period, the account unlocks automatically. You can configure this setting in minutes, or specify 0 minutes to require administrator intervention to unlock.
Account lockout threshold: The number of invalid logon attempts allowed before the account is locked out.
Reset account lockout counter after: A setting specified in minutes, used in conjunction with the threshold setting above. For example, a setting of 5 minutes for this policy together with an Account Lockout Threshold of 3 means that once users have accumulated 3 invalid tries, they should stop trying to log in to prevent the account from being locked. The count of 3 resets to 0 again after 5 minutes. This prevents the account from being locked permanently.
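The interaction of threshold, reset window and duration is easier to see in a small model than in prose. The following Python block is an added example, not code from the article or from Windows: `LockoutPolicy`, `LockoutTracker` and the minute-based clock are this example's own constructions, chosen so the "threshold 3, reset after 5 minutes" scenario above can be replayed step by step, including the 0-minute duration that requires an administrator unlock.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical objects modelling the three Account Lockout Policy settings.
# Times are minutes on a simple clock so the interaction is easy to follow.
@dataclass
class LockoutPolicy:
    threshold: int      # Account lockout threshold (0 = never lock out)
    reset_after: int    # Reset account lockout counter after (minutes)
    duration: int       # Account lockout duration (minutes; 0 = administrator must unlock)

@dataclass
class AccountState:
    bad_count: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def bad_count(self, user: str) -> int:
        return self._state(user).bad_count

    def is_locked(self, user: str, now: float) -> bool:
        """True while a lockout is in force; expires the lock once duration has elapsed."""
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True                          # stays locked until unlock() is called
        if now - s.locked_at >= self.policy.duration:
            self.unlock(user)                    # automatic unlock after the duration
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed logon; returns True if the account is (now) locked."""
        s = self._state(user)
        if self.is_locked(user, now):
            return True
        # The counter goes back to zero once reset_after minutes pass with no new failure.
        if s.last_failure is not None and now - s.last_failure >= self.policy.reset_after:
            s.bad_count = 0
        s.bad_count += 1
        s.last_failure = now
        if self.policy.threshold > 0 and s.bad_count >= self.policy.threshold:
            s.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful logon clears the counter; returns False if the account is locked."""
        if self.is_locked(user, now):
            return False
        self.accounts[user] = AccountState()
        return True

    def unlock(self, user: str) -> None:
        """Administrator (or expiry) unlock: clears the lock and the counter."""
        self.accounts[user] = AccountState()

if __name__ == "__main__":
    # Replay the scenario from the table: threshold 3, counter reset after 5 minutes.
    tracker = LockoutTracker(LockoutPolicy(threshold=3, reset_after=5, duration=0))
    for minute in (0, 1):
        tracker.record_failure("demo.user", minute)      # two failures, not locked yet
    print("count after waiting 6 minutes:", end=" ")
    tracker.record_failure("demo.user", 7)               # counter had reset, so this is 1 again
    print(tracker.bad_count("demo.user"))
    tracker.record_failure("demo.user", 8)
    print("locked on third quick failure:", tracker.record_failure("demo.user", 9))
    print("still locked an hour later (duration 0):", tracker.is_locked("demo.user", 69))
```

The model also makes the sizing rule visible: with `duration` shorter than `reset_after`, an account can unlock while its counter is still counting, which is why the two values are normally set together.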

Password Policy in Active Directory
In Active Directory, the Domain Security Policy holds the Accounts policy governing all user accounts in the domain. The settings are similar to the local security policy.

To access Domain Security Policy:
1. At a domain controller, Control Panel -> Administrative Tools
2. Open Domain Security Policy

Remember, settings here govern the account policy of the domain. In an Active Directory Domain, the whole domain will share only one account policy.

You may apply additional Group Policies with different Account Policy settings to Organizational Units that hold the computer accounts of servers, but this will not affect domain user accounts. Such policies only change the local account policy of those computers and have no effect on domain users at all.

What are ideal Account Policies configurations?
The answer depends on the environment. You need to evaluate the value of the information on the network. The more valuable the information, the more secure it needs to be.

The following are some suggested values. You need to evaluate and strike a balance between being secure and being usable. A secure environment would have these:

Suggested Password Policy Settings

Enforce Password History: 24 passwords
Maximum Password Age: 30 days
Minimum Password Age: 10 days
Minimum Password Length: 14 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption for all users in the domain: Disabled

Suggested Account Lockout Policy Settings

Account lockout duration: 0 min (require administrator intervention)
Account lockout threshold: 3 attempts
Reset account lockout counter after: Not defined

A not-so-secure environment would have these:

Password Policy Settings

Enforce Password History: 1 password
Maximum Password Age: 45 days
Minimum Password Age: 0 days
Minimum Password Length: 8 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption for all users in the domain: Disabled

Account Lockout Policy Settings

Account lockout duration: 15 minutes
Account lockout threshold: 50 attempts
Reset account lockout counter after: 10 minutes
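A practitioner usually wants to know how far a given configuration sits from the secure suggestion above. The following Python block is an added example, not part of the article: it encodes the article's suggested secure values as a baseline and reports every setting of an observed configuration that is weaker. The setting keys, the `weaker_than_baseline` function and the sample input (the article's own "not-so-secure" values, entered by hand) are this example's constructions; "Reset account lockout counter after" is left out of the baseline because the secure suggestion leaves it undefined.

```python
from typing import Callable, Dict, List, Tuple

# Suggested secure values taken from the article's tables (keys are this example's own).
SECURE_BASELINE: Dict[str, object] = {
    "enforce_password_history": 24,   # passwords remembered
    "maximum_password_age": 30,       # days
    "minimum_password_age": 10,       # days
    "minimum_password_length": 14,    # characters
    "password_complexity": True,
    "reversible_encryption": False,
    "lockout_duration": 0,            # 0 = administrator must unlock
    "lockout_threshold": 3,           # attempts
    # "reset_lockout_counter_after" is "Not defined" in the secure suggestion, so not judged.
}

# Each check returns True when the observed value is at least as strict as the baseline.
def at_least(observed, baseline) -> bool:
    return observed >= baseline

def at_most_nonzero(observed, baseline) -> bool:
    # 0 means "never" for these settings (never expires / never locks), which is weaker.
    return 0 < observed <= baseline

def equal(observed, baseline) -> bool:
    return observed == baseline

def admin_unlock_only(observed, baseline) -> bool:
    # Only a 0-minute duration (administrator intervention) matches the secure suggestion.
    return observed == 0

CHECKS: Dict[str, Callable[[object, object], bool]] = {
    "enforce_password_history": at_least,
    "maximum_password_age": at_most_nonzero,
    "minimum_password_age": at_least,
    "minimum_password_length": at_least,
    "password_complexity": equal,
    "reversible_encryption": equal,
    "lockout_duration": admin_unlock_only,
    "lockout_threshold": at_most_nonzero,
}

def weaker_than_baseline(observed: Dict[str, object],
                         baseline: Dict[str, object] = SECURE_BASELINE
                         ) -> List[Tuple[str, object, object]]:
    """Return (setting, observed value, suggested value) for every weaker or missing setting."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append((key, None, expected))
        elif not CHECKS[key](observed[key], expected):
            findings.append((key, observed[key], expected))
    return findings

# Constructed sample input: the article's "not-so-secure" values, entered by hand.
NOT_SO_SECURE: Dict[str, object] = {
    "enforce_password_history": 1,
    "maximum_password_age": 45,
    "minimum_password_age": 0,
    "minimum_password_length": 8,
    "password_complexity": True,
    "reversible_encryption": False,
    "lockout_duration": 15,
    "lockout_threshold": 50,
    "reset_lockout_counter_after": 10,
}

if __name__ == "__main__":
    for setting, got, want in weaker_than_baseline(NOT_SO_SECURE):
        print(f"{setting}: observed {got!r}, suggested {want!r}")
```

The report lists six weaker settings for the not-so-secure configuration and nothing for the secure one; a configuration exported from a real system would be fed in as the same kind of dictionary.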

Make security policies work
Now that you know where and what the policies settings are, you should evaluate how important passwords are in your environment.

You can educate users on password security, but to enforce it you need to implement account policies. User education is still important: you can force your users to use the most complex password known to humankind, but it is no longer secure if the user has to write it down in order to remember it.

Policies should not be set so tight that they inhibit use. For example, a policy that forces users to change passwords every day would likely cause passwords to be forgotten and result in a high volume of password reset calls.

Dennis Chung is a systems administrator for Singapore's Ngee Ann Polytechnic. He has been a Microsoft Windows MVP (Most Valued Professional) for almost 11 years, and holds the following certifications: MCP, MCSA, MCSA Security, MCSE, MCDBA and MCT.