Guide to Group Policy Setting in Windows Server 2003 - Password Policy & Account Lockout Policy
Account Lockout Policy
You can access Group Policy settings by opening the Microsoft Management Console (MMC) and adding the Group Policy snap-in.
The Account Lockout Policy controls what happens when a user attempts to log in and enters the wrong password. It is possible to leave this unconfigured so that someone can sit at a workstation and try thousands of different passwords in an attempt to find the right one, but that is highly unwise and a serious compromise of security. There are three settings for this policy, and using them will greatly increase security.
Access the Account Lockout Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy
The three settings are Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After. I recommend setting Account Lockout Threshold to “5 Invalid Login Attempts”. When you do this, Windows automatically sets the other two settings to “30 Minutes”. With these settings applied, a user who enters the wrong password 5 times within the 30-minute reset window is completely locked out of the system for 30 minutes.
Password Policy
The Password Policy controls settings related to each user’s password. It is important to enforce a password policy, because the chances of a user giving out their password (accidentally or intentionally) are very high. Requiring users to change their password reasonably often, and to make it conform to a set of standards that make it very difficult to crack, is therefore in your organization’s best interests.
Access the Password Policy from:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
There are five settings here: Enforce Password History, Maximum Password Age, Minimum Password Age, Minimum Password Length, and Password Must Meet Complexity Requirements. I recommend enforcing a password history of at least 6. This means a user must change their password six times before a previous password can be reused. For Maximum Password Age, I recommend between 30 and 40 days; this forces users to change their password once that many days have passed.
Minimum Password Age is also important, because it requires users to keep a password for a certain amount of time before changing it. Without it, a user who has figured out your system could change their password six times in a row to cycle back to the old one, bypassing the forced password change and compromising your network. I recommend a Minimum Password Age of at least 1 day, and preferably 7 days. For Minimum Password Length, most enterprises require a minimum of 8 characters, and sometimes 12. The longer the password, the harder it is to crack. You should definitely enable Password Must Meet Complexity Requirements. Doing so requires passwords to contain a capital letter, a lowercase letter, a number, and a special character. An example is the password @dministrat0R (though I definitely recommend you not use that one).
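As an added check covering both the Account Lockout Policy and the Password Policy sections above (this script is not part of the original guide), the code below parses the [System Access] section of a security-template export produced by `secedit /export /cfg <file>` and reports every setting that falls short of the recommendations given here. The sample export is constructed, and the treatment of -1 as "until an administrator unlocks" is my assumption; a real export is UTF-16, so read it with encoding="utf-16" before passing the text to audit().

```python
import re

# Expected values follow the article's recommendations: threshold 5, 30-minute
# duration and reset window, history 6, max age 30-40 days, min age 1+ day,
# length 8+, complexity on. -1 in a secedit export is assumed to mean "until
# an administrator unlocks" (an assumption, not from the guide).
RULES = [
    ("LockoutBadCount", lambda v: 1 <= v <= 5, "1-5 invalid attempts"),
    ("LockoutDuration", lambda v: v == -1 or v >= 30, ">= 30 min or -1"),
    ("ResetLockoutCount", lambda v: v >= 30, ">= 30 min"),
    ("PasswordHistorySize", lambda v: v >= 6, ">= 6 passwords remembered"),
    ("MaximumPasswordAge", lambda v: 30 <= v <= 40, "30-40 days"),
    ("MinimumPasswordAge", lambda v: v >= 1, ">= 1 day"),
    ("MinimumPasswordLength", lambda v: v >= 8, ">= 8 characters"),
    ("PasswordComplexity", lambda v: v == 1, "enabled (1)"),
]

def parse_system_access(inf_text):
    """Return {setting: int} from the [System Access] section of a secedit export."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line)
        if in_section and m:
            values[m.group(1)] = int(m.group(2))
    return values

def audit(inf_text):
    """Return (setting, actual_or_None, expected) for every rule that is not met."""
    values = parse_system_access(inf_text)
    return [(name, values.get(name), expected)
            for name, ok, expected in RULES
            if values.get(name) is None or not ok(values[name])]

# Constructed sample resembling a fresh server: lockout is off, so no
# LockoutDuration/ResetLockoutCount lines are written at all.
WEAK_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
Revision=1
"""

if __name__ == "__main__":
    print(*audit(WEAK_INF), sep="\n")
```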
This post is part of the series: Windows Server 2003 Group Policy
We take a look at the huge subject of Group Policy: what it is, how it helps administrators, and some common Group Policy settings that can increase security.