Most users log on to their local and remote computers with a username and password combination typed at the keyboard. Such accounts are vulnerable to simple password guessing and dictionary attacks if a strong password policy is not enforced. An account lockout policy is just as important as the password policy, because it defeats trial-and-error guessing as well as dictionary and brute-force attacks.
Password Policy
The parameters with which we can enforce a strong password policy are:
Enforce password history
Prevents users from reusing any of the specified number of most recently used passwords.
Maximum password age
The user is forced to change the password after the specified number of days; otherwise the user is not allowed to log on to the system.
Minimum password age
The user cannot change the password before the number of days specified by the minimum password age has elapsed. After that, the user may change the password at any time up to the number of days specified by the maximum password age. Once the maximum password age is exceeded, the user is not allowed to log on until the password is changed.
Minimum password length
The password cannot be shorter than the number of characters specified by the minimum password length.
Passwords must meet complexity requirements
Determines whether password complexity is enforced. The complexity requirements are as follows:
- The password is at least six characters long.
- The password contains characters from at least three of the following five categories:
  - English uppercase characters (A – Z)
  - English lowercase characters (a – z)
  - Base 10 digits (0 – 9)
  - Non-alphanumeric characters (for example: !, $, #, or %)
  - Unicode characters
- The password does not contain three or more consecutive characters from the user’s account name.
Account Lockout Policy
Account lockout policy defines after how many invalid logon attempts a user account is locked and for how long it remains locked. It protects against password guessing (trial and error) and dictionary attacks.
Scenario that I configured & tested
I want to design a password policy for my Active Directory users in Windows 2003 Server such that:
- Password length must be at least 6 characters.
- A password can be valid for a maximum of 30 days.
- Users must be able to change their password at any time after the password policy is applied.
- Users should start getting alerts at logon when 7 days remain before the maximum password age (30 days) is reached.
Let’s create the Password policy
- Open Active Directory Users and Computers
- Right click on the Root container and then click Properties
- Click on Group Policy tab
- Click Open button if GPMC is installed otherwise create a new group policy.
- Go to Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.
- Enable “Maximum password age” and enter 30 days. Doing this will satisfy my requirement no. 2.
- Enable “Minimum password age” and enter 0 days. This will satisfy requirement no. 3.
- Enable “Minimum password length” and enter 6 characters. This meets my requirement no. 1.
- I haven’t enabled “Password must meet complexity requirements” because I don’t need it. You can if you want.
- To meet requirement no. 4 go to Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. Enable “Interactive logon: Prompt user to change password before expiration” and then enter 7 days in the box.
I also need to create an Account Lockout policy such that:
- The user account is to be locked after 3 invalid logon attempts.
- Once locked, the account should remain locked for 30 minutes.
- The failed logon attempt counter should be reset 15 minutes after the last failed logon attempt.
Let us create an Account Lockout Policy
- Open Active Directory Users and Computers
- Right click on the Root container and then click Properties
- Click on Group Policy tab
- Click Open button if GPMC is installed otherwise create a new group policy.
- Go to Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy.
- Enable “Account lockout duration” and set it to 30 minutes, to meet requirement no. 2.
- Enable “Account lockout threshold” and set it to 3, to meet requirement no. 1.
- Enable “Reset account lockout counter after” and set it to 15 minutes, to meet requirement no. 3.
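Once both GPOs have applied, it is worth confirming the effective settings on a domain member rather than trusting the GUI. The following added example (my own, not part of the original post) parses the plain-text output of `net accounts /domain`, which exists on Windows Server 2003, and compares it with the values chosen in the two procedures above; it assumes PowerShell is installed, and the sample output embedded in it is constructed so the script can be run offline.

```powershell
# Expected values from the password and account lockout scenarios above.
# The 7-day expiry warning is not reported by "net accounts", so it is not checked here.
$Expected = @{
    'Minimum password age (days)'          = 0
    'Maximum password age (days)'          = 30
    'Minimum password length'              = 6
    'Lockout threshold'                    = 3
    'Lockout duration (minutes)'           = 30
    'Lockout observation window (minutes)' = 15
}

function Test-AccountPolicy {
    param([string[]]$NetAccountsOutput)
    $actual = @{}
    foreach ($line in $NetAccountsOutput) {
        # Each report line is "<label>:<spaces><value>"; the label itself contains no colon.
        if ($line -match '^(.*?):\s+(\S.*)$') { $actual[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $ok = $true
    foreach ($key in $Expected.Keys) {
        $want = $Expected[$key]
        $got  = $actual[$key]
        if ($null -eq $got) { Write-Host "MISSING $key"; $ok = $false; continue }
        # "Never" or "None" means the setting is disabled, so it fails a numeric target.
        $pass = ($got -match '^\d+$') -and ([int]$got -eq $want)
        $tag  = if ($pass) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0} {1}: want {2}, got {3}" -f $tag, $key, $want, $got)
        if (-not $pass) { $ok = $false }
    }
    return $ok
}

# Constructed sample of what "net accounts /domain" prints after both policies apply.
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          30
Minimum password length:                              6
Length of password history maintained:                None
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 15
Computer role:                                        PRIMARY
'@ -split "`r?`n"

Test-AccountPolicy $sample                      # offline check against the constructed sample
# Test-AccountPolicy (net accounts /domain)    # live check on a domain member
```

A `FAIL` or `MISSING` line after a `gpupdate` usually means the policy was linked at the wrong container or is being overridden; domain account policies are only effective when set at the domain root.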