Developing a corporate security policy — whether it involves antivirus software, safe passwords or personal firewalls — means striking a balance between securing network resources and minimizing user inconvenience.
Part of designing a security policy in Windows is configuring the parameters associated with "account security."
Although systems administrators know the technical details, IT managers also need to understand how these settings work so they can make an informed decision when the configuration is chosen. Some decisions about security policies weaken overall security because administrators tend to favor the setting that makes the immediate problem go away (a help desk call, a locked-out account) rather than the one that keeps the system secure.
These settings are defined in the security section of Group Policy (Computer Configuration, Windows Settings, Security Settings) and are referred to as "account policies." An important characteristic of account policies is that they are effective for domain accounts only when defined at the domain level. An account policy linked to an organizational unit affects only the local accounts on the computers in that OU; it does not change the password policy for domain users in that OU. So you cannot define a separate domain password policy per organizational unit: everyone in the domain uses the same policy.
Windows Server 2008 adds a way to apply these settings more granularly. Fine-grained password policies (Password Settings Objects, available at the Windows Server 2008 domain functional level) let you assign different password and lockout settings to specific users and global security groups, with the domain policy remaining the default for everyone else. Let's examine the settings of each of these policies, their effect on the overall security strategy and their recommended values.
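As an added example (not from the original article), the following PowerShell audits the domain account policy against a set of target values and then creates a stricter fine-grained policy for a privileged group. It assumes the RSAT ActiveDirectory module, a domain at the Windows Server 2008 functional level or higher, and a group named "Tier0-Admins"; the group name, the user "someadmin" and the target values are this example's assumptions, not the article's recommendations.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module
# and a hypothetical group "Tier0-Admins" and user "someadmin".
Import-Module ActiveDirectory

# Target values are assumptions for this demo, not the article's guidance.
$target = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 12
    PasswordHistoryCount        = 24
    LockoutThreshold            = 10
}

# The domain-level policy is what every domain account gets by default.
$domain = Get-ADDefaultDomainPasswordPolicy
foreach ($name in $target.Keys) {
    $actual = $domain.$name
    $state  = if ($actual -eq $target[$name]) { 'OK' } else { 'DRIFT' }
    '{0,-30} actual={1,-8} target={2,-8} {3}' -f $name, $actual, $target[$name], $state
}

# Fine-grained policy (Windows Server 2008+). When a user matches several
# PSOs, the one with the lowest Precedence value wins.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -PassThru

# PSOs apply to users and global security groups only, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Verify the policy a member actually receives (the PSO, not the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'someadmin'
```

The resultant-policy check is the one to keep in a change ticket: a PSO that is created but linked to the wrong group silently leaves the domain default in force.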
Password policies define characteristics of a password:
Password complexity – This setting forces the user to mix character types. Windows recognizes five categories for "complexity": uppercase letters, lowercase letters, base-10 digits, non-alphanumeric characters such as &, % and $, and Unicode letters that have no upper or lower case (characters from Asian scripts, for example). To meet the requirement a password must contain characters from at least three of these categories, be at least six characters long, and must not contain the user's account name or any part of the full name longer than two characters (the comparison is not case sensitive). Otherwise the user gets an error stating that the password doesn't meet complexity requirements.
Default setting: Enabled
Recommended setting: Enabled
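The complexity rule is easy to misjudge by eye, so here is an added example (not from the original article) that re-implements it locally so a provisioning script can reject a password before the domain controller does. The sample account names and passwords are constructed for the demo; the regular expressions approximate the Windows character categories (for instance, Windows does not count currency symbols as special characters).

```powershell
# Added example, not from the article: local check of the Windows
# "Password must meet complexity requirements" rule.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: at least six characters when complexity is enabled.
    if ($Password.Length -lt 6) { $reasons.Add('shorter than 6 characters') }

    # Rule 2: characters from at least three of five categories.
    # The fifth (case-less Unicode letters, e.g. CJK) is the one often forgotten.
    # These patterns approximate the Windows categories.
    $categories = @(
        [regex]'\p{Lu}',            # uppercase letters
        [regex]'\p{Ll}',            # lowercase letters
        [regex]'[0-9]',             # base-10 digits
        [regex]'[^\p{L}\p{Nd}]',    # non-alphanumeric (symbols, punctuation)
        [regex]'\p{Lo}'             # letters with no case, e.g. CJK
    )
    $hits = @($categories | Where-Object { $_.IsMatch($Password) }).Count
    if ($hits -lt 3) { $reasons.Add("only $hits of 5 character categories") }

    # Rule 3: must not contain the samAccountName (if 3+ chars) or any token of
    # the display name (split on , . - _ space # tab; tokens under 3 chars ignored).
    # Both checks are case-insensitive.
    $tokens = @()
    if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
    $tokens += ($DisplayName -split '[,.\-_ #\t]+') | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains name token '$t'")
        }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample inputs for the demo (hypothetical user).
$user = @{ SamAccountName = 'jsmith'; DisplayName = 'Smith, John' }
'Password1', 'Smith!2024', 'Jsmith42!', 'correcthorsebattery', 'Tr0ub4dor&3' |
    ForEach-Object { Test-PasswordComplexity -Password $_ @user } |
    Format-Table -AutoSize
```

Note what the table shows: "Password1" passes because it hits three categories, which is exactly why complexity alone is a weak control and should be paired with a sensible minimum length; "Smith!2024" also hits three categories but is rejected for containing a full-name token.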
Store password using reversible encryption – This makes the password recoverable from the directory, which is equivalent to storing it in clear text. It exists for protocols and applications that must see the actual password, such as CHAP authentication through remote access and Digest authentication in IIS. Few applications still need it, and if one does, enable the option on that user's Account tab rather than for the whole domain.
Default setting: No
Recommended setting: No
Keeping hackers out with account lockout
When a wrong password is entered more than the account lockout threshold allows within the observation window, the account is locked out. If the lockout duration is set to 0, it stays locked until an administrator unlocks it; otherwise it unlocks itself when the duration expires. Lockout does not stop an attacker who already knows the password from using it once the account is unlocked; its purpose is to throttle guessing, so that an attacker can try only a handful of combinations before the account closes. It is a secondary line of defense behind a strong password policy.
But account lockout policies can also be frustrating for users and administrators alike. A number of normal conditions artificially inflate the badPwdCount attribute and lock out a valid user: a mapped drive, scheduled task or service that still holds an old password, or a session that keeps using cached credentials after a password change. Microsoft's account lockout best practices white paper covers those conditions. The same mechanism also gives an attacker a cheap denial of service, because anyone who can reach the logon service can lock out a known account name on purpose, so a low threshold combined with a lockout duration of 0 is usually the wrong trade-off.
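When an account does lock out, the practical question is which machine sent the bad passwords. As an added example (not from the original article), the PowerShell below reports the current lockout settings, lists locked accounts, reads the bad-password counters from every domain controller (badPwdCount and lockoutTime are not replicated, so each DC has its own view), and pulls event 4740 from the PDC emulator, which records the caller computer name for each lockout. It assumes the RSAT ActiveDirectory module and rights to read the Security log on the PDC emulator.

```powershell
# Added example, not from the article: trace account lockouts to their source.
# Assumes the ActiveDirectory module and Security-log read rights on the PDC.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
'Threshold={0}  Duration={1}  ResetAfter={2}' -f $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow
if ($policy.LockoutThreshold -gt 0 -and $policy.LockoutDuration -eq [TimeSpan]::Zero) {
    'Note: duration 0 means locked accounts stay locked until an admin unlocks them.'
}

# 1. Accounts currently locked out.
$locked = Search-ADAccount -LockedOut -UsersOnly | Select-Object -ExpandProperty SamAccountName

# 2. Per-DC counters. badPwdCount is kept locally on each DC (bad attempts are
#    also forwarded to the PDC emulator), so one DC's view is not the whole story.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($sam in $locked) {
    foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity $sam -Server $dc -Properties badPwdCount, LastBadPasswordAttempt, lockoutTime
        [pscustomobject]@{
            User           = $sam
            DC             = $dc
            BadPwdCount    = $u.badPwdCount
            LastBadAttempt = $u.LastBadPasswordAttempt
            LockedOut      = ($u.lockoutTime -gt 0)
        }
    }
}

# 3. Event 4740 ("A user account was locked out") on the PDC emulator names
#    the machine that sent the bad credentials: a stale service or mapped
#    drive, or a host an attacker is guessing from.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $_.Properties[0].Value   # TargetUserName
        Caller  = $_.Properties[1].Value   # TargetDomainName holds the caller computer name
    }
}
```

A burst of 4740 events for many different accounts from one caller within minutes is a password-spraying signature rather than a forgotten password, and is worth an alert on its own.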
For anyone who wants to use them, here are the guidelines:
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.