Task 5.2: Implementing the Password Policy

One of the most important components of securing your information systems is implementing a strong password policy. This is accomplished by editing the Default Domain GPO in the Windows Server 2003 Active Directory Users and Computers management console. Setting the password policy at any other location in the Windows Server 2003 Active Directory or on the local computer affects the local users’ password requirements, not the requirements for their domain user passwords.


In Windows Server 2000 and 2003 Active Directory, each domain may have only one effective password policy. It must be set in a GPO linked to the domain in the AD hierarchy. Windows Server 2008 and Windows Server 2008 R2 Active Directory allow for Fine Grained Password Policies. This is a password policy that may be different at each OU within a domain.

Scenario

You are an administrator in a Windows Server 2003 AD environment. You are responsible for the security of all user accounts. You must implement account policies in your domain to enforce the company standard for these password settings.

Scope of Task

Duration

This task should take 15 minutes.

Setup

You need to strengthen the security of the environment, and a strong password policy is your next step in accomplishing this.

Caveat

It is well recognized that a strong password policy is an essential element of strong security in an environment. However, if the policy is set too rigidly, users struggle to remember their passwords and continuously lock their accounts by entering incorrect passwords, resulting in increased administrative overhead to unlock them, and/or they write down their difficult passwords and store them in a handy location. Unfortunately, this “handy” logon information is also handy for the attacker. By strengthening the password policy too much, you effectively weaken the overall security of the environment.

Modifying any GPO, especially the default domain policy, is a dangerous thing to do. This specific policy affects every computer and every user in the domain. Inappropriate changes to this policy could severely cripple access to your information systems.

Always use caution when modifying any GPO, be sure you understand the ramifications of your configuration, and carefully consider where you have the GPO linked.

Procedure

For this task, you will configure the password policy in the Default Domain GPO with the following password policy settings:

  • The password must consist of at least eight characters.
  • A password must contain at least one uppercase alpha character, at least one lowercase alpha character, and at least one number or symbol character (password complexity).
  • Users must change their passwords every 45 days, and cannot change them again for 35 days once set.
  • Users cannot reuse a password for the next 24 new passwords.
  • If a user types the wrong password three times in a 30-minute period, the user account gets locked and an administrator must unlock the account before the user can log on.

Equipment Used

For this task, you must have:

  • Windows Server 2003 domain controller system
  • Domain Administrator access

Details

Setting the Password Policy in the Default Domain Policy

1. Log on to the Windows Server 2003 domain controller system as the Domain Administrator.

2. Select Start ⇒ Programs ⇒ Administrative Tools ⇒ Active Directory Users And Computers.

3. Expand the domain. Right-click on the domain name and select Properties.

4. Select the Group Policy tab. Select the Default Domain Policy.


5. Click Edit. Expand the GPO to view Computer Configuration ⇒ Windows Settings ⇒ Security Settings ⇒ Account Policies ⇒ Password Policy.

6. Notice that the Enforce Password History setting is by default set to where you need it: at 24 Passwords Remembered. The range is from 1 to 24 passwords remembered. A setting of 0 means users can reuse the same password.

7. Double-click on Maximum Password Age. Set the Password Will Expire In field to 45 days, and then click OK. The range is from 1 to 999 days. A setting of 0 means passwords never expire.

8. Double-click on Minimum Password Age. Set the Password Can Be Changed After setting to 35 days, and then click OK. The range is from 1 to 998. A setting of 0 means passwords can be changed immediately.

9. Double-click on Minimum Password Length. Set the Password Must Be At Least field to 8 characters, and then click OK. The range is from 1 to 24. A setting of 0 means blank passwords are accepted.

10. Notice that Password Must Meet Complexity Requirements is by default set to Enabled.


Setting the Account Lockout Policy in the Default Domain Policy

1. In the left pane, select Account Lockout Policy. Notice the default settings.


2. Double-click on Account Lockout Duration. Set this to Account Is Locked Out For: 0 Minutes. As you select 0 for the number of minutes, the dialog box changes to read Account Is Locked Out Until Administrator Unlocks It. Click OK. The range is from 1 to 99,999 minutes.

3. Double-click on Account Lockout Threshold, set Account Will Lock Out After to 3 Invalid Logon Attempts, and then click OK. The range is from 1 to 999 attempts. A 0 setting means the account is never locked out by the Account Lockout Policy.

4. Double-click on Reset Account Lockout Counter After and set Reset Account Lockout Counter After to 30 Minutes; then click OK. The range is from 1 to 99,999 minutes.


5. Close the GPO by clicking the X in the upper-right corner. Click OK in the DomainName.com Properties dialog box, where DomainName.com is the name of your domain.


This policy should be effective within a few minutes of closing the property pages for the domain. Users will experience these settings with their next password change.
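A way to confirm the policy actually took effect rather than trusting the dialog boxes, added here as an example and not part of the book's task: this PowerShell script reads the account-policy attributes that the PDC emulator writes to the domain naming context once the Default Domain Policy applies, and compares them with the values specified above. It assumes a domain-joined machine with PowerShell installed (an add-on on Windows Server 2003); the attribute names are the standard ones on the domain object, and no RSAT module is required.

```powershell
# Added example, not the book's own procedure. Reads the effective domain account
# policy from the attributes the PDC emulator writes to the domain naming context
# and compares it with the values this task specifies. Assumed environment: a
# domain-joined machine with PowerShell; any authenticated user can read these.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = "$($rootDse.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
$searcher.SearchScope = "Base"
$searcher.Filter      = "(objectClass=*)"
[void]$searcher.PropertiesToLoad.AddRange(@("maxPwdAge", "minPwdAge", "minPwdLength",
    "pwdHistoryLength", "pwdProperties", "lockoutThreshold", "lockoutDuration",
    "lockOutObservationWindow"))
$p = $searcher.FindOne().Properties
# Time-valued attributes are negative counts of 100-nanosecond ticks, and
# [long]::MinValue encodes "never" / "until an administrator unlocks it",
# which the GPO editor displays as 0.
function ConvertFrom-AdInterval([long]$ticks, [long]$ticksPerUnit) {
    if ($ticks -eq [long]::MinValue) { return 0 }
    return [int](-$ticks / $ticksPerUnit)
}
$ticksPerDay    = 864000000000   # 24 h * 60 min * 60 s * 10^7
$ticksPerMinute = 600000000
$actual = @{
    "Maximum password age (days)"     = ConvertFrom-AdInterval $p["maxpwdage"][0] $ticksPerDay
    "Minimum password age (days)"     = ConvertFrom-AdInterval $p["minpwdage"][0] $ticksPerDay
    "Minimum password length"         = [int]$p["minpwdlength"][0]
    "Enforce password history"        = [int]$p["pwdhistorylength"][0]
    "Complexity required"             = (([int]$p["pwdproperties"][0] -band 1) -ne 0)  # DOMAIN_PASSWORD_COMPLEX bit
    "Lockout threshold (attempts)"    = [int]$p["lockoutthreshold"][0]
    "Lockout duration (minutes)"      = ConvertFrom-AdInterval $p["lockoutduration"][0] $ticksPerMinute
    "Reset lockout counter (minutes)" = ConvertFrom-AdInterval $p["lockoutobservationwindow"][0] $ticksPerMinute
}
# Targets from the task. Lockout duration 0 = locked until an administrator unlocks.
$expected = @{
    "Maximum password age (days)"     = 45
    "Minimum password age (days)"     = 35
    "Minimum password length"         = 8
    "Enforce password history"        = 24
    "Complexity required"             = $true
    "Lockout threshold (attempts)"    = 3
    "Lockout duration (minutes)"      = 0
    "Reset lockout counter (minutes)" = 30
}
foreach ($name in ($expected.Keys | Sort-Object)) {
    $state = if ($actual[$name] -eq $expected[$name]) { "OK" } else { "MISMATCH" }
    "{0,-32} expected {1,-5} actual {2,-5} {3}" -f $name, $expected[$name], $actual[$name], $state
}
```

Run it a few minutes after closing the property pages; a MISMATCH line means the GPO has not yet replicated to or been applied by the PDC emulator, or that another GPO linked at the domain level is overriding the setting.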

Criteria for Completion

You have completed this task when you have modified the Default Domain GPO to match the specified Password Policy settings and the Account Lockout Policy settings.
