Hardening Microsoft Windows Operating System Authentication

The next step in hardening your Windows operating systems is to address authentication weaknesses. Current operating system versions, regardless of vendor, tend to be more secure and provide more features. If all of the computers in your environment are running the latest version of Windows, then you should disallow older authentication methods. For example, computers that run Windows 2000 or later support NTLMv2 authentication. Earlier versions of Windows only support the older NTLM protocol. If all your computers are running Windows 2000 or later, you can disable support for NTLM.

Remove or disable any unused or inactive user accounts defined for each computer, both locally and in Active Directory (AD). Unused user accounts provide additional targets for attackers. The most dangerous user for any Windows computer is Administrator. This user has elevated permissions and exists on every Windows computer. Attackers know that accessing the Administrator account allows them many ways to compromise a computer. Unfortunately, you can’t delete the Administrator account. But you can disable it. The best way to protect your administrative rights from attackers is to follow these steps:

  1. Create new accounts that will become the new Administrator users.

  2. Assign the necessary Administrator rights to the new users, or to a group object.

    Test each of the new Administrator accounts to ensure they possess the necessary rights and permissions.

  3. Disable the default Administrator account.

Following these steps will make it more difficult for attackers to escalate their privileges to include administrative rights. They have to guess which users now have administrative rights. Many automated attacks target the default Administrator user; so, if you have disabled that user, such attacks will fail. Once you have disabled the Administrator user, remove other users, such as Guest, that you do not need. As with the Administrator user, attackers know that many Windows operating systems have default users no one took the time to remove. They’ll try to use these accounts to compromise your computers.

The next step in hardening Windows authentication is to establish and enforce strong account policies. The Microsoft Security Compliance Toolkit provides many policy recommendations and makes it easy to compare those recommendations with the settings you have in place. Create or edit Group Policy to modify settings for the following policies:

  • Password policy—Settings for password age, length, complexity, storage, and history. The goal for passwords is to require users to change passwords frequently, but not too frequently. If you force users to change passwords too often and make them too complex, users will likely just write down passwords and keep them close to their workstations. A good rule of thumb is to set the maximum password age to 60 days, enable password complexity, and require that passwords be at least eight characters in length. Users will have to change their passwords every 60 days and create passwords that contain upper and lowercase characters as well as digits or special symbols.

  • Account policy—Settings for account lockout duration, threshold, and reset count. Use these settings to make it more difficult for automated tools to use brute-force attacks to guess passwords. A good rule of thumb is to use an account lockout threshold of five to lock a user account after five failed logon attempts. You could set the duration and reset count to 15 to force a user to wait 15 minutes after five failed logons. After 15 minutes, the user could try to log on and have five more attempts before either successfully logging on or being locked out again.

  • Kerberos policy—Settings for logon restrictions and ticket lifetimes. These settings tell Windows how long Kerberos tickets should be allowed to live and whether the Kerberos servers should authenticate users on every request. The default ticket lifetime is 10 hours. This default works well unless your environment routinely supports users who work for more than 10 hours at a time. The Kerberos lifetime should be a little longer than a user’s workday.
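As an added example (not from the text), the following PowerShell script exports the local security policy with secedit and compares the password and account lockout settings above against the rules of thumb given in the list. The INF parsing and the policy names it checks (MaximumPasswordAge, PasswordComplexity, MinimumPasswordLength, LockoutBadCount, LockoutDuration, ResetLockoutCount) are assumed to match what secedit writes to its [System Access] section.

```powershell
# Added example: audit local password and lockout policy against the
# values recommended in the text. Run from an elevated prompt; on a domain
# member the effective values come from Group Policy, so check that too.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse the [System Access] section of the export into Name = Value pairs.
# secedit writes the file as UTF-16, hence -Encoding Unicode.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Expected values from the text: maximum age 60 days, complexity enabled,
# at least 8 characters, lockout after 5 failures, 15-minute duration/reset.
# secedit uses -1 for "never expires" (age) and "until admin unlocks" (duration).
$checks = @(
    @{ Name='MaximumPasswordAge';    Want='1-60 days';    Ok={ param($v) [int]$v -gt 0 -and [int]$v -le 60 } },
    @{ Name='PasswordComplexity';    Want='1 (enabled)';  Ok={ param($v) [int]$v -eq 1 } },
    @{ Name='MinimumPasswordLength'; Want='>= 8';         Ok={ param($v) [int]$v -ge 8 } },
    @{ Name='LockoutBadCount';       Want='1-5 attempts'; Ok={ param($v) [int]$v -ge 1 -and [int]$v -le 5 } },
    @{ Name='LockoutDuration';       Want='>= 15 min';    Ok={ param($v) [int]$v -ge 15 -or [int]$v -eq -1 } },
    @{ Name='ResetLockoutCount';     Want='>= 15 min';    Ok={ param($v) [int]$v -ge 15 } }
)

foreach ($c in $checks) {
    $value  = $policy[$c.Name]
    $status = if ($null -eq $value) { 'MISSING' }          # e.g. lockout not configured
              elseif (& $c.Ok $value) { 'OK' } else { 'WEAK' }
    '{0,-22} {1,-8} actual={2,-5} expected={3}' -f $c.Name, $status, $value, $c.Want
}
```

A MISSING LockoutDuration or ResetLockoutCount usually means LockoutBadCount is 0, that is, account lockout is not configured at all.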

Ensuring you only have the accounts you need, both at the local computer level and in AD, can reduce your exposure to attack. Reviewing and, if needed, strengthening the password policies will harden your Windows authentication and make it harder for attackers to compromise your Windows computers.
