By default in a Windows Active Directory environment, the Default Domain Policy establishes the account policy settings for all user accounts in the domain. You will find these settings under Computer Configuration/Policies/Windows Settings/Security Settings. I have already explained the Kerberos GPO policy in my previous article. Let's go through the Password and Account Lockout policies in detail.
Password policy includes the following options:
- Enforce Password History – Enable this option to specify the number of consecutive unique passwords a user must set before an old password can be reused. This setting stops users from cycling back to their old passwords. Default value – 24 on DCs and 0 on standalone servers.
- Maximum Password Age – This option sets how long (in days) a password can be used before the system requires the user to pick a new one. The minimum and maximum values are 1 and 999 respectively. Set the value to 0 if you want passwords never to expire. Organizations usually set this value between 30 and 90 days, based on their corporate security policy. Default value – 42 days.
- Minimum Password Age – The value set here is the minimum amount of time (in days) a password must be used before the user can change it again. This value indirectly affects the effectiveness of the “Enforce Password History” setting. How? Imagine you keep the minimum password age at 0 and the password history at 5. Users can now change their password five times in a row and land back on their favourite old password. Default value – 1 day.
- Minimum Password Length – This value determines the minimum number of characters required in a user password. Seven or eight characters is a good minimum. Default value – 7 on DCs and 0 on standalone servers.
- Password Must Meet Complexity Requirements – This policy was previously called “Password Must Meet Complexity Requirements of Installed Password Filter”. A password filter DLL, built into Windows 2000 Server and later, defines requirements such as the number of characters allowed, whether numbers and letters must be used, whether any part of the username may appear in the password, etc. A Windows 2012 DC shows the detailed list of requirements that must be met when the policy is enabled (see screenshot). It is enabled by default on all DCs.
- Store Passwords Using Reversible Encryption – This policy stores user passwords in a reversible form. Passwords are normally stored as one-way hashes; enabling this policy makes it much easier for an attacker who obtains the password store to recover the clear-text passwords. The policy is disabled by default and is enabled only in rare scenarios, e.g. when Remote Access Services authenticates users with CHAP.
Account Lockout Policy includes the following options:
- Account Lockout Duration – Determines the interval (in minutes) for which the account stays locked out. After that period the account is automatically unlocked and the user can try again. If the policy is enabled and the value is left blank, the account is never unlocked automatically; the user must call the administrator to have it unlocked.
- Account Lockout Threshold – Defines how many invalid logon attempts are allowed before the user account is locked out. A value of zero means accounts never lock out. The value for this policy is usually around 3 to 5 in most domain environments.
- Reset Account Lockout Counter After – This setting determines the time interval after which the count of bad logon attempts starts over. For example, if you set this value to 30 minutes and the Account Lockout Threshold to 3, a user can mistype the password twice, wait 30 minutes after the last attempt, and have three tries again.
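The settings described above can be audited from a domain-joined machine. The script below is an added example, not part of this article; it reads the effective default domain policy with the real `Get-ADDefaultDomainPasswordPolicy` cmdlet and flags deviations from the guidance given here (the thresholds in the parameters are assumptions drawn from that guidance; treating a never-expiring maximum age as `[TimeSpan]::MaxValue` is an assumption about the cmdlet's output).

```powershell
# Added example (not from the article): audit the Default Domain Policy
# password and lockout settings against the values discussed above.
# Requires the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # Thresholds are assumptions taken from the article's guidance.
        [int]$MinHistory = 24,
        [int]$MaxAgeDays = 90,
        [int]$MinLength = 8,
        [int]$MaxLockoutThreshold = 5
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($p.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount=$($p.PasswordHistoryCount): below the DC default of $MinHistory"
    }
    # A zero minimum age lets a user cycle through the whole history in one
    # sitting and land back on the old password, defeating the history setting.
    if ($p.PasswordHistoryCount -gt 0 -and $p.MinPasswordAge.TotalDays -lt 1) {
        $findings += "MinPasswordAge=0: password history can be bypassed by rapid changes"
    }
    # 'Never expires' is reported as [TimeSpan]::MaxValue (assumption about the cmdlet's output).
    if ($p.MaxPasswordAge -eq [TimeSpan]::MaxValue -or $p.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge=$($p.MaxPasswordAge): passwords never expire or exceed $MaxAgeDays days"
    }
    if ($p.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength=$($p.MinPasswordLength): below $MinLength characters"
    }
    if (-not $p.ComplexityEnabled) {
        $findings += "ComplexityEnabled=False: the complexity filter is not enforced"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled=True: passwords are recoverable in clear text"
    }
    if ($p.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold=0: accounts never lock out, so guessing is unlimited"
    } elseif ($p.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold=$($p.LockoutThreshold): above the common 3-5 range"
    }
    # LockoutObservationWindow is the 'Reset account lockout counter after' interval;
    # LockoutDuration is 'Account lockout duration'. Both are surfaced for review.
    Write-Verbose "LockoutDuration=$($p.LockoutDuration) LockoutObservationWindow=$($p.LockoutObservationWindow)"
    return $findings
}

# Print each finding as a warning; no output means every check passed.
Test-DomainPasswordPolicy | ForEach-Object { Write-Warning $_ }
```

Fine-grained password policies (PSOs) override these defaults for the users they apply to, so check `Get-ADFineGrainedPasswordPolicy -Filter *` as well before concluding the domain is configured as intended.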