User Account Security

If you are using user accounts for access to resources in IIS, it is important that you make sure those accounts are protected. If a hacker were able to get a username and password, he or she would be able to access potentially sensitive data. You can protect against this happening in the following ways.

Force Strong Passwords

The strong-password standard in WS03 is the same as the standard in previous Windows Server versions. When you force strong passwords, any user changing his or her password must meet the following requirements:

  • Passwords must be at least six characters long.

  • Passwords must contain characters from at least three of the following four types of characters:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Special characters, such as punctuation symbols

  • Passwords may not contain the user's username or any part of the user's full name.

You can create your own password filters by writing a custom passfilt.dll file, which is the DLL through which password changes are run to make sure they fit a certain profile. Knowledge Base article Q151082 details how to begin writing your own passfilt.dll file. It can be accessed by using TechNet, or on the Microsoft Support site (http://support.microsoft.com) by searching on the article number.

Here's how to enable strong passwords in WS03:

  1. Open the appropriate security policy (domain or local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy)

  2. In the Security Settings MMC, under Account Policies, choose Password Policy.

  3. Double-click on Password Must Meet Complexity Requirements.

  4. Set the Password Must Meet Complexity Requirements to Enabled.

  5. Click OK.

You can also set the minimum password length:

  1. Open the appropriate Security Policy (Domain or Local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy).

  2. In the Security Settings MMC, highlight Password Policy under Account Policies.

  3. Double-click on Minimum Password Length.

  4. Set the Minimum Password Length to a number between 0 and 14. A setting of 0 allows blank passwords.

  5. Click OK.

    Note 

    Although users can have up to 255-character passwords in WS03, through the Local Security Policy, you can force only up to 14 characters. In addition, keep in mind that if you have enabled strong passwords, the minimum password length is 6 characters, even if you set less than that in Minimum Password Length.

Enable Account Lockout

Enabling account lockout allows you to control how may times someone can enter an incorrect password before access is denied. After the threshold is reached, the account is no longer usable for a period of time that you can specify. This can help prevent someone from guessing passwords until he or she successfully logs in with someone else's account information.

Here's how to enable account lockout:

  1. Open the appropriate Security Policy (Domain or Local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy).

  2. In the Security Settings MMC, choose Account Lockout Policy under Account Policies.

  3. Double-click on Account Lockout Threshold.

  4. Set the Account Lockout Threshold to the number of attempts you will allow before the user is locked out. You can choose any setting between 1 and 999 attempts. A setting of 0 disables this option. (A good account lockout threshold should be between three and five incorrect tries.)

  5. Click OK.

  6. A dialog box informs you that the lockout duration and reset counters have been set to 30 minutes.

  7. Set the Account Lockout Duration by double-clicking on Account Lockout Duration. Set the amount of time you want to pass before the account is locked out. You can choose any time period from 1 to 99999 minutes. A setting of 0 will lock out the account until an administrator unlocks it.

  8. Click OK

  9. Set the Reset Account Lockout Counter by double-clicking on Reset Account Lockout Counter. Set the amount of time you want to pass before the lockout counter is reset. You can choose any time period from 1 to 99999 minutes.

  10. Click OK.

Force Periodic Password Changes

Never changing passwords is a security risk, since people who no longer need to know a password for an account will still be able to use that account. In general, passwords should be changed every 90 to 120 days in normal environments.

Here's how to enforce a password age:

  1. Open the appropriate security policy (domain or local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy).

  2. In the Security Settings MMC, highlight Password Policy under Account Policies.

  3. Double-click on Maximum password age.

  4. Set the Maximum Password Age to the number of days for which you want the password to be valid. You can choose any number from 1 to 999 days. A setting of 0 will set passwords never to expire.

  5. Click OK.

Remember Past Passwords

Having the system remember previous passwords prevents a user from using the same password over and over, which defeats the purpose of changing passwords in the first place.

To enforce password history:

  1. Open the appropriate security policy (domain or local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy).

  2. In the Security Settings windows, highlight Password Policy under Account Policies.

  3. Double-click Enforce Password History.

  4. Set Enforce Password History to the number of passwords you want the system to remember. You can choose any number from 1 to 24 previous passwords. Choosing 0 will set the system to not keep a password history.

  5. Click OK.

Set a Minimum Password Age

If you choose to have the system expire passwords and remember a certain number of past passwords, it's a good idea to set a minimum password age as well. For example, suppose you've set up your security system policy to expire passwords every 90 days and remember 24 previous passwords. However, you don't set up a minimum password age. When 90 days rolls around, people can just change their password 24 times that morning, and then choose their old password for the twenty-fifth time, thereby defeating the purpose of remembering passwords!

To enforce a minimum password age:

  1. Open the appropriate security policy (domain or local) by choosing Start | Administrative Tools | Local Security Policy (or Domain Security Policy).

  2. In the Security Settings window, highlight Password Policy under Account Policies.

  3. Double-click Minimum Password Age.

  4. Set the Minimum Password Age to the number of days for which you want the password to be valid. You can choose any number from 1 to 1 minus the number of days for your maximum password age. A setting of 0 will enable passwords to be changed immediately.

  5. Click OK.

Note 

The example for minimum password age may seem a little overcautious, but some people will exploit this to get around password policies. Some problems, however, may be better addressed as a personnel issue, rather than a technical one. This is a good example of one of those types of issues.

Tip 

Sometimes, using minimum password age can be problematic. If someone changes his or her password to something that doesn't work with another application, and that application requires that the password be the same, the user would need to change the second application password. With this policy in place, the user wouldn't be able to do this without administrator intervention.

Use One-Way Encryption for Password Storage

When enabled in the Local or Domain Security Policy, the Store Passwords Using Reversible Encryption policy stores the password using an encryption algorithm that can be used to read back the password from the security database. Normally, this is a one-way hash that is destroyed. This is essentially the same as storing the password in clear text, and it can be a security risk. Disabling this policy causes a one-way hash to be used; this is the default setting.

Don't Create User Accounts with Easy Passwords

Typically, when a user account is created, the person creating the account makes the password the same as the username or some other easy-to-remember word. Unfortunately, this default password is not always changed in a timely fashion. Even if the password is set to be changed at next logon, if the account is not used for some time, the password will be insecure for that entire time. Setting the initial password to a hardened one will reduce the risk of a new user account being hacked.




IIS 6(c) The Complete Reference
IIS 6: The Complete Reference
ISBN: 0072224959
EAN: 2147483647
Year: 2005
Pages: 193

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net