Recipe 17.7. Requiring Strong Passwords


Problem

You want to enforce the use of strong passwords for user accounts.

Solution

Using a graphical user interface

  1. Open the Group Policy Object Editor and target the Default Domain Policy.

  2. In the left pane, expand Computer Configuration Windows Settings Security Settings Account Policies Password Policy.

  3. Make sure the box beside Define this policy setting is checked and Enabled is selected.

  4. Click OK.

This setting does not have any effect on users' current passwords. Password complexity is required only after the next password change for each user. For more on how to force users to change their passwords, see Recipe 6.21 in Active Directory Cookbook (O'Reilly).

Discussion

Most users, if given a choice, pick really simple and easy-to-remember passwords. No matter how tight the security is on your systems, if an attacker can crack a user's password, it is all for naught. To combat this, you can enable password complexity on the Default Domain GPO to require users to choose a password that meets the following criteria:

  • Not contain any part of the user's account name

  • Contain at least six characters

  • Contain characters from three of the following:

    Uppercase
    Lowercase
    Digits
    Special character (e.g., %(@!)

By enabling this, you can feel a little better that once users change passwords, they won't choose something trivial (although passwords such as "Mypassword!" still pass the complexity test).

See Also

MS KB 225230, "Enabling Strong Password Functionality in Windows 2000"



Windows XP Cookbook
Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net