In Chapter 3, "Setting Up and Managing User Accounts," you learned about assigning user account passwords and how to unlock an account that was locked by the system. In this lesson, you learn how to improve the security of your user's passwords and how to control when the system locks out a user account.
Password Policy allows you to improve security on your computer by controlling how passwords are created and managed. You can specify the maximum length of time a password can be used before the user must change it. Changing passwords decreases the chances of an unauthorized person breaking into your computer. If an unauthorized user has discovered a user account and password combination for your computer, forcing users to change passwords regularly will cause the user account and password combination to eventually fail and lock the unauthorized user out of the system.
Other Password Policy options are available to improve a computer's security. For example, you can specify a minimum password length. The longer the password, the more difficult it is to discover. Another example is maintaining a history of the passwords used. This prevents a user from having two passwords and alternating between them.
You can configure Password Policy on a computer running Windows XP Professional by using the Group Policy snap-in. You use the Group Policy snap-in to configure Password Policy as follows:
The Select Group Policy Object dialog box appears, allowing you to point the Group Policy snap-in at the local computer or at a remote computer. The Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line check box allows you to configure the MMC so that you can decide which computer to use Group Policy on when you start the MMC.
The console displays the current Password Policy settings in the details pane, as shown in Figure 13.1.
Figure 13.1 The Group Policy snap-in displaying Password Policy settings
Table 13.1 explains the available Password Policy settings.
Table 13.1 Password Policy Settings
Enforce Password History
The value you enter for this setting indicates the number of passwords to be kept in a password history. The default value of 0 indicates that no password history is being kept. You can set the value from 0 to 24, indicating the number of passwords to be kept in password history. This value indicates the number of new passwords that a user must use before he or she can reuse an old password.
Maximum Password Age
The value you enter for this setting is the number of days a user can use a password before he or she is required to change it.
A value of 0 indicates the password will not expire.
The default value is 42 days and the range of values is 0 to 999 days.
Minimum Password Age
The value you enter for this setting is the number of days a user must keep a password before he or she can change it.
The default value of 0 indicates that the password can be changed immediately. If you are enforcing password history, this value should not be set to 0.
You can set the range of values from 0 to 999 days. This value indicates how long the user must wait before changing his or her password again. Use this value to prevent a user who was forced by the system to change his or her password from immediately changing it back to the old password.
The minimum password age must be less than the maximum password age.
Minimum Password Length
The value you enter for this setting is the minimum number of characters required in a password. The value can range from 0 to 14 characters inclusive.
The default value of 0 indicates that no password is required.
Passwords Must Meet Complexity Requirements
The options are Enabled or Disabled (the default).
If enabled, all passwords must meet or exceed the specified minimum password length; must comply with the password history settings; must contain capitals, numerals, or punctuation; and cannot contain the user's account or full name.
Store Password Using Reversible Encryption For All Users In The Domain
The options are Enabled or Disabled (the default).
This enables Windows XP Professional to store a reversibly encrypted password for all users in the domain-for example, to be used with the Challenge Handshake Authentication Protocol (CHAP). This option is only applicable if your computer running Windows XP Professional is in a domain.
The MMC Console displays the properties dialog box for the selected setting. Figure 13.2 shows the properties dialog box for the Maximum Password Age setting.
Figure 13.2 The Maximum Password Age Properties dialog box
By carefully planning and configuring your Password Policy settings you can improve the security of your computer by decreasing the chances of an unauthorized user gaining access to it.
The Account Lockout Policy settings also allow you to improve the security on your computer. If no account lockout policy is in place, an unauthorized user can repeatedly try to break into your computer. If, however, you have set an account lockout policy, the system locks out the user account under the conditions you specify in Account Lockout Policy.
You access the Account Lockout Policy settings using the Group Policy snap-in, just as you did to configure the Password Policy settings. The console displaying the current Account Lockout Policy settings in the details pane is shown in Figure 13.3.
Figure 13.3 The Group Policy snap-in displaying the Account Lockout Policy settings
Table 13.2 explains the settings available in Account Lockout Policy.
Table 13.2 Account Lockout Policy Settings
Account Lockout Duration
The value you enter for this setting indicates the number of minutes that the account is locked out. A value of 0 indicates that the user account is locked out indefinitely until an administrator unlocks the user account. You can set the value from 0 to 99,999 minutes. (The maximum value of 99,999 minutes is approximately 69.4 days.)
Account Lockout Threshold
The value you enter for this setting is the number of invalid logon attempts before the user account is locked out from logging on to the computer. A value of 0 indicates that the account will not be locked out, no matter how many invalid logon attempts are made. You can set the range of values from 0 to 999 attempts.
Reset Lockout Counter After
The value you enter for this setting is the number of minutes to wait before resetting the account lockout counter. You can set the range of values from 1 to 99,999 minutes.
In this practice you configure the Account Policy settings for your computer and then test them to make sure you set them correctly.
Run the AccountPolicy file in the Demos folder on the CD-ROM accompanying this book for a demonstration of configuring account policy.
In this exercise, you use the custom MMC console containing the Group Policy snap-in you created in Chapter 12, "Auditing Resources and Events," and saved with the name Local Group Policy. You use it to configure the minimum password length, one of the Account Policy settings for your computer. You then test the minimum password length to confirm it was correctly configured.
The MMC console opens the Local Group Policy console you created in Chapter 12, "Auditing Resources and Events." If you have not created the Local Group Policy console, see the first practice in that chapter for the steps to create it.
Account Policies has two nodes: Password Policy and Account Lockout Policy.
Windows XP Professional displays the Minimum Password Length Properties dialog box.
A User Accounts message box appears, indicating that your new password does not meet the password policy requirements. This test proves that you correctly configured the minimum password length account policy to eight characters.
In this exercise, you configure and test some additional Account Policy settings.
What settings did you use for each of the three listed items?
Windows XP Professional displays a Logon Message message box indicating that you must change your password at first logon.
Windows XP Professional displays a Change Password message box indicating that your password was successfully changed.
Were you successful? Why or why not?
In this exercise, you configure Account Lockout Policy settings and then test them to make sure they are set up correctly.
If a Suggested Value Changes dialog box appears, click OK and then verify that your settings are correct.
What Account Lockout Policy settings did you use for each of the two conditions?
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."