Authentication Policy Options


Authentication policies and other security policies can be applied to stand-alone computers, as well as member computers and domain controllers, by using the Security Configuration Manager Tools. The Security Configuration Manager tools consist of:

  • Local Security Policy

  • Security Settings extension to Group Policy

  • Security Templates snap-in

  • Security Configuration and Analysis snap-in

  • Secedit.exe command-line tool

To set or modify individual security settings on individual computers, use Local Security Policy. To define security settings that are enforced on any number of computers, use the Security Settings extension to Group Policy. To apply several settings in batch, use Security Templates to define the settings, and then apply those settings by using Security Configuration and Analysis or Secedit.exe, or import the template that contains your settings into Local or Group Policy. Figure 15-5 shows the Group Policy snap-in with the Security Settings extensions expanded.
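As an added example (not from the Resource Kit), the batch procedure just described scripted in PowerShell: write a security template in the INF format that the Security Templates snap-in uses, then import it with Secedit.exe. The file paths are constructed for the example, and the lockout threshold of 10 attempts is an assumed value; the other values follow the Password Policy and Account Lockout Policy guidance later in this section.

```powershell
# Added example, not from the Resource Kit: define account policy settings in a
# security template and apply them in one batch with Secedit.exe.
# Run from an elevated prompt. Paths are constructed for this example.
$template = Join-Path $env:TEMP 'account-policy.inf'
$database = Join-Path $env:TEMP 'account-policy.sdb'
$logFile  = Join-Path $env:TEMP 'account-policy.log'

# Template in the INF format used by the Security Templates snap-in. Password
# ages are in days; lockout duration and reset window are in minutes.
# LockoutBadCount = 10 is an assumed value; the other values follow the
# Password Policy and Account Lockout Policy guidance in this section.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 10
LockoutDuration = 30
ResetLockoutCount = 30
'@

# Security templates are Unicode text files.
Set-Content -Path $template -Value $inf -Encoding Unicode

# /configure imports the template into a working database and applies the
# SECURITYPOLICY area (account and local policies); /log records what changed.
& secedit.exe /configure /db $database /cfg $template /areas SECURITYPOLICY /log $logFile /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed (exit code $LASTEXITCODE); see $logFile"
}
Write-Host "Account policy applied; details in $logFile"
```

On a domain-joined computer the domain account policy is reapplied by Group Policy, so this is useful for stand-alone computers, or for producing a template to import into Local or Group Policy as the text describes.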


Figure 15-5: Group Policy snap-in

Note 

For more information about working with Group Policy, see Managing Desktops in this book. For more information about security-related Group Policy, see Authorization and Access Control in this book.

The following security policy options are logon options and authentication options that can be configured on a computer running Windows XP Professional. This section does not include security policy options that impact other areas of desktop security management.

Account Policies

Account policies affect Windows XP Professional computers in two ways. When applied to a local computer, account policies apply to the local account database that is stored on that computer. When applied to domain controllers, the account policies affect domain accounts for users logging on from Windows XP Professional computers that are joined to that domain.

Domain-wide account policies are defined in the Default Domain Group Policy object (GPO). All domain controllers pull the domain-wide account policy from the Default Domain GPO regardless of the organizational unit in which the domain controller exists. Thus, while there might be different local account policies for member computers in different organizational units, there cannot be different account policies for the accounts in a domain.

By default, all computers that are not domain controllers also receive the default domain account policy for their local accounts. However, different account policies can be established for local accounts on computers that are not domain controllers by setting an account policy at the organizational unit level. Account policies for stand-alone computers can be set by using Local Security Policy.

Password Policy

To modify the following password policy settings, open Local Security Policy or Group Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.

  • Maximum password age. The number of days a password can be used before the user must change it. Changing passwords regularly is one way to prevent passwords from being compromised. Typically, the default varies from 30 to 42 days.

  • Enforce password history. The number of unique, new passwords that must be associated with a user account before an old password can be reused. When used in conjunction with Minimum password age, this setting prevents reuse of the same password over and over. Most IT departments set a value greater than 10.

  • Minimum password age. The number of days a password must be used before the user can change it. The default value is zero, but it is recommended that this be reset to a few days. When used in conjunction with similarly short settings in Enforce password history, this restriction prevents reuse of the same password over and over.

  • Minimum password length. The minimum number of characters a user's password can contain. The default value is zero. Seven characters is a recommended and widely used minimum.

  • Passwords must meet complexity requirements. The default password filter (Passfilt.dll) included with Windows 2000 Server and Windows XP Professional requires that a password have the following characteristics:

      • Does not contain your name or user name.

      • Contains at least six characters.

      • Contains characters from each of the following three groups: uppercase and lowercase letters (A, a, B, b, C, c, and so on), numerals, and symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on).

    This policy is disabled by default.

Tip 

It is strongly recommended that you enable this policy setting.
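As an added example, not from the Resource Kit and not the Passfilt.dll code itself, the three rules listed above expressed as a PowerShell check, so that a rejected candidate reports which rule it fails. It reads the third rule as the text states it (a letter of either case, a numeral and a symbol), and it treats the name check as a case-insensitive search for the user name and for each word of the user's full name; both are assumptions of this example, not a statement of the filter's internals. The sample user and candidate passwords are constructed.

```powershell
# Added example, not from the Resource Kit: the three Passfilt.dll rules listed
# in this section, applied to a candidate password so the failing rule is shown.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $FullName = ''
    )
    $failures = @()

    # Rule 1: must not contain the user name or the user's name. Assumption for
    # this example: a case-insensitive substring test against the user name and
    # against each word of the full name that is three or more characters long.
    $nameParts = @($UserName) + @($FullName -split '\s+' | Where-Object { $_.Length -ge 3 })
    foreach ($part in $nameParts) {
        if ($Password.IndexOf($part, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains name part '$part'"
            break
        }
    }

    # Rule 2: at least six characters.
    if ($Password.Length -lt 6) { $failures += 'fewer than 6 characters' }

    # Rule 3: a character from each of the three groups the section lists:
    # letters (upper or lower case), numerals, and symbols (anything else).
    if ($Password -cnotmatch '[A-Za-z]')    { $failures += 'no letter' }
    if ($Password -notmatch '[0-9]')        { $failures += 'no numeral' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures += 'no symbol' }

    [pscustomobject]@{
        Password = $Password
        Accepted = ($failures.Count -eq 0)
        Reasons  = ($failures -join '; ')
    }
}

# Usage with constructed candidates for the constructed user "jsmith" (Jane Smith).
'summer', 'Summer2003', 'jsmith!9x', 'Smith!23x', 'Bl!3ptR' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -UserName 'jsmith' -FullName 'Jane Smith' } |
    Format-Table -AutoSize
```

The candidates are chosen so that each rule is exercised at least once: a lowercase word, a word with a numeral but no symbol, two that embed the user name or surname, and one that meets all three rules.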

Account Lockout Policy

Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. To modify lockout policy settings, launch Local Security Policy or Group Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

  • Account lockout threshold. The number of failed logon attempts before a user account is locked out. A locked-out account cannot be used until an administrator resets it, or until the account lockout duration expires. You can set values between 1 and 999 failed logon attempts, or you can specify that the account is never locked out by setting the value to 0.

      • This setting is disabled in the Default Domain Group Policy object and in Local Security Policy for workstations and servers. You must change this to enable lockout after a specified number of attempts.

      • Unsuccessful attempts to log on to workstations or member servers that have been locked using either CTRL+ALT+DEL or password-protected screen savers do not count as failed logon attempts under this policy setting. Failed attempts to log on remotely do count.

  • Account lockout duration. The number of minutes (from 1 to 99999) an account remains locked out before it unlocks. By setting the value to 0, you can specify that the account remains locked out until an administrator unlocks it. By default, this policy is not defined because it has meaning only when an account lockout threshold is specified.

  • Reset account lockout counter after. Determines how many minutes (1 to 99999) must elapse after a failed logon attempt before the counter resets to 0 bad logon attempts. This value must be less than or equal to the account lockout duration. Typically, a reset time of 30 minutes is sufficient because the purpose of an account lockout is to delay an attack on a password.

To manually reset an account that has been locked out, open the user's property sheet in Active Directory Users and Computers. On the Account tab, clear the Account is Locked Out check box. Even though it is a good practice to reset the user's password at the same time, changing the password does not unlock the account.
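As an added example, not from the Resource Kit, a PowerShell audit that exports the effective local security policy with Secedit.exe and compares the [System Access] values against the Password Policy and Account Lockout Policy guidance in this section (password expiry, history greater than 10, a minimum age of at least a day, length of at least 7, complexity enabled, lockout enabled, and a reset window no longer than the lockout duration). The export path is constructed; the INF key names are those Secedit.exe writes in the [System Access] section.

```powershell
# Added example, not from the Resource Kit: export the effective local security
# policy with Secedit.exe and check the [System Access] values against the
# Password Policy and Account Lockout Policy guidance in this section.
# Run from an elevated prompt. The export path is constructed for this example.
function Get-SystemAccessPolicy {
    param([string] $ExportPath = (Join-Path $env:TEMP 'secpol-audit.inf'))

    # /areas SECURITYPOLICY limits the export to account and local policies.
    & secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $ExportPath)) {
        throw "secedit /export failed (exit code $LASTEXITCODE)"
    }

    # Keep only the [System Access] section. Values are integers except the
    # quoted account names (NewAdministratorName, NewGuestName). The export is
    # Unicode text with a byte-order mark, which Get-Content detects.
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $ExportPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $key   = $Matches[1]
            $value = $Matches[2]
            if ($value -match '^-?\d+$') { $settings[$key] = [int]$value }
            else                         { $settings[$key] = $value.Trim('"') }
        }
    }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    return $settings
}

function Test-AccountPolicy {
    param([Parameter(Mandatory)] [hashtable] $Policy)

    # LockoutDuration 0 means "locked until an administrator unlocks it", which
    # satisfies the rule that the reset window must not exceed the duration.
    # When lockout is not enabled the key may be absent; -1 marks it undefined.
    $duration = if ($Policy.ContainsKey('LockoutDuration')) { $Policy['LockoutDuration'] } else { -1 }

    # Each check pairs an exported key with the rule stated in this section.
    $checks = @(
        @{ Key = 'MaximumPasswordAge';    Rule = 'expires; 30-42 days is typical';         Test = { param($v) $v -ge 1 -and $v -le 42 } }
        @{ Key = 'PasswordHistorySize';   Rule = 'more than 10 passwords remembered';      Test = { param($v) $v -gt 10 } }
        @{ Key = 'MinimumPasswordAge';    Rule = 'at least 1 day, so history is enforced'; Test = { param($v) $v -ge 1 } }
        @{ Key = 'MinimumPasswordLength'; Rule = 'at least 7 characters';                  Test = { param($v) $v -ge 7 } }
        @{ Key = 'PasswordComplexity';    Rule = 'enabled (1)';                            Test = { param($v) $v -eq 1 } }
        @{ Key = 'LockoutBadCount';       Rule = 'lockout enabled (1-999 attempts)';       Test = { param($v) $v -ge 1 -and $v -le 999 } }
        @{ Key = 'ResetLockoutCount';     Rule = 'no greater than lockout duration';       Test = { param($v) $duration -eq 0 -or ($duration -gt 0 -and $v -le $duration) } }
    )

    foreach ($check in $checks) {
        $defined = $Policy.ContainsKey($check.Key)
        $value   = if ($defined) { $Policy[$check.Key] } else { $null }
        $test    = $check.Test
        $pass    = $defined -and [bool](& $test $value)
        $shown   = if ($defined) { $value } else { '(not defined)' }
        [pscustomobject]@{
            Setting = $check.Key
            Value   = $shown
            Pass    = $pass
            Rule    = $check.Rule
        }
    }
}

# Usage: one row per setting, with its current value and whether it meets the guidance.
Test-AccountPolicy -Policy (Get-SystemAccessPolicy) | Format-Table -AutoSize
```

On a domain member the exported values are the ones the domain account policy has already applied, so a failing row there points at the Default Domain GPO rather than at the local computer.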

Kerberos Policy

Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the default domain GPO, where they affect domain logons performed from Windows XP Professional computers.

For information about Kerberos policy, see Authentication in the Distributed Systems Guide.

Local Policies

In Local Security Policy and Group Policy, three categories of security policy are located under Computer Configuration\Windows Settings\Security Settings\Local Policies:

Note 

For information about Audit Policy see Auditing and Troubleshooting in this chapter.

User Rights Assignment

User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to allow or deny users permission to access their computer based on their method of access and their security group memberships.

In the Local Security Settings and Group Policy snap-ins, the following policy options that affect user rights based on their method of accessing the computer are located under the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment extension:

Note 

The User Rights Assignment extension includes additional policy options that are not listed here.

Security Options

You might want to set the following security options in order to modify logon-related behaviors:

The following policy options are located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

Note 

The Security Options extension includes additional policy options that are not listed here.




Microsoft Windows XP Professional Resource Kit 2003