Passwords are a critical line of defense in the security wars. Passwords must be sufficiently complex and changed often. Before adding new user accounts, open Server Management from the Start menu, click Users in the console tree, and then click Configure Password Policies to open the Configure Password Policies dialog box (Figure 9-3).
Figure 9-3: Setting password requirements.
Set the minimum password length (at least seven characters). Select the second check box to require that the password be of sufficient complexity—that is, it meets three of the following four conditions:
It includes at least one capital letter.
It includes at least one lowercase letter.
It includes at least one numeral.
It includes at least one nonalphanumeric character (such as +, *, ^, $, and @).
Select the third check box to set the number of days that a password can be used before the system requires a change. The default setting is 42 days. Resist the temptation to make the number smaller. If users are required to change passwords too often, it won’t be long before passwords start appearing on sticky notes in desk drawers or attached to monitors.
At the bottom of the dialog box, you specify when these password policies go into effect. If your Windows Small Business Server is new, postpone activating strong passwords until after you configure the clients but before users log on the first time.
Rules for Good Passwords
A good password has the following characteristics:
It is not a rotation of the characters in a logon name.
It contains at least two alphabetic characters and one nonalphabetic character.
It is at least seven characters long.
It isn’t the user’s name or initials, the initials of his or her children or significant other, or any of these items combined with other commonly available personal data such as a birth date, telephone number, or license plate number.
It isn’t the name of a pet or a favorite sport, drink, television show, or any other personal term that could be easily guessed.
Among the best passwords are alphanumeric acronyms of phrases that have a meaning to the user but are not likely to be known to others. This makes the password easy for the user to remember while at the same time making it hard for an outsider to guess. For example, you could use a catch phrase such as “too good to be true” and change it into the password Twogood2bTru. Or “forever and a day” could be transformed into the password 4ever+24. It just takes a little imagination.
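The complexity rule above (minimum length plus three of the four character classes) and the "Rules for Good Passwords" are easy to get subtly wrong when you try to explain them to users or audit a list of proposed passwords. The following checker is an added example, not code from the book or from Windows Small Business Server; it reimplements those rules in Python so that the two sample passwords from the chapter can be run through them. The logon name `jsmith` and the personal-term list are constructed for the demonstration, and the "personal data" rule is generalized to a substring check (the chapter only says the password must not *be* such a term), so the assumption is stated in the code.

```python
import string

MIN_LENGTH = 7  # the chapter's minimum password length

# The four character classes Windows counts for the complexity check;
# a password must contain characters from at least three of them.
_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda ch: ch in string.punctuation,  # includes + * ^ $ @
}


def character_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, test in _CLASSES.items()
            if any(test(ch) for ch in password)}


def meets_complexity(password):
    """Windows-style complexity: MIN_LENGTH or longer and 3 of the 4 classes."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= 3


def is_rotation(candidate, logon):
    """True if candidate is the logon name with its characters rotated
    (case-insensitive), e.g. 'mithjs' for the logon 'jsmith'."""
    a, b = candidate.lower(), logon.lower()
    # A rotation of b is always a substring of b concatenated with itself.
    return len(a) == len(b) and len(a) > 0 and a in (b + b)


def check_password(password, logon, personal_terms=()):
    """Apply the chapter's 'Rules for Good Passwords' plus the complexity check.

    Returns a list of the rules the password fails (empty means it passes).
    personal_terms is a constructed list of names, pet names, birth years and
    similar items that the password must not contain (assumption: a substring
    match, which is stricter than the chapter's wording).
    """
    failures = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append("too short")

    alpha = sum(ch.isalpha() for ch in password)
    non_alpha = len(password) - alpha
    if alpha < 2 or non_alpha < 1:
        failures.append("needs two alphabetic and one non-alphabetic character")

    if is_rotation(password, logon):
        failures.append("rotation of logon name")

    if len(character_classes(password)) < 3:
        failures.append("fewer than three character classes")

    for term in (logon, *personal_terms):
        t = term.lower()
        if t and t in lower:
            failures.append(f"contains personal term '{term}'")

    return failures


if __name__ == "__main__":
    # Constructed logon name and personal data for the demonstration.
    logon = "jsmith"
    personal = ["smith", "rex", "1984"]
    for candidate in ["Twogood2bTru", "4ever+24", "mithjs", "Jsmith1984!"]:
        problems = check_password(candidate, logon, personal)
        verdict = "ok" if not problems else "; ".join(problems)
        print(f"{candidate:14} complexity={meets_complexity(candidate)!s:5} {verdict}")
```

Both passphrase-derived passwords from the chapter pass every rule: `Twogood2bTru` has uppercase, lowercase and a digit, and `4ever+24` has lowercase, digits and a symbol. A rotation of the logon name fails on several counts at once, and a password that merely decorates the logon name with a year and a symbol passes the complexity test yet is still rejected, which is exactly why the chapter's rules go beyond the dialog-box setting.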
Security Alert
It pays to educate your users about passwords and password privacy, but most of all, it pays to heed your own advice: make sure the password you select for administration is a good password, and change it frequently. Doing so will help you avoid the consequences of having somebody break into your system and wreak havoc in your own kingdom.
Administrators should have two accounts on the system: one administrative account and one normal user account. Use the normal user account unless you are performing administrative tasks. Because administrative accounts have virtually unlimited privileges, they are a prime target for intruders.