Active Directory on Windows Server 2003 supports security policies to strengthen passwords and their use within an enterprise. Of course, you must design a password policy that is sufficiently daunting to attackers while being sufficiently convenient for users, so that they do not forget passwords (resulting in increased calls to the help desk) or, worse, write down their passwords.
A system running Windows Server 2003 as a member server maintains a policy related to its local user accounts. The local security policy can be managed using the appropriately named snap-in: Local Security Policy.
You will more often be concerned with the policy that affects domain user objects. Domain account policy is managed by the Default Domain Policy. To examine and modify this policy, open Active Directory Users and Computers. Select the domain node and choose Properties from the Action menu. Click the Group Policy tab. The GPO listed as the first, or top, object link is the policy object that will drive the domain account policies. It is typically, and in best practice, the Default Domain Policy. Select that policy and click Edit. The Group Policy Object Editor console opens, focused on the Default Domain Policy. Navigate to Computer Configuration, Windows Settings, Security Settings, Account Policies.
Lesson 4 Securing and Troubleshooting Authentication 3-39
Password Policy
The domain password policies enable you to protect your network against password compromise by enforcing best-practice password management techniques. The policies are described in Table 3-5.
Table 3-5 Password Policies
Enforce Password History
When this policy is enabled, Active Directory maintains a list of recently used passwords, and will not allow a user to create a password that matches a password in that history. The result is that a user, when prompted to change his or her password, cannot use the same password again, and therefore cannot circumvent the password lifetime. The policy is enabled by default, with the maximum value of 24. Many IT organizations use a value of 6 to 12.

Maximum Password Age
This policy determines when users will be forced to change their passwords. Passwords that are unchanged or infrequently changed are more vulnerable to being cracked and utilized by attackers to impersonate a valid account. The default value is 42 days. IT organizations typically enforce password changes every 30 to 90 days.

Minimum Password Age
When users are required to change their passwords—even when a password history is enforced—they can simply change their passwords several times in a row to circumvent password requirements and return to their original passwords. The Minimum Password Age policy prevents this possibility by requiring that a specified number of days must pass between password changes. Of course, a password can be reset at any time in Active Directory by an administrator or support person with sufficient permissions. But the user cannot change their password more than once during the time period specified by this setting.

Minimum Password Length
This policy specifies the minimum number of characters required in a password. The default in Windows Server 2003 is seven.

Passwords Must Meet Complexity Requirements
This policy enforces rules, or filters, on new passwords.
The default password filter in Windows Server 2003 (passfilt.dll) requires that a password:
■ Is not based on the user’s account name.
■ Is at least six characters long.
■ Contains characters from three of the following four character types:
❑ Uppercase alphabet characters (A…Z)
❑ Lowercase alphabet characters (a…z)
❑ Arabic numerals (0…9)
❑ Nonalphanumeric characters (for example, !$#,%)
Windows Server 2003 enables this policy by default.
Note Configuring password length and complexity requirements does not affect existing passwords. These changes will affect new accounts and changed passwords after the policy is applied.
Account Lockout Policy
Account lockout refers, in its broadest sense, to the concept that after several failed logon attempts by a single user, the system should assume that an attacker is attempting to compromise the account by discovering its password and, in defense, should lock the account so no further logons may be attempted. Domain account lockout policies determine the limitations for invalid logons, expressed in a number of invalid logons in a period of time, and the requirements for an account to become unlocked, whether by simply waiting or contacting an administrator. Table 3-6 summarizes Account Lockout policies.
Table 3-6 Account Lockout Policies
Account Lockout Threshold
This policy configures the number of invalid logon attempts that will trigger account lockout. The value can be in the range of 0 to 999. A value that is too low (as few as three, for example) may cause lockouts due to normal, human error at logon. A value of 0 will result in accounts never being locked out. The lockout counter is not affected by logons to locked workstations.

Account Lockout Duration
This policy determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user’s account. The policy is not set by default, as it is useful only in conjunction with the Account Lockout Threshold policy. Although the policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks, a low setting (5 to 15 minutes) is sufficient to reduce attacks significantly without unreasonably affecting legitimate users who are mistakenly locked out. A value of 0 will require the user to contact appropriate administrators to unlock the account manually.

Reset Account Lockout Counter After
This setting specifies the time that must pass after an invalid logon attempt before the counter resets to zero. The range is 1 to 99999 minutes, and must be less than or equal to the account lockout duration.
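An added Python simulation of how the three lockout settings interact (not code from the original text or from Active Directory): times are minutes on a simple clock, threshold 0 never locks, duration 0 means an administrator must unlock, and the reset window may not exceed the duration. It assumes that attempts made while an account is already locked neither advance the counter nor extend the lockout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int        # invalid logons that trigger lockout; 0 = never lock (0..999)
    duration_min: int     # minutes until automatic unlock; 0 = manual unlock (0..99999)
    reset_after_min: int  # minutes after which the bad-logon counter resets (1..99999)

    def __post_init__(self):
        # A manual-unlock duration (0) places no bound on the reset window.
        if self.duration_min and self.reset_after_min > self.duration_min:
            raise ValueError("Reset Account Lockout Counter After must be <= Account Lockout Duration")


@dataclass
class Account:
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad: Optional[float] = None      # minute of the most recent invalid logon
    locked_until: Optional[float] = None  # None = unlocked; inf = until administrator unlocks

    def is_locked(self, now: float) -> bool:
        if self.locked_until is None:
            return False
        if now >= self.locked_until:      # duration elapsed: AD unlocks automatically
            self.locked_until = None
            self.bad_count = 0
            return False
        return True

    def failed_logon(self, now: float) -> bool:
        """Record an invalid logon at minute `now`; return True if the account is locked."""
        if self.is_locked(now):
            return True  # assumption: attempts while locked change nothing
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after_min:
            self.bad_count = 0  # reset window elapsed since the last invalid logon
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_until = now + self.policy.duration_min if self.policy.duration_min else float("inf")
            return True
        return False

    def admin_unlock(self) -> None:
        self.locked_until = None
        self.bad_count = 0
```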