7.2: Securing Authentication in Active Directory
7.2.1: Account Policy
Account policy settings for domain accounts are read only from group policy objects linked at the domain level; where more than one GPO is linked there, the one with the highest link order (priority) wins. Account policy settings placed in a GPO linked to a site or an OU affect only the local accounts on the computers in that container, never domain accounts.
On installation of Windows Server 2003 the DEFAULT DOMAIN POLICY controls the Account Policy settings for the domain. The three areas inside the Account Policies section of a group policy object are Password Policy, Account Lockout Policy and Kerberos Policy. The settings configured in each of these areas affect ALL domain users and should be configured to suit the organization's security needs.
Password Policy - Used to protect the network against password compromise. The policies and their Windows Server 2003 defaults are:
- Enforce password history. Default value 24 passwords remembered (the maximum)
- Maximum password age. Default value 42 days
- Minimum password age. Default value 1 day (a value of 0 lets a user change the password repeatedly in one sitting and cycle straight back to an old one, which defeats the history setting)
- Minimum password length. Default value 7 characters
- Passwords must meet complexity requirements. Default Enabled
- Store passwords using reversible encryption. Default Disabled. Windows normally stores only a one-way hash of each password; this setting exists for authentication methods that need the plaintext password on the server (e.g. CHAP, Digest authentication, older Macintosh clients). Once enabled, every affected password is recoverable in plaintext by anyone who can read the directory database, so leave it disabled unless a specific application requires it.
NOTE: Windows 98 and NT4 both support passwords of up to 14 characters; Windows 2000, XP and Server 2003 all support passwords of up to 127 characters.
Account Lockout Policy - Used to control what happens when a user repeatedly attempts to log on with incorrect credentials:
- Account lockout duration (0 to 99999 minutes; 0 means the account stays locked until an administrator unlocks it). Default Not Defined
- Account lockout threshold (0 to 999 invalid logon attempts; 0 means accounts are never locked out). Default 0 invalid logon attempts
- Reset account lockout counter after (1 to 99999 minutes). Default Not Defined
Lockout is a trade-off: with the default threshold of 0 an attacker can guess passwords online without limit, while a very low threshold lets anyone who knows a user name lock that user out on purpose. Choose a threshold that stops guessing without making denial of service trivial.
NOTE: a locked-out account stays locked until the lockout duration expires or until an Administrator unlocks it (with a duration of 0, only an Administrator can unlock it). The Administrator CANNOT manually lock an account; the nearest equivalent is to disable the account.
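As an added worked example (not part of the original study notes), the following PowerShell script reads the effective domain Account Policy straight from the attributes that the domain-linked GPO writes onto the domain naming context, reports each Password Policy and Account Lockout Policy setting listed above, flags values weaker than the documented defaults, and shows what "unlock account" actually does in the directory. It assumes a domain-joined Windows host with ADSI available; the domain DN, the user DN in the usage line and the helper names (Convert-AdInterval, New-PolicyRow, Unlock-DomainUser) are placeholders chosen for this example.

```powershell
# Added example, not from the original notes. Reads the domain Account Policy
# (Password Policy + Account Lockout Policy) from the attributes the domain-linked
# GPO stamps on the domain naming context, and flags weak settings.
# Assumptions: run on a domain-joined host; $domainDn is a placeholder for your domain.
$domainDn = 'DC=corp,DC=example,DC=com'      # assumed placeholder, replace with your domain DN
$domain   = [ADSI]"LDAP://$domainDn"

# Interval attributes (maxPwdAge, minPwdAge, lockoutDuration, lockOutObservationWindow)
# are stored as negative Int64 counts of 100 ns ticks. Int64.MinValue means "never"
# (password never expires / locked until an administrator unlocks it).
function Convert-AdInterval([string]$Attribute) {
    $raw = $domain.ConvertLargeIntegerToInt64($domain.$Attribute.Value)
    if ($raw -eq [Int64]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$raw)
}

# One report row per setting (PowerShell 2.0-compatible, no [ordered] needed).
function New-PolicyRow([string]$Setting, $Value, [string]$Finding) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Setting $Setting
    $row | Add-Member NoteProperty Value   $Value
    $row | Add-Member NoteProperty Finding $Finding
    return $row
}

$history   = [int]$domain.pwdHistoryLength.Value
$maxAge    = Convert-AdInterval 'maxPwdAge'
$minAge    = Convert-AdInterval 'minPwdAge'
$minLen    = [int]$domain.minPwdLength.Value
$pwdProps  = [int]$domain.pwdProperties.Value      # bit flags, decoded below
$threshold = [int]$domain.lockoutThreshold.Value
$duration  = Convert-AdInterval 'lockoutDuration'
$window    = Convert-AdInterval 'lockOutObservationWindow'

$complex    = [bool]($pwdProps -band 0x1)   # DOMAIN_PASSWORD_COMPLEX
$reversible = [bool]($pwdProps -band 0x10)  # DOMAIN_PASSWORD_STORE_CLEARTEXT

$report = @(
    (New-PolicyRow 'Enforce password history' $history `
        $(if ($history -lt 24) { 'below default of 24' } else { 'ok' }))
    (New-PolicyRow 'Maximum password age (days)' $(if ($maxAge) { $maxAge.TotalDays } else { 'never' }) `
        $(if (-not $maxAge) { 'passwords never expire' } elseif ($maxAge.TotalDays -gt 42) { 'above default of 42' } else { 'ok' }))
    (New-PolicyRow 'Minimum password age (days)' $minAge.TotalDays `
        $(if ($minAge.TotalDays -eq 0) { '0 lets users cycle straight back to an old password' } else { 'ok' }))
    (New-PolicyRow 'Minimum password length' $minLen `
        $(if ($minLen -lt 7) { 'below default of 7' } else { 'ok' }))
    (New-PolicyRow 'Passwords must meet complexity' $complex `
        $(if ($complex) { 'ok' } else { 'complexity disabled' }))
    (New-PolicyRow 'Store password using reversible encryption' $reversible `
        $(if ($reversible) { 'ENABLED: passwords recoverable in plaintext from the directory' } else { 'ok' }))
    (New-PolicyRow 'Account lockout threshold' $threshold `
        $(if ($threshold -eq 0) { 'no lockout: unlimited online guessing' } else { 'ok' }))
    (New-PolicyRow 'Account lockout duration (minutes)' $(if ($duration) { $duration.TotalMinutes } else { 'until admin unlocks' }) 'informational')
    (New-PolicyRow 'Reset lockout counter after (minutes)' $(if ($window) { $window.TotalMinutes } else { 'n/a' }) 'informational')
)
$report | Format-Table -AutoSize

# The Administrator cannot lock an account, only unlock one. The "Unlock account"
# checkbox in the user's properties does exactly this: it writes 0 to lockoutTime.
# Requires write access to the user object. Note that lockoutTime is NOT cleared
# automatically when the lockout duration expires, so a non-zero lockoutTime alone
# does not prove an account is still locked; the DC compares it to lockoutDuration.
function Unlock-DomainUser([string]$UserDn) {
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('lockoutTime', 0)
    $user.SetInfo()
}
# Usage (assumed DN): Unlock-DomainUser 'CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com'
```

Reading the domain attributes rather than the GPO itself shows what the domain controllers are actually enforcing, which is the check to run when a domain- or OU-linked GPO appears to set an account policy that never takes effect.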