Account Policies

From GPO.wiki
Section: Computer Configuration
Path: Policies \ Windows Settings \ Security Settings

The Account Policies section allows administrators to define security-related settings for account handling.

Password Policy

Enforce password history

This setting defines the number of passwords the client remembers and the user is not allowed to reuse. If the user tries to use an old but still remembered password, he receives an error message that the password does not meet the password policy.

Description:

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

Default:

24 on domain controllers. 0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.

Values: Number from 0 to 24. 0 means that no history is kept. N = number of remembered passwords.

Maximum password age

This setting allows passwords to expire. When the password has expired and the user logs on, he is automatically forced to change the password.

Description:

This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.

Default: 42.

Values: Number from 0 to 999. 0 means password will not expire. N = number of days after which the password expires.

Minimum password age

This setting defines the time span after a password change in which the user is not allowed to change the password again. If the user tries to change his password within this time span, an error message is displayed that the new password does not meet the requirements.

Description:

This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.

Default:

1 on domain controllers. 0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

Values: Number from 0 to 998. 0 means passwords can be changed immediately. N = number of days after which the user can change the password.

Minimum password length

This setting defines the length a new password has to have. If a user enters a shorter password, an error message is displayed that the password does not meet the requirements.

If this policy is set after a user enters a (shorter) password, his old password remains valid until it expires. The new password has to meet the length requirements.

Description:

This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Default:

7 on domain controllers. 0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

Values: Number from 0 to 14. 0 means no password is required. N = minimum number of characters the password must have.

Password must meet complexity requirements

This setting defines whether the password must be complex. Complex passwords contain characters from 3 of the following 4 categories:

  • Uppercase characters (A-Z)
  • Lowercase characters (a-z)
  • Digits (0-9)
  • Special characters (e.g. !"§$%&/)=?*'#)

Additionally, the password must not contain more than two consecutive characters from

  • the account name
  • the full name (if the full name contains more than one word, each word is checked separately)

Description:

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Default:

Enabled on domain controllers. Disabled on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

Values: Enabled/Disabled.
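The complexity rule described above, implemented as an added example (this is not code from GPO.wiki or Windows' own password filter). The delimiter set used to split the full name into words and the three-character minimum for checked words and account names are assumptions of this example:

```python
import re

# Delimiters assumed for splitting the full name into words (the page says each word
# is checked separately; this delimiter set is an assumption, not taken from the page).
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def name_tokens(full_name: str) -> list[str]:
    """Words of the full name long enough (three or more characters) to be checked."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def complexity_failures(password: str, account_name: str, full_name: str = "") -> list[str]:
    """Return the rules a candidate password violates under 'Password must meet
    complexity requirements' as described on this page. An empty list means accepted."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than six characters")
    categories = [
        any("A" <= c <= "Z" for c in password),  # English uppercase
        any("a" <= c <= "z" for c in password),  # English lowercase
        any("0" <= c <= "9" for c in password),  # base 10 digits
        any(not c.isalnum() for c in password),  # non-alphabetic (symbols)
    ]
    if sum(categories) < 3:
        failures.append("fewer than three of the four character categories")
    lowered = password.lower()
    # Account names shorter than three characters are not checked (assumption, matching
    # the 'more than two consecutive characters' wording). Matching is case-insensitive.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            failures.append(f"contains part of the full name ({token!r})")
    return failures
```

Each returned entry corresponds to one of the bullet points in the description, so the function can be used to explain to a user exactly why a candidate password was rejected.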

Store password using reversible encryption

This setting defines whether passwords are stored using reversible encryption (hence making them less secure). This setting should only be used if technical reasons require it.

Description:

This security setting determines whether the operating system stores passwords using reversible encryption.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Default: Disabled.

Values: Enabled/Disabled.

Account Lockout Policy

Account lockout duration

If the account lockout threshold is set, this setting allows administrators to automatically unlock accounts after a certain time period.

If accounts should stay locked until an administrator unlocks them, the value has to be 0. If accounts should be unlocked automatically, the value must be greater than 0 and equal to or greater than the reset time.

Description:

This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.

Values: Number from 0 to 99999. 0 means that accounts will not be unlocked automatically. N = number of minutes after which the account will be unlocked.

Account lockout threshold

Defines the number of failed logon attempts after which the account will be locked. A locked account cannot be used until an administrator unlocks it or it is unlocked automatically after the account lockout duration.

Description:

This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

Default: 0.

Values: Number from 0 to 999. 0 means that accounts will not be locked. N = number of attempts after which the account will be locked.

Reset account lockout counter after

Defines the time in minutes after which the failed logon attempt counter is reset.

Example: A user enters a wrong password twice. The counter is set to 2. The third attempt is successful, but the counter stays at 2. To prevent the account from locking over time, the counter should be reset to 0 after a time period.

Description:

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.

If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.

Values: Number from 0 to 99999. N = number of minutes after which the counter will be reset.

Kerberos Policy

Enforce user logon restrictions

Defines whether the Kerberos Key Distribution Center (KDC) checks, for each request, whether the user is allowed to log on.

Description:

This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

Default: Enabled.

Values: Enabled/Disabled.

Maximum lifetime for service ticket

Defines the time a service ticket can be used to access a service. Afterwards the ticket will become invalid.

Description:

This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Default: 600 minutes (10 hours).

Values: Number from 0 to 99999. 0 means ticket does not expire. N = number of minutes after which the ticket expires.

Maximum lifetime for user ticket

Defines the time a user ticket can be used. Afterwards the ticket will become invalid.

Description:

This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used.

Default: 10 hours.

Values: Number from 0 to 99999. 0 means ticket does not expire. N = number of hours after which the ticket expires.

Maximum lifetime for user ticket renewal

Defines the time during which a user's ticket-granting ticket may be renewed.

Description:

This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.

Default: 7 days.

Values: Number from 0 to 99999. 0 means ticket renewal is disabled. N = number of days within which the ticket may be renewed.

Maximum tolerance for computer clock synchronization

Defines the number of minutes the client's clock might differ from the server's time.

Description:

This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.

To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.

Important

This setting is not persistent on pre-Vista platforms. If you configure this setting and then restart the computer, it reverts to the default value.

Default: 5 minutes.

Values: Number from 0 to 99999. N = number of minutes the time on the client might differ from the server's time.
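The range and ordering constraints stated across the Password Policy, Account Lockout Policy and Kerberos Policy sections above, collected into one consistency check as an added example (not code from GPO.wiki or Microsoft). The dictionary keys and the sample policy are constructed for this example and are not GPO setting identifiers:

```python
# Constructed example policy (not from any real domain). The keys are descriptive names
# chosen for this example, not GPO setting identifiers; units follow the page's Values lines.
EXAMPLE_POLICY = {
    "enforce_password_history": 24,      # passwords remembered, 0-24
    "maximum_password_age": 42,          # days, 0 = never expires
    "minimum_password_age": 0,           # days, 0 = may change immediately
    "minimum_password_length": 7,        # characters, 0 = no password required
    "reversible_encryption": False,
    "account_lockout_threshold": 5,      # failed attempts, 0 = never lock out
    "account_lockout_duration": 15,      # minutes, 0 = until an administrator unlocks
    "reset_lockout_counter_after": 30,   # minutes
    "max_service_ticket_lifetime": 600,  # minutes, 0 = does not expire
    "max_user_ticket_lifetime": 10,      # hours
}


def policy_findings(p: dict) -> list[str]:
    """Cross-check a policy against the constraints and notes stated in this section.
    Returns human-readable findings; an empty list means no inconsistency was found."""
    f = []
    hist = p["enforce_password_history"]
    max_age = p["maximum_password_age"]
    min_age = p["minimum_password_age"]
    if not 0 <= hist <= 24:
        f.append("Enforce password history must be between 0 and 24")
    if not 0 <= max_age <= 999 or not 0 <= min_age <= 998:
        f.append("password age out of range (maximum 0-999 days, minimum 0-998 days)")
    if max_age and min_age >= max_age:
        f.append("Minimum password age must be less than Maximum password age")
    if hist and min_age == 0:
        f.append("Enforce password history is ineffective while Minimum password age is 0")
    if p["minimum_password_length"] == 0:
        f.append("Minimum password length 0 means no password is required")
    if p["reversible_encryption"]:
        f.append("Store password using reversible encryption is enabled (equivalent to plaintext)")
    duration = p["account_lockout_duration"]
    if p["account_lockout_threshold"] == 0:
        f.append("Account lockout threshold 0: accounts are never locked out")
    elif duration and duration < p["reset_lockout_counter_after"]:
        f.append("Account lockout duration must be >= Reset account lockout counter after")
    svc = p["max_service_ticket_lifetime"]
    if svc and not 10 < svc <= p["max_user_ticket_lifetime"] * 60:
        f.append("Maximum lifetime for service ticket must be > 10 min and <= user ticket lifetime")
    return f
```

The sample policy deliberately mirrors the stand-alone defaults described above (history 24 with minimum age 0) plus a lockout duration shorter than the reset window, so running it reports those two inconsistencies.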