Checklist: Changes you should make to password policy default settings

Regardless of your Windows domain operating system, here's a checklist of recommended settings to strengthen your password policy technical controls.

This checklist was updated on Nov. 2, 2004.

I used to hate talking about sensitive subjects, making myself a target. But I just can't ignore the awful truth any longer. Most of corporate America wants to blame its employees for the lack of network security. According to these organizations and some security gurus who should know better, users are hell bent on writing their passwords on sticky notes, clicking on attachments that say, "Click me, your mine!" and handing their laptops to vagabonds along their travels.

People who blame users should recall the idiom about those who live in glass houses -- they shouldn't be throwing stones. Case in point: How many of you have weak password policies or offer little help to users trying to create strong passwords that can be easily remembered? Are you squirming yet? Instead of blaming the user, there are three things that you -- those who set up and support security policy -- must do.

  • Implement Windows technical controls.
  • Write a strong authentication policy and include the consequences of not following it.
  • Provide user training and assistance on your password policy requirements, and reward them for compliance.

While any good password policy should be written independent of the available operating system controls, I'm going to focus this checklist on my first point and detail controls to set in Windows based on what's available. The other two points I'll leave for another day.

If you have implemented Windows Server 2003, some good defaults are already in place. Prior to Windows Server 2003, the default password policy was useless. If you're still using it -- stop. For instance, in Windows XP and Windows 2000, no password history is kept; users can reuse passwords again and again; passwords can immediately be changed, even back to the original password; there is no minimum password length; a blank password is allowable; and no complexity requirements are set (even the user id can be a password).

Regardless of your Windows domain operating system, here's a list of recommended settings to strengthen your password policy technical controls.

You may download a printer-friendly version.

 Checklist: Changes you should make to password policy default settings
Increase password history
Control: Enforce password history
Windows 2000 default: 0 passwords remembered
Windows Server 2003 default: 24 passwords remembered
Recommendation: 26 passwords remembered
Maintain default maximum password age
Control: Maximum password age
Windows 2000 default: 42 days
Windows Server 2003 default: 42 days
Recommendation: 42 days
Increase minimum password age
Control: Minimum password age
Windows 2000 default: 0 days
Windows Server 2003 default: 1 day
Recommendation: 5 days
Increase minimum password length
Control: Minimum password length
Windows 2000 default: 0 characters
Windows Server 2003 default: 7 characters
Recommendation: 15 characters
Enable complexity requirements
Control: Password must meet complexity requirements
Windows 2000 default: Disabled
Windows Server 2003 default: Enabled
Recommendation: Enabled
Enable reversible encryption
Control: Store passwords using reversible encryption
Windows 2000 default: Disabled
Windows Server 2003 default: Disabled
Recommendation: Disabled

Click here to read Roberta's Ask the Expert response about enabling complex passwords.

ABOUT THE AUTHOR:   Go back
Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Click to ask Roberta a question or purchase her book here. Also, if you have specific questions or comments about any of Roberta's checklists, click to e-mail her directly. Copyright 2004


This was first published in October 2004

Dig deeper on Microsoft Active Directory

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close