This checklist was updated on Nov. 2, 2004.
I used to hate talking about sensitive subjects, making myself a target. But I just can't ignore the awful truth any longer. Most of corporate America wants to blame its employees for the lack of network security.
People who blame users should recall the idiom about those who live in glass houses -- they shouldn't be throwing stones. Case in point: How many of you have weak password policies or offer little help to users trying to create strong passwords that can be easily remembered? Are you squirming yet? Instead of blaming the user, there are three things that you -- those who set up and support security policy -- must do.
- Implement Windows technical controls.
- Write a strong authentication policy and include the consequences of not following it.
- Provide user training and assistance on your password policy requirements, and reward them for compliance.
While any good password policy should be written independent of the available operating system controls, I'm going to focus this checklist on my first point and detail controls to set in Windows based on what's available. The other two points I'll leave for another day.
If you have implemented Windows Server 2003, some good defaults are already in place. Prior to Windows Server 2003, the default password policy was useless. If you're still using it -- stop. For instance, in Windows XP and Windows 2000, no password history is kept; users can reuse passwords again and again; passwords can immediately be changed, even back to the original password; there is no minimum password length; a blank password is allowable; and no complexity requirements are set (even the user id can be a password).
Regardless of your Windows domain operating system, here's a list of recommended settings to strengthen your password policy technical controls.
You may download a printer-friendly version.
|Checklist: Changes you should make to password policy default settings|
|Increase password history|
Control: Enforce password history|
Windows 2000 default: 0 passwords remembered
Windows Server 2003 default: 24 passwords remembered
Recommendation: 26 passwords remembered
|Maintain default maximum password age|
Control: Maximum password age|
Windows 2000 default: 42 days
Windows Server 2003 default: 42 days
Recommendation: 42 days
|Increase minimum password age|
Control: Minimum password age|
Windows 2000 default: 0 days
Windows Server 2003 default: 1 day
Recommendation: 5 days
|Increase minimum password length|
|Control: Minimum password length|
Windows 2000 default: 0 characters
Windows Server 2003 default: 7 characters
Recommendation: 15 characters
|Enable complexity requirements|
|Control: Password must meet complexity requirements|
Windows 2000 default: Disabled
Windows Server 2003 default: Enabled
|Enable reversible encryption|
|Control: Store passwords using reversible encryption|
Windows 2000 default: Disabled
Windows Server 2003 default: Disabled
|ABOUT THE AUTHOR: Go back|
|Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.|
This was first published in October 2004