Have a fresh Microsoft Windows 2003 or 2008 domain just deployed and don’t know where to start? Inherited a potentially questionable domain and looking for some basic things to check? Already know what you’re doing and want a sanity-check?
Here are the recommended Password Policy settings to configure to try and creep towards that impossible balance of usability and security. All of these settings should be configured at the Default Domain Controllers OU level.
Minimum Password Length
This is an absolute must. This controls how long a password must be. If this is set to 0 then users can (and will) use a blank password to log into their computer. Believe it or not, but this is actually seen in the real world and can be very disastrous.
Set the minimum password length to 8 characters or more. Users will whine and complain at first but will eventually adjust to this very basic security requirement.
Password Must Meet Complexity Requirements
This controls the complexity a password must meet in order to be used. When enabled, it requires a password to mix uppercase letters, lowercase letters, numbers and special characters. If a minimum password length is not already defined, this also sets it to a minimum of 6 characters. Make sure this is enabled.
Maximum Password Age
This controls how often a password has to be changed. A password that is not changed frequently enough can potentially be guessed by an attacker, but a password that is changed too frequently is difficult for end users to remember, and they will often just write it on a sticky note and hide it under their keyboard. Not ideal. 90 days is the recommended and generally accepted maximum age.
Enforce Password History
If not configured, a password can be reused over and over again.
Set this to 10 or more passwords remembered.
Minimum Password Age
Determines the period of time in days that a password must be used before it can be changed. This setting is used to prevent a nefarious user from quickly changing their password 10 times (or whatever the Enforce Password History setting is set to) in order to reuse their favorite old password again.
Set this to 1 or 2. Someone hell-bent on reusing their old password can eventually cycle back around to it by changing their password every day, 10 days in a row. However you likely have more things to worry about if they are willing to go that far.
Store Passwords Using Reversible Encryption
If enabled, this essentially stores a plaintext copy of every password. Thankfully it is disabled by default. Don’t ever enable this crazy thing. And yes, we’ve seen it enabled a number of times.
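To sanity-check an existing domain against the values above, here is an added audit script (not part of the original post). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the domain; it reads the effective default domain password policy, compares each setting with the baseline, and changes nothing.

```powershell
# Added audit script, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is available and the caller can read the domain's policy.
# Reads the effective default domain password policy, compares each value
# with the baseline recommended above, and reports PASS/FAIL. Nothing is changed.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy
$maxAge = $p.MaxPasswordAge.Days   # a 0 here means no maximum age is enforced
$minAge = $p.MinPasswordAge.Days

# Helper that builds one report row: the setting, its current value,
# what the baseline expects, and whether the current value passes.
function New-Check([string]$Setting, $Current, [string]$Expected, [bool]$Pass) {
    [pscustomobject]@{ Setting = $Setting; Current = $Current; Expected = $Expected; Pass = $Pass }
}

$checks = @(
    New-Check 'Minimum Password Length'  $p.MinPasswordLength    '8 or more characters' ($p.MinPasswordLength -ge 8)
    New-Check 'Complexity Requirements'  $p.ComplexityEnabled    'Enabled'              $p.ComplexityEnabled
    New-Check 'Maximum Password Age'     "$maxAge days"          '1 to 90 days'         ($maxAge -ge 1 -and $maxAge -le 90)
    New-Check 'Enforce Password History' $p.PasswordHistoryCount '10 or more passwords' ($p.PasswordHistoryCount -ge 10)
    New-Check 'Minimum Password Age'     "$minAge days"          '1 or 2 days'          ($minAge -ge 1 -and $minAge -le 2)
    New-Check 'Reversible Encryption'    $p.ReversibleEncryptionEnabled 'Disabled'     (-not $p.ReversibleEncryptionEnabled)
)

# Print the comparison table, then exit non-zero if anything deviates so the
# script can be dropped into a scheduled job or monitoring check.
$checks | Format-Table -AutoSize

$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) password policy setting(s) deviate from the baseline."
    exit 1
}
Write-Host 'Password policy matches the baseline.'
```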
That’s it for the password policies. Following these guidelines won’t magically make your users pick decent passwords, but it can prevent them from using blank passwords or their username as their password. User training, as well as using a passphrase instead of a traditional password, are your best bet for creating a somewhat decent password policy baseline.