Talk to a Security Expert Now: (800) 721-9177

Creating an Acceptable Domain-Wide Password Policy

Have a fresh Microsoft Windows 2003 or 2008 domain just deployed and don’t know where to start?  Inherited a potentially questionable domain and looking for some basic things to check?  Already know what you’re doing and want a sanity-check?
Here are the recommended Password Policy settings to configure to try and creep towards that impossible balance of usability and security. All of these settings should be configured at the Default Domain Controllers OU level.

Minimum Password Length

This is an absolute must.  This controls how long a password must be.  If this is set to 0 then users can (and will) use a blank password to log into their computer.  Believe it or not, but this is actually seen in the real world and can be very disastrous.
Set the minimum password age to 8 characters or more.  Users will whine and complain at first but will eventually adjust to this very basic security requirement.

Complexity Requirements

This controls the complexity a password must meet in order to be used.  When enabled it requires the use of an uppercase, lowercase, number or special character in a password.  If minimum password length is not already defined this also sets it to a minimum of 6 characters. Make sure this is enabled.

Maximum Password Age

This controls how often a password has to be changed.  A password that is not changed frequently enough can be potentially guessed by an attacker; but a password that is changed too frequently can be difficult to remember for end users who will often just write it on a sticky note and hide it under their keyboard.  Not ideal. 90 days is the recommended and generally accepted maximum age.

Enforce Password History

If not configured then a password can be reused over and over again.
Set this to 10 or more days.

Minimum Password Age

Determines the period of time in days that a password must be used before it can be changed.  This setting is used to prevent a nefarious user from quickly changing their password 10 times (or whatever the Enforce Password History setting is set to) in order to reuse their favorite old password again.
Set this to 1 or 2.  Someone hell-bent on reusing their old password can eventually cycle back around to it by changing their password every day, 10 days in a row.  However you likely have more things to worry about if they are willing to go that far.

Store Passwords Using Reversible Encryption

If set to enabled this essentially stores a plaintext copy of all passwords in a plaintext file.  Thankfully by default it is set to disabled.  Don’t ever enable this crazy thing.  And yes, we’ve seen it enabled a number of times.

That’s it for the password policies.  Following these guidelines won’t magically make your users pick decent passwords, but it can prevent them from using blank passwords or their username as their password.  User training, as well as using a passphrase instead of a traditional password, are your best bet for creating a somewhat decent password policy baseline.

This Post Has One Comment

  1. It’d be great if there was some indication here of the threats these rules are supposed to protect against. and how they’re supposed to protect aginst them.

Leave a Reply

Your email address will not be published. Required fields are marked *