
Enforcing Password Policy

Password policies for domain user accounts and local user accounts are very important in preventing unauthorized access. These settings should help enforce your organization's written computing policies. There are six settings for password policies that enable you to control how passwords are managed. When you are setting top-level account policy for the Default Domain Policy, these policies are located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. When you are setting secondary account policy for a PSO, you configure these settings using similarly named object attributes.

The settings are as follows:

  • Enforce Password History When users change their passwords, this setting determines how many old passwords are retained and associated with each user, so that they cannot be reused. The maximum value is 24. If you enter zero (0), no password history is kept. On a domain controller the default is 24 passwords; on a stand-alone server it is zero passwords.
  • Maximum Password Age This determines when users are required to change their passwords. For example, if this is set to 90 days, on the 91st day the user will be required to change his or her password. The default on domain controllers is 42 days. The minimum number of days is 0, which effectively means that the password never expires. The maximum number of days is 999. In an environment where security is critical, you probably want to set the value low; in contrast, for environments where security is less stringent, you could set the password age high (rarely requiring users to change passwords).
  • Minimum Password Age This setting determines how long users must keep a password before they are allowed to change it. It must be more than zero days for the Enforce Password History policy to be effective; otherwise a user can cycle through enough changes to return to an old password immediately. In an environment where security is critical, you would probably set this to a shorter time, and to a longer time where security is not as tight. This setting must be configured to be less than the Maximum Password Age policy. The maximum value is 998. If you enter zero (0), a password can be changed immediately. The default is 1 day on a domain controller and 0 days on stand-alone servers. This setting helps to deter password reuse by making a user keep a password for at least a certain amount of time.
  • Minimum Password Length This is the minimum number of characters a password must contain. Again, a more critically secure environment might require longer passwords than one with reduced security requirements. The maximum value is 14. If you enter zero (0), a password is not required. The default length is seven characters on domain controllers and zero characters on stand-alone servers.
  • Password Must Meet Complexity Requirements The complexity requirements for domain user account passwords are stricter than they were in Windows 2000. If this policy is defined, passwords can't contain the user account name, must contain at least six characters, and must consist of uppercase letters, lowercase letters, numerals, and special non-alphabetical characters, such as the percentage sign (%) and the asterisk (*). (Complexity requirements are enabled by default on domain controllers and disabled by default on stand-alone servers for Windows Server 2008.)
  • Store Passwords Using Reversible Encryption This is an additional policy that stores passwords in a reversibly encrypted form, which is effectively the same as storing them in plain text, for applications that may need it. By default, it is disabled on Windows Server 2008. It is used when applications rely on protocols that need to know the user's actual password. Because this policy degrades the overall security of the domain, it should be enabled only when necessary.
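The following PowerShell script is an added example, not part of the original article, that audits the six settings above against the constraints the article states (history is only effective when Minimum Password Age is above zero, Minimum Password Age must be less than Maximum Password Age, a Maximum Password Age of 0 means passwords never expire, a Minimum Password Length of 0 means no password is required, and reversible encryption should stay off unless an application needs it). The audit function takes any object with the property names that Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy return; the sample object and the baseline thresholds (24 passwords of history, 7 characters, 90 days) are constructed here as assumptions, and the commented PSO creation at the end shows how the same six settings map onto New-ADFineGrainedPasswordPolicy parameters.

```powershell
# Added example (not from the original article). Audits a password policy
# object against the rules described in the article. Property names mirror
# Get-ADDefaultDomainPasswordPolicy / Get-ADFineGrainedPasswordPolicy; the
# thresholds are assumed baselines, not values the article prescribes.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int]$MinHistory = 24,   # assumed baseline: the article's maximum history
        [int]$MinLength  = 7,    # assumed baseline: the domain-controller default
        [int]$MaxAgeDays = 90    # assumed baseline for a security-critical environment
    )
    $findings = @()
    $maxAge = [timespan]$Policy.MaxPasswordAge
    $minAge = [timespan]$Policy.MinPasswordAge

    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "Enforce Password History is $($Policy.PasswordHistoryCount); baseline is $MinHistory."
    }
    # History cannot work if a user may change the password again immediately.
    if ($minAge.TotalDays -le 0) {
        $findings += "Minimum Password Age is 0 days, so Enforce Password History is ineffective."
    }
    # 0 (or no positive value) means the password never expires.
    if ($maxAge.TotalDays -le 0) {
        $findings += "Maximum Password Age is 0: passwords never expire."
    } elseif ($maxAge.TotalDays -gt $MaxAgeDays) {
        $findings += "Maximum Password Age is $($maxAge.TotalDays) days; baseline is $MaxAgeDays."
    }
    # The article requires Minimum Password Age to be less than Maximum Password Age.
    if ($maxAge.TotalDays -gt 0 -and $minAge -ge $maxAge) {
        $findings += "Minimum Password Age ($($minAge.TotalDays) days) is not less than Maximum Password Age ($($maxAge.TotalDays) days)."
    }
    if ($Policy.MinPasswordLength -eq 0) {
        $findings += "Minimum Password Length is 0: a password is not required."
    } elseif ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum Password Length is $($Policy.MinPasswordLength); baseline is $MinLength."
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Password complexity requirements are disabled."
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled: passwords are effectively stored in plain text."
    }
    return $findings
}

# Constructed sample resembling stand-alone-server defaults plus reversible
# encryption turned on; it runs offline without the ActiveDirectory module.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 0
    MaxPasswordAge              = [timespan]::FromDays(42)
    MinPasswordAge              = [timespan]::Zero
    MinPasswordLength           = 0
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $true
}
Test-PasswordPolicy -Policy $sample | ForEach-Object { Write-Warning $_ }

# On a domain-joined machine with the ActiveDirectory module, audit the live
# Default Domain Policy values and every fine-grained policy (PSO):
#   Import-Module ActiveDirectory
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
#   Get-ADFineGrainedPasswordPolicy -Filter * |
#       ForEach-Object { Test-PasswordPolicy -Policy $_ }
#
# The same six settings expressed as a PSO for a hypothetical "Admins-PSO"
# (name, precedence and values are assumptions for illustration):
#   New-ADFineGrainedPasswordPolicy -Name "Admins-PSO" -Precedence 10 `
#       -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 60) `
#       -MinPasswordAge (New-TimeSpan -Days 1) -MinPasswordLength 14 `
#       -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
```

The audit function is kept free of Active Directory calls so it can be run against a constructed object, as shown, and then pointed at the live policy objects once the module is available. A non-empty result lists the settings that fall outside the baseline; an empty result means all six checks passed.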