Passwords and security
Passwords are the primary means by which unauthorized access to a system is prevented: for most accounts, the password is the only secret standing between an attacker and that account's privileges. The stronger the password, the more likely security will remain intact. As part of your security policy, you must require that every user use a strong password. (See the upcoming "A few more things about passwords" section for guidelines for crafting strong passwords.) A single compromised account can result in unfettered access to entire systems, and a compromised administrative account can hand an attacker the whole domain.
Strong passwords can be enforced using built-in controls in Windows Server 2008. By employing all system-level controls that force strong passwords, little additional effort is required to ensure that users comply with the security policy. New to Windows Server 2008 are fine-grained password policies: you may apply different password and account lockout settings to individual users or to global security groups. Previously, a domain could have only one set of password settings, so an organization that needed different settings (for example, stricter rules for administrative accounts than for ordinary users) had to create separate domains. Fine-grained password policies are stored as Password Settings Objects (PSOs) in Active Directory and require the Windows Server 2008 domain functional level; they are not configured through Group Policy, and a PSO always takes precedence over the domain-wide settings described next for the users it applies to.
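As an added example (not code from the original page), the following PowerShell creates a fine-grained password policy for administrative accounts and then checks which policy actually applies to a given user. It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later (or RSAT) and can manage a Windows Server 2008 domain; on a Server 2008 RTM domain controller the same PSO attributes have to be set with ADSI Edit or ldifde instead. The PSO name, the group, the user account and the values chosen are assumptions for illustration.

```powershell
# Added example, not part of the original page.
# Creates a Password Settings Object (PSO) for privileged accounts.
# Assumes the ActiveDirectory module (Windows Server 2008 R2+ or RSAT) and a
# domain at the Windows Server 2008 functional level.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumed name for illustration

# Precedence: when several PSOs apply to one user, the lowest number wins.
# Durations are TimeSpans; the settings mirror the Password and Account Lockout
# policy items of a GPO but apply only to the PSO's subjects.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -Description 'Stricter settings for administrative accounts (assumed example)'

# A PSO can be applied to users and to global security groups only, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify which policy wins for a specific account (assumed sAMAccountName).
# Returns nothing when no PSO applies, i.e. the domain default policy is in force.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Apply the PSO to a group rather than to individual accounts so that new administrators inherit it automatically, and give the stricter PSO the lower precedence number so that it wins if a user is also a member of a group covered by a more lenient one.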
Account Policies define restrictions, requirements, and parameters for the Password, Account Lockout, and Kerberos policies. To access Account Policies, follow these steps:
- Choose Start → Run, type gpmc.msc, and press Enter. The Group Policy Management Console appears.
- Double-click your forest name to expand it.
- Expand Domains, and then expand your domain name.
- Right-click the Default Domain Policy entry and choose Edit. A dialog box may appear, warning that you've selected a link to a Group Policy Object (GPO) and that any changes made here take effect everywhere this GPO is linked (except for changes to link properties). The Group Policy Object Editor appears.
- Under the Computer Configuration node, expand the Windows Settings item.
- Under the Windows Settings node, expand the Security Settings item.
- Under the Security Settings node, expand the Account Policies item.
Now you can see the Password, Account Lockout, and Kerberos policies beneath Account Policies in the Group Policy Object Editor. Note that for domain accounts, these three policies take effect only when set in a GPO linked at the domain level (such as the Default Domain Policy); the same settings in a GPO linked to an organizational unit affect only the local accounts on the computers in that OU.
Password Policy
After you've found Account Policies, open the Password Policy by choosing Account Policies → Password Policy. Its six settings control the requirements for user passwords. The higher you raise the bar in each of them, the stronger the required passwords become, and the less likely a brute-force or dictionary attack is to succeed against your system.
In the following list, we briefly explain each option, note its default value in a Windows Server 2008 domain, and recommend the most appropriate settings for general use:
- Enforce Password History: Use this option to define how many previous passwords the system remembers so that a user can't reuse any of them. The domain default is 24; we recommend a setting of 5 or greater, and there is no reason to lower the default.
- Maximum Password Age: Use this option to define when passwords expire and must be replaced. The domain default is 42 days; we recommend settings of 30, 45, or 60 days. A setting of 0 means passwords never expire.
- Minimum Password Age: Use this option to define how long a user must wait before changing his or her password again. The domain default is 1 day; we recommend settings of 1, 3, or 5 days. Without a minimum age, a user can cycle through enough passwords in a few minutes to exhaust the password history and return to the old one.
- Minimum Password Length: Use this option to define the smallest number of characters that a password must include. The domain default is 7; we recommend at least eight characters for best results. This setting accepts values up to 14; users may still choose longer passwords, and should.
- Passwords Must Meet Complexity Requirements: Enabled by default in a Windows Server 2008 domain. (Astute observers may notice that this was disabled by default in Windows 2000 domains.) When enabled, a new password must be at least six characters long, must not contain the user's account name or any part of the user's full name that is three or more characters long, and must contain characters from at least three of these categories: uppercase letters, lowercase letters, numerals, nonalphanumeric characters, and other Unicode letters. Note that the rule does not reject dictionary words, so a password such as Password1 passes it. The built-in rule cannot be tuned; if it isn't sufficient, stronger checks require a custom password filter DLL, and we recommend that you research the topic further by using the Windows Server 2008 Help and Support feature or the Windows Server 2008 Resource Kit.
- Store Password Using Reversible Encryption for All Users in the Domain: Disabled by default. Enabling it stores every password in a form that is equivalent to plaintext for anyone who can read the directory; it exists only to support authentication protocols that need the cleartext password, such as CHAP through a remote access server, Digest authentication in IIS, and the Shiva Password Authentication Protocol (SPAP), a security authentication mechanism for the Point-to-Point Protocol (PPP) developed by Shiva Corporation. Leave this disabled unless such a protocol is required by a client, and even then prefer enabling the equivalent option on the individual user accounts that need it rather than for the whole domain.
Account Lockout Policy
The next policy in Account Policies is the Account Lockout Policy, which governs when user accounts are locked out because of repeated failed logon attempts. (Choose Account Policies → Account Lockout Policy.) Lockout defeats online brute-force logon attacks (in which every likely or possible password is tried against the live logon service) by temporarily disabling the account. It does nothing against offline attacks on a stolen password hash, and it can be turned against you: anyone who can reach a logon service can lock out accounts deliberately, so choose a threshold that stops guessing without making denial of service trivial. The options are as follows:
- Account Lockout Duration: Use this option to define how long to lock out an account. A setting of 0 keeps the account locked until an administrator unlocks it. Not defined by default; we recommend a setting of 30 minutes or more.
- Account Lockout Threshold: Use this option to define how many failed logon attempts result in lockout. The default of 0 disables lockout entirely; we recommend a setting of 3 to 5 invalid logon attempts. Keep in mind that services, scheduled tasks, and mapped drives that retry a stale password count against this threshold, so very low values produce lockouts from innocent causes.
- Reset Account Lockout Counter After: Use this option to define the time period after which the failed logon count for an account is reset. Not defined by default; we recommend a setting of 15 minutes. This value must be less than or equal to the Account Lockout Duration.
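As an added example (not from the original page), the following PowerShell reads the domain's effective default Password Policy and Account Lockout Policy and reports every setting that falls short of the recommendations given in the two lists above, including the ordering constraint between the lockout counter reset window and the lockout duration. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later, or RSAT) and that it runs with rights to read the domain object; the threshold values it checks against are the ones recommended on this page.

```powershell
# Added example, not part of the original page.
# Audits the domain default password and lockout policy against the
# recommendations above. Assumes the ActiveDirectory module (2008 R2+ or RSAT).
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    # Password Policy checks
    if ($p.PasswordHistoryCount -lt 5) {
        $findings += "Enforce Password History is $($p.PasswordHistoryCount); recommend 5 or more"
    }
    # 0 days means passwords never expire; anything above 60 days exceeds the recommendation
    if ($p.MaxPasswordAge.TotalDays -eq 0 -or $p.MaxPasswordAge.TotalDays -gt 60) {
        $findings += "Maximum Password Age is $($p.MaxPasswordAge.TotalDays) days; recommend 30-60"
    }
    if ($p.MinPasswordAge.TotalDays -lt 1) {
        $findings += "Minimum Password Age is $($p.MinPasswordAge.TotalDays) days; recommend at least 1"
    }
    if ($p.MinPasswordLength -lt 8) {
        $findings += "Minimum Password Length is $($p.MinPasswordLength); recommend at least 8"
    }
    if (-not $p.ComplexityEnabled) {
        $findings += "Password complexity requirements are disabled"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; passwords are effectively stored in plaintext"
    }

    # Account Lockout Policy checks
    if ($p.LockoutThreshold -eq 0) {
        $findings += "Account Lockout Threshold is 0; lockout is disabled"
    } else {
        if ($p.LockoutThreshold -gt 5) {
            $findings += "Account Lockout Threshold is $($p.LockoutThreshold); recommend 3-5"
        }
        # Duration 0 means "until an administrator unlocks", which is stricter than 30 minutes
        if ($p.LockoutDuration.TotalMinutes -ne 0 -and $p.LockoutDuration.TotalMinutes -lt 30) {
            $findings += "Account Lockout Duration is $($p.LockoutDuration.TotalMinutes) minutes; recommend 30 or more"
        }
        # The reset window must not exceed the lockout duration (unless duration is 0)
        if ($p.LockoutDuration.TotalMinutes -ne 0 -and
            $p.LockoutObservationWindow -gt $p.LockoutDuration) {
            $findings += "Reset counter window exceeds the lockout duration"
        }
    }
    return $findings
}

$result = Get-PasswordPolicyFindings
if ($result.Count -eq 0) {
    Write-Output "Domain password and lockout policy meets the recommended baseline."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run this after editing the Default Domain Policy and allowing replication to complete; because it reads the domain object rather than the GPO, it reports what domain controllers actually enforce. Users covered by a fine-grained password policy are governed by their PSO instead, which this script does not evaluate.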
Kerberos Policy
The last policy in Account Policies is the Kerberos Policy, which governs ticket lifetimes and logon restrictions for Kerberos, the network authentication protocol used within Active Directory domains. (Choose Account Policies → Kerberos Policy.) With Kerberos, a client authenticates once to a domain controller and receives a ticket-granting ticket (TGT); for the lifetime of that ticket it can obtain service tickets for servers in the domain without presenting its password again, and each service ticket proves the client's identity to the server and the server's identity to the client. Like the other two policies, the Kerberos Policy is effective only when set at the domain level.
The options for this policy are specified in the following list with their recommended settings, which are also the defaults:
- Enforce User Logon Restrictions: Enabled. The domain controller checks that the user still has the right to log on to the target computer before issuing a service ticket; disabling this speeds up ticket issuance slightly at a real security cost.
- Maximum Lifetime for Service Ticket: 600 minutes
- Maximum Lifetime for User Ticket: 10 hours. A shorter lifetime limits how long a stolen TGT remains usable.
- Maximum Lifetime for User Ticket Renewal: 7 days
- Maximum Tolerance for Computer Clock Synchronization: 5 minutes. Kerberos uses timestamps to detect replayed messages; clocks that differ by more than this window cause authentication failures, and widening it weakens replay detection, so keep domain time synchronized rather than raising the tolerance.
For more information on establishing a secure baseline in Windows Server 2008, please download the Microsoft Windows Server 2008 Security Guide and visit the Microsoft Security Web site (www.microsoft.com/security/default.mspx).
A few more things about passwords
Whether or not you enable software controls to restrict passwords, we recommend that your organization's security policy regarding passwords include the following elements:
- Require a minimum of eight characters, matching the Minimum Password Length setting recommended earlier; longer is better.
- Prevent the e-mail address, account name, or real name from being part of the password.
- Don't use common words, slang, terms from the dictionary, or other real words in passwords.
- Don't write passwords down, except to place them in a vault or safety deposit box.
- Don't use words, names, or phrases associated with users, such as family, friends, hobbies, pets, interests, books, movies, or workspace.
- If real words are used, garble them using capitalization, numbers, or nonalphanumeric characters - for example, Go7Ril-la instead of gorilla.
- Use numbers or nonalphanumeric characters to replace letters - for example, ALT3RN8 L3TT3R1N9 (or "alternate lettering"). Bear in mind that password-cracking tools apply these same substitutions automatically, so a substituted dictionary word is stronger than the plain word but much weaker than a long password built from an acronym or from unrelated words.
- Use at least three out of four types of characters: uppercase, lowercase, numerals, nonalphanumeric (symbols, punctuation).
- Create acronyms to use as passwords from sentences - for example, Fifty-five dollars will pay a parking ticket = 55DwPaPt.
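As an added example (not from the original page), the following PowerShell function checks candidate passwords against the built-in Windows complexity rule described under "Passwords Must Meet Complexity Requirements" and against the eight-character minimum recommended in this section, so you can see which of the examples above would actually be accepted by a domain controller. The account name and display name it uses are constructed sample data; the categories counted are the four named above (the native rule also counts other Unicode letters as a fifth category).

```powershell
# Added example, not part of the original page.
# Mirrors the Windows "Passwords must meet complexity requirements" rule plus the
# eight-character minimum recommended above. Sample account data is constructed.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = '',
        [int] $MinimumLength = 8          # this page recommends 8; the native rule uses 6
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # Must not contain the account name (compared case-insensitively).
    if ($SamAccountName -and $Password.ToLower().Contains($SamAccountName.ToLower())) {
        $failures += "contains the account name '$SamAccountName'"
    }

    # Must not contain any part of the display name that is 3 or more characters long.
    # Windows splits the display name on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs.
    foreach ($part in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($part.Length -ge 3 -and $Password.ToLower().Contains($part.ToLower())) {
            $failures += "contains '$part' from the display name"
        }
    }

    # Count the character categories present; at least three are required.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $failures += "uses only $categories of 4 character categories (need 3)"
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed sample account: Jane Q. Doe, account name jdoe.
# 'Password1' is included to show that the complexity rule alone does not
# reject an obvious dictionary-based password; that is what the policy
# guidance above is for.
$cases = 'gorilla', 'Go7Ril-la', 'DoeJane2024!', '55DwPaPt', 'Password1'
foreach ($c in $cases) {
    Test-PasswordPolicy -Password $c -SamAccountName 'jdoe' -DisplayName 'Doe, Jane Q.'
}
```

Of the constructed samples, gorilla fails on length and on using a single character category, DoeJane2024! fails because it contains parts of the display name, and Go7Ril-la, 55DwPaPt, and Password1 all pass, which is exactly why the dictionary-word and personal-information rules above belong in the written policy and in user training rather than being left to the system.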
Through a combination of Windows Server 2008-enforced password restrictions and company security policy rules, you can substantially improve the security of your systems through the use of strong passwords.