Plan password complexity settings for Office 2010

Applies to: Office 2010

Topic Last Modified: 2011-07-08

New security controls are available in Microsoft Office 2010 to help you plan a robust defense against threats while maintaining information worker productivity.

The Encrypt with Password feature in Microsoft Excel 2010, PowerPoint 2010, and Word 2010 contains settings that enable you to enforce strong passwords through password length and complexity rules. By using these settings, you can require that Office 2010 applications enforce either local password requirements or the domain-based requirements that are specified in the Password Policy settings in Group Policy.

In this article:

  • About planning password length and complexity settings

  • Enforce password length and complexity

  • Related password length and complexity settings

About planning password length and complexity settings

By default, there are no restrictions on password length or password complexity for the Encrypt with Password feature, which means that users can encrypt a document, presentation, or workbook with any password, however short or simple. Because the password is the only thing that protects the encrypted content, we recommend that organizations change this default and enforce password length and complexity to help ensure that strong passwords are used with the Encrypt with Password feature.

Many organizations enforce strong passwords for log on and authentication by using domain-based group policies. If this is the case, we recommend that the organization use the same password length and complexity requirements for the Encrypt with Password feature. For more information about strong passwords, including recommendations for determining password length and complexity, see Creating a Strong Password Policy (https://go.microsoft.com/fwlink/p/?LinkId=166269).

Warning

When you establish password policies, you need to balance the need for strong security with the need to make the password policy easy for users to implement. If a password is forgotten or an employee leaves an organization without providing the passwords used to save and encrypt the data, the data is inaccessible until the correct password is available to decrypt the data.

Enforce password length and complexity

When you configure the password settings that Office 2010 provides to enforce password length and complexity, you can use the settings that are included with Office 2010 on their own or in combination with the password settings that are available in the domain-based Password Policy Group Policy object. If you already enforce strong passwords for domain logon and authentication, we recommend that you configure the password length and complexity settings for Office 2010 to match the Password Policy Group Policy object for the domain.

The password settings included with Office 2010 are listed as follows:

  • Set minimum password length

  • Set password rules level

  • Set password rules domain time-out

You can configure the Office 2010 password settings by using the Office Customization Tool (OCT) or the Office 2010 Administrative Templates for local or domain-based group policies. For information about how to configure security settings in the OCT and the Office 2010 Administrative Templates, see Configure security for Office 2010.

The password settings available for the Password Policy Group Policy object on the domain are listed as follows:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store passwords using reversible encryption

You can use the Group Policy Object Editor to configure the domain-based Password Policy settings (GPO | Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policy). For more information, see Group Policy Object Editor Technical Reference (https://go.microsoft.com/fwlink/p/?LinkId=188682).

The Set password rules level setting in Office 2010 determines the password complexity requirements and whether the Password Policy Group Policy object for the domain will be used.

To enforce password length and complexity for the Encrypt with Password feature, you must do the following:

  • Determine the minimum password length that you want to enforce locally.

  • Determine the password rules level.

  • Determine the domain time-out value for domain-based password enforcement. This task is optional: you might need to change the value if a custom password filter is installed on your domain controllers and the default wait of 4 seconds for a domain controller response is insufficient.

Determine minimum password length requirement

To enforce password length and complexity, you must first determine the minimum password length that you want to enforce locally. The Set minimum password length setting lets you do this. When you enable this setting, you can specify a minimum password length between 0 and 255 characters. However, enabling this setting by itself enforces nothing: the value is used only when the Set password rules level setting, which is discussed in the following section, is set to an option that performs a length check.

Determine the password rules level

After you set a minimum password length for local enforcement, you must determine the rules by which password length and complexity are enforced. The Set password rules level setting lets you do this. When you enable this setting, you can select one of four levels, which are as follows:

  • No password checks   Password length and complexity are not enforced. This is the same as the default configuration.

  • Local length check   Password length is enforced but password complexity is not. Length is enforced only locally, according to the password length requirement specified in the Set minimum password length setting.

  • Local length and complexity checks   Password length is enforced locally according to the password length requirement specified in the Set minimum password length setting. Password complexity is also enforced locally, which means that passwords must contain characters from at least three of the following four character classes:

    • Lowercase a–z

    • Uppercase A–Z

    • Digits 0–9

    • Non-alphanumeric characters (symbols such as !, $, #, %)

    The complexity check is applied only if you specify a password length of at least six characters in the Set minimum password length setting.

  • Local length, local complexity, and domain policy checks   Password length and complexity are enforced according to the domain-based Password Policy settings that are set in Group Policy. If a computer is offline or cannot contact a domain controller, the local password length and complexity requirements are enforced exactly as described for the Local length and complexity checks option. Because that fallback is silent to the user, configure the local settings to be at least as strict as the domain policy; otherwise a user who is off the network can choose a password that the domain policy would have rejected.
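The following PowerShell function is an added example, not code from Office 2010 or from this article, and it models the decision logic of the four Set password rules level options listed above: the length-only check, the three-of-four character class rule with its six-character threshold, and the fallback to the local checks when a domain controller does not answer. It assumes that the options are numbered 0 to 3 in the order listed, that the domain check can be represented by a script block returning true, false, or null for a time-out, and that when the minimum length is below six only the complexity check is skipped while the length check still applies; Office itself performs the domain check against a domain controller, which this function does not do.

```powershell
# Added example (not Office 2010 code): models the decision logic of the
# "Set password rules level" options described above.
# Assumptions: the four options are numbered 0-3 in the order listed;
# the domain check is represented by a script block that returns $true
# (accepted), $false (rejected) or $null (no reply before the time-out);
# when the minimum length is below 6 the length check still applies and
# only the complexity check is skipped.

function Test-LocalPasswordRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 0,
        [switch]$CheckComplexity
    )
    if ($Password.Length -lt $MinimumLength) { return $false }
    if (-not $CheckComplexity) { return $true }

    # Local complexity: characters from at least three of the four classes.
    # -cmatch is required; -match is case-insensitive in PowerShell and would
    # make the lowercase and uppercase classes indistinguishable.
    $classes = @(
        ($Password -cmatch '[a-z]'),
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[0-9]'),
        ($Password -cmatch '[^A-Za-z0-9]')
    )
    $classesPresent = @($classes | Where-Object { $_ }).Count
    return ($classesPresent -ge 3)
}

function Test-OfficePasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [ValidateRange(0, 3)][int]$RulesLevel = 0,      # 0 = No password checks ... 3 = domain policy checks
        [ValidateRange(0, 255)][int]$MinimumLength = 0, # Set minimum password length
        [scriptblock]$DomainCheck = { $null }           # $null simulates offline / time-out
    )
    switch ($RulesLevel) {
        0 { return $true }
        1 { return (Test-LocalPasswordRules -Password $Password -MinimumLength $MinimumLength) }
        2 {
            $complexity = ($MinimumLength -ge 6)   # six-character threshold from the text
            return (Test-LocalPasswordRules -Password $Password -MinimumLength $MinimumLength -CheckComplexity:$complexity)
        }
        3 {
            $answer = & $DomainCheck $Password
            if ($null -ne $answer) { return [bool]$answer }
            # Offline or timed out: fall back to the local checks, exactly as level 2.
            return (Test-OfficePasswordPolicy -Password $Password -RulesLevel 2 -MinimumLength $MinimumLength)
        }
    }
}

# Usage: three constructed passwords under every level, minimum length 8,
# with a domain controller that never answers (the fallback path).
$samples = [ordered]@{
    'short'        = 'Ab1!'           # fails the length check
    'long-simple'  = 'password1'      # length ok, only two character classes
    'long-complex' = 'Gr8!Passphrase' # length ok, four character classes
}
foreach ($level in 0..3) {
    $row = [ordered]@{ RulesLevel = $level }
    foreach ($name in $samples.Keys) {
        $row[$name] = Test-OfficePasswordPolicy -Password $samples[$name] -RulesLevel $level -MinimumLength 8
    }
    [pscustomobject]$row
}
```

With the domain controller unreachable, level 3 produces the same row as level 2, which is the point of the caveat above: the local settings are the effective floor for users who are off the network. Pass a script block such as `-DomainCheck { param($p) $p.Length -ge 14 }` to see a reachable domain policy override the local result.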

If you want to enforce password length and password complexity by using domain-based settings, you must configure Password Policy settings in Group Policy. Domain-based enforcement has several advantages over local enforcement. Some of the advantages include the following:

  • Password length and complexity requirements are the same for log on and authentication as they are for the Encrypt with Password feature.

  • Password length and complexity requirements are enforced the same way throughout the organization.

  • Password length and complexity requirements can differ between domains. Note that Password Policy settings for domain accounts apply at the domain level; a GPO that sets Password Policy and is linked to an organizational unit or site affects only local accounts on the computers in that scope.

To learn more about enforcing password length and complexity by using domain-based Group Policy, see Enforcing strong password usage throughout your organization (https://go.microsoft.com/fwlink/p/?LinkId=166262).

Determine domain time-out value

If you use domain-based Group Policy settings to enforce password length and complexity for the Encrypt with Password feature and a custom password filter is installed on your domain controllers, you might need to configure the Set password rules domain time-out setting. The domain time-out value determines how long an Office 2010 application waits for a response from a domain controller before it falls back to the local password length and complexity settings for enforcement. By default, the time-out value is 4000 milliseconds (4 seconds): if a domain controller does not respond within that time, the application enforces the local settings instead of the domain policy.

Note

The domain time-out value has no effect unless you enable the Set minimum password length setting, enable the Set password rules level setting, and then select the Local length, local complexity, and domain policy checks option.
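The script below is an added example, not part of Office 2010 or its Administrative Templates, and it ties together the domain Password Policy settings listed earlier and the three Office 2010 settings described in this procedure: it reads the domain's Password Policy with the ActiveDirectory module, derives the matching Office values (local minimum length no lower than the domain's and at least six so the local complexity check is active, the domain policy checks option, and the default 4000 millisecond time-out), and writes them as user policy registry values. The registry value names in $ValueNames and the 0 to 3 numbering of the rules level options are assumptions for illustration and must be confirmed in Office2010GroupPolicyAndOCTSettings_Reference.xls before use; the key path is the HKCU policy location the Office 2010 ADMX files use.

```powershell
# Added example (not part of Office 2010 or its Administrative Templates):
# aligns the Office 2010 per-user password settings with the domain's
# Password Policy, as recommended above. Requires the ActiveDirectory module
# (RSAT) on a domain-joined computer.
# ASSUMPTIONS to verify in Office2010GroupPolicyAndOCTSettings_Reference.xls
# before deployment: the registry value names in $ValueNames and the 0-3
# numbering of the "Set password rules level" options.
#Requires -Modules ActiveDirectory

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Common\Security'
$ValueNames = @{                                 # assumed names, see above
    MinimumLength = 'PasswordMinLength'
    RulesLevel    = 'PasswordRulesLevel'
    DomainTimeout = 'PasswordRulesDomainTimeout'
}

# 1. Read the domain Password Policy (the settings listed above under
#    Account Policies | Password Policy).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
if (-not $domainPolicy.ComplexityEnabled) {
    Write-Warning 'Domain policy does not require complexity; the domain check will accept simple passwords.'
}

# 2. Derive the Office values. The local checks are the fallback when no
#    domain controller answers, so the local minimum length must be at least
#    the domain minimum and at least 6 so that the local complexity check is active.
$officeMinLength = [Math]::Max([int]$domainPolicy.MinPasswordLength, 6)
$rulesLevel      = 3      # Local length, local complexity, and domain policy checks (assumed numbering)
$timeoutMs       = 4000   # default; raise only if a custom password filter on the DCs is slow

# 3. Write the three policy values as REG_DWORD.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
$settings = @{}
$settings[$ValueNames.MinimumLength] = $officeMinLength
$settings[$ValueNames.RulesLevel]    = $rulesLevel
$settings[$ValueNames.DomainTimeout] = $timeoutMs
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
}

# 4. Show the written values beside the domain policy for review.
[pscustomobject]@{
    DomainMinPasswordLength = $domainPolicy.MinPasswordLength
    DomainComplexityEnabled = $domainPolicy.ComplexityEnabled
    OfficeMinPasswordLength = $officeMinLength
    OfficeRulesLevel        = $rulesLevel
    OfficeDomainTimeoutMs   = $timeoutMs
}
Get-ItemProperty -Path $PolicyKey | Select-Object -Property @($ValueNames.Values)
```

Writing directly under HKCU\Software\Policies is the manual equivalent of what the Office 2010 Administrative Templates do, which makes the script useful for a lab or for verifying a single workstation; on managed computers Group Policy will overwrite these values at the next refresh, so deploy the settings through the Administrative Templates or the OCT in production.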

Related password length and complexity settings

The following settings are often used together with password length and complexity enforcement:

  • Cryptographic agility settings   These settings let you specify the cryptographic providers and algorithms that are used to encrypt documents, presentations, and workbooks. A strong password offers little protection if the content is encrypted with a weak algorithm, so review these settings alongside the password settings.

Note

For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.