Domain Policy Settings
Published: February 27, 2008
The security settings in this section of the appendix apply to the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, the following setting groups appear in the Windows Settings sub-node:
Complex passwords that you change regularly help reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. Generally, you configure password policy settings only by using Group Policy at the domain level.
Note Windows Server 2008 supports a new feature called Fine-Grained Password Policies that provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Windows® 2000 and Windows Server® 2003 Active Directory® domains, only one password policy and account lockout policy could be applied to all users in the domain. This guide does not make recommendations for this feature. For more information about Fine-Grained Password Policies, see the AD DS: Fine-Grained Password Policies page on Microsoft TechNet.
You can configure the password policy settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
The following table summarizes the password policy setting recommendations for the two types of secure environments defined in this guide. The subsections after the table describe the purpose and reasoning for the configuration recommendation of each setting.
Table A2. Windows Server 2008 Password Policy Setting Recommendations
Enforce password history
This policy setting determines the number of renewed, unique passwords that must be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Server 2008 is 0 passwords, but when the server is joined to a domain, the default setting is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their passwords.
Maximum password age
This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 1 to 999 days. (You can also set the value to 0 to specify that passwords never expire.) The default value for this policy setting is 42 days. Because attackers can crack passwords, the more frequently you change the password, the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.
Minimum password age
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.
The value for the Minimum password age setting must be less than the value specified for the Maximum password age setting, unless the value for the Maximum password age setting is configured to 0, which causes passwords never to expire. If the value for the Maximum password age setting is configured to 0, you can configure the value for this policy setting to any value between 0 and 999.
To make the Enforce password history setting effective, you should configure this setting with a value that is greater than 0. If you configure the Minimum password age setting to 0, users can cycle through passwords repeatedly until they can reuse an old favorite.
Minimum password length
This policy setting determines the least number of characters that can make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Windows 2000 and later versions, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Remember that users must be educated about the proper selection and maintenance of passwords, especially with regard to password length.
Password must meet complexity requirements
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this policy setting in Windows Server 2008 is configured to Disabled, but it is set to Enabled in a Windows Server 2008 domain for both environments described in this guide.
When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26⁷ (approximately 8 × 10⁹, or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack such a password. A seven-character alphabetic password with case sensitivity has 52⁷ combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62⁷ combinations. An eight-character password has 26⁸ (or 2 × 10¹¹) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings helps to prevent the success of a brute force attack.
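The combinations and search times in the paragraph above can be reproduced with the following script. It is an added example and not part of the Windows Server 2008 Security Guide; the character-class sizes (26, 52 and 62) and the rate of 1,000,000 attempts per second are taken from the text, while the outlives_max_age helper, which compares the exhaustive search time against the Maximum password age setting, is this example's own addition.

```python
# Character-class sizes behind the figures in the appendix (constants named here
# for readability; the appendix gives only the resulting powers).
LOWER = 26        # a-z
MIXED_CASE = 52   # a-z plus A-Z
ALNUM = 62        # a-z, A-Z and 0-9

GUESSES_PER_SECOND = 1_000_000   # the attack rate the appendix assumes


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this class and length."""
    return keyspace(charset_size, length) / rate


def outlives_max_age(charset_size: int, length: int, max_age_days: int,
                     rate: int = GUESSES_PER_SECOND) -> bool:
    """True when an exhaustive search finishes before Maximum password age forces
    a change, so a cracked password is still usable. A maximum age of 0 means
    passwords never expire, so the search always finishes in time."""
    if max_age_days == 0:
        return True
    return exhaustive_search_seconds(charset_size, length, rate) < max_age_days * 86400


def summarize(charset_size: int, length: int) -> dict:
    """Keyspace and search time expressed in the units the appendix uses."""
    secs = exhaustive_search_seconds(charset_size, length)
    return {
        "keyspace": keyspace(charset_size, length),
        "minutes": secs / 60,
        "hours": secs / 3600,
        "days": secs / 86400,
    }


if __name__ == "__main__":
    # The 14-character row is a constructed addition to show how a pass phrase
    # length changes the picture; the others mirror the appendix text.
    for label, cs, n in [("7 lower-case", LOWER, 7),
                         ("7 mixed-case", MIXED_CASE, 7),
                         ("7 alphanumeric", ALNUM, 7),
                         ("8 lower-case", LOWER, 8),
                         ("14 alphanumeric", ALNUM, 14)]:
        s = summarize(cs, n)
        print(f"{label:16s} keyspace={s['keyspace']:.3g} minutes={s['minutes']:.1f} "
              f"hours={s['hours']:.1f} days={s['days']:.1f} "
              f"usable_before_42_day_expiry={outlives_max_age(cs, n, 42)}")
```

The script prints unrounded values; the appendix states its times as whole minutes and hours.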
Store passwords using reversible encryption
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. For this reason, you should enable this policy setting only when application requirements outweigh the need to protect password information. The default value for this policy setting is Disabled.
You must enable this policy setting when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Network Policy Server service. It is also required when using Digest Authentication in Internet Information Services (IIS).
The account lockout policy is an Active Directory Domain Services (AD DS) security feature that locks a user account. The lock prevents logon after a specified number of failed logon attempts occur within a specified period. Domain controllers track logon attempts, and the number of allowed attempts is based on the values that are configured for the account lockout settings. In addition, you can specify the duration of the lock.
These policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. However, an enabled account lockout policy will probably result in more support issues for network users. Before you enable the following settings, ensure that your organization wants to accept this additional management overhead. For many organizations, an improved and less-costly solution is to automatically scan the Security event logs for domain controllers and generate administrative alerts when it appears that someone is attempting to guess passwords for user accounts.
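One way to implement the log-scanning alternative described above, as an added example that is not part of the guide: the script below walks a constructed, flattened export of a domain controller's Security log and raises an alert when one account accumulates repeated failures from a single source inside a sliding window, or when one source fails against many different accounts in that window (the low-and-slow pattern that stays under an Account lockout threshold). Event ID 4625 is the Windows "An account failed to log on" audit event and 4624 its successful counterpart; the record layout, thresholds, account names and addresses are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security audit event "An account failed to log on"
SUCCESSFUL_LOGON = 4624   # "An account was successfully logged on"; ignored below

# Constructed sample export of a domain controller's Security log:
# (timestamp, event ID, target account, source workstation address).
SAMPLE_EVENTS = [
    ("2008-02-27T09:00:01", FAILED_LOGON, "jsmith", "10.0.0.15"),
    ("2008-02-27T09:00:02", FAILED_LOGON, "jsmith", "10.0.0.15"),
    ("2008-02-27T09:00:04", FAILED_LOGON, "jsmith", "10.0.0.15"),
    ("2008-02-27T09:00:05", SUCCESSFUL_LOGON, "mjones", "10.0.0.22"),
    ("2008-02-27T09:00:06", FAILED_LOGON, "jsmith", "10.0.0.15"),
    ("2008-02-27T09:00:08", FAILED_LOGON, "jsmith", "10.0.0.15"),
    ("2008-02-27T09:30:00", FAILED_LOGON, "mjones", "10.0.0.22"),  # one typo, no alert
    ("2008-02-27T10:00:00", FAILED_LOGON, "alice", "10.0.0.99"),
    ("2008-02-27T10:00:01", FAILED_LOGON, "bob", "10.0.0.99"),
    ("2008-02-27T10:00:02", FAILED_LOGON, "carol", "10.0.0.99"),
    ("2008-02-27T10:00:03", FAILED_LOGON, "dave", "10.0.0.99"),
    ("2008-02-27T10:00:04", FAILED_LOGON, "erin", "10.0.0.99"),
]


def detect_guessing(events, per_account_threshold=5, spray_threshold=5, window_minutes=15):
    """Scan failed-logon events in time order and return a list of alerts.

    ("guessing", account, source, n): one source produced n >= per_account_threshold
        failures for the same account inside the window.
    ("spray", source, n): one source failed against n >= spray_threshold distinct
        accounts inside the window.
    Each alert fires once per key so a long-running attack does not flood the operator.
    """
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(deque)  # (account, source) -> timestamps inside the window
    per_source = defaultdict(deque)   # source -> (timestamp, account) inside the window
    alerts, fired = [], set()

    for ts_text, event_id, account, source in sorted(events):
        if event_id != FAILED_LOGON:
            continue
        ts = datetime.fromisoformat(ts_text)

        q = per_account[(account, source)]
        q.append(ts)
        while ts - q[0] > window:      # drop entries that fell out of the window
            q.popleft()
        key = ("guessing", account, source)
        if len(q) >= per_account_threshold and key not in fired:
            fired.add(key)
            alerts.append(key + (len(q),))

        s = per_source[source]
        s.append((ts, account))
        while ts - s[0][0] > window:
            s.popleft()
        distinct = {acct for _, acct in s}
        key = ("spray", source)
        if len(distinct) >= spray_threshold and key not in fired:
            fired.add(key)
            alerts.append(key + (len(distinct),))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The per-account threshold and window are meant to be set a little below the Account lockout threshold and Reset account lockout counter after values in use, so the alert arrives before, or instead of, the lockout; the spray check covers the case where no single account ever reaches the threshold.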
You can configure the account lockout policy settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
The following table includes the account lockout policy setting recommendations for both of the security environments defined in this guide. The subsections after the table describe each setting.
Table A3. Windows Server 2008 Account Lockout Policy Setting Recommendations
Account lockout duration
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked-out account will remain unavailable. If the value for this policy setting is configured to 0, locked-out accounts will remain locked out until an administrator manually unlocks them. The Windows Server 2008 default value for this policy setting is Not Defined.
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. The recommended setting value of 15 minutes for both of the environments defined in this guide was determined to be a reasonable amount of time for users to wait to log on again. In addition, this setting value provides a level of protection against brute force password attacks. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
Account lockout threshold
This policy setting determines the number of failed logon attempts before a lockout occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The computer with the incorrect password will continuously try to authenticate the user, and because the password it uses to authenticate is incorrect, a lockout occurs. To avoid accidental authorized user lockouts, set the account lockout threshold to a high number. The default value for this policy setting is 0 invalid logon attempts, which disables the account lockout feature.
Because it is possible for an attacker to use this lockout state as a denial of service (DoS) attack by triggering a lockout on a large number of accounts, your organization should determine whether to use this policy setting based on identified threats and the risks you want to mitigate. There are two options to consider for this policy setting.
The first option is:
The second option is:
Reset account lockout counter after
This policy setting determines the length of time before the Account lockout threshold setting resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold setting is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
If you leave this policy setting at its default value or configure the value to an interval that is too long, this may make your environment vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts as described earlier in this appendix. If no reset interval is configured, unlocking those accounts is a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users are locked out for a set period until all of the accounts are unlocked automatically.
The recommended setting value of 15 minutes was determined as a reasonable amount of time that users are likely to accept, which should help to minimize the number of calls to the help desk. Users should be aware of the length of time they must wait before attempting to log on so that they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
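The constraints this appendix states for the Password Policy (Minimum password age below Maximum password age unless passwords never expire, and a non-zero Minimum password age for Enforce password history to be effective) and for the Account Lockout Policy (Reset account lockout counter after no greater than Account lockout duration, and a duration of 0 meaning manual unlock) can be checked mechanically before a GPO is deployed. The Python below is an added example and not code from the guide; the dictionary key names are invented for the example, treating an Account lockout duration of 0 as exempt from the reset-counter comparison is an assumption, and the sample values in the usage block are constructed rather than the guide's recommendations.

```python
def validate_password_policy(policy: dict) -> list:
    """Check a Password Policy against the rules stated in the appendix.

    Keys (names invented for this example): enforce_password_history (0-24),
    maximum_password_age (0-999 days, 0 = never expire), minimum_password_age
    (0-999 days), optional reversible_encryption (bool).
    Returns a list of (level, message) tuples; an empty list means no findings.
    """
    findings = []
    history = policy["enforce_password_history"]
    max_age = policy["maximum_password_age"]
    min_age = policy["minimum_password_age"]

    if not 0 <= history <= 24:
        findings.append(("error", "Enforce password history must be 0-24 passwords"))
    if not 0 <= max_age <= 999:
        findings.append(("error", "Maximum password age must be 0-999 days"))
    if not 0 <= min_age <= 999:
        findings.append(("error", "Minimum password age must be 0-999 days"))
    # Minimum age must be below maximum age unless passwords never expire (max 0).
    if max_age != 0 and min_age >= max_age:
        findings.append(("error", "Minimum password age must be less than Maximum password age"))
    # History is only enforced in practice when the minimum age is above 0.
    if history > 0 and min_age == 0:
        findings.append(("warning", "Minimum password age of 0 lets users cycle back to an old password"))
    if max_age == 0:
        findings.append(("warning", "Passwords never expire"))
    if policy.get("reversible_encryption", False):
        findings.append(("warning", "Reversible encryption stores passwords equivalent to plaintext"))
    return findings


def validate_lockout_policy(policy: dict) -> list:
    """Check an Account Lockout Policy against the rules stated in the appendix.

    Keys (invented for this example): account_lockout_threshold (attempts, 0 =
    lockout disabled), account_lockout_duration (minutes, 0 = until an
    administrator unlocks), reset_lockout_counter_after (minutes).
    """
    threshold = policy["account_lockout_threshold"]
    duration = policy["account_lockout_duration"]
    reset = policy["reset_lockout_counter_after"]
    if threshold == 0:
        return [("info", "Account lockout threshold is 0: lockout is disabled")]
    findings = []
    if duration == 0:
        # Assumption for this example: with manual unlock there is no duration to
        # compare the reset interval against, so only the DoS exposure is flagged.
        findings.append(("warning", "Locked accounts stay locked until manually unlocked"))
    elif reset > duration:
        findings.append(("error", "Reset account lockout counter after must not exceed Account lockout duration"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not the guide's recommendations.
    samples = {
        "server default": {"enforce_password_history": 0, "maximum_password_age": 42,
                           "minimum_password_age": 0},
        "history without min age": {"enforce_password_history": 24, "maximum_password_age": 42,
                                    "minimum_password_age": 0},
        "min age equals max age": {"enforce_password_history": 24, "maximum_password_age": 30,
                                   "minimum_password_age": 30},
    }
    for name, pol in samples.items():
        print(name, validate_password_policy(pol))
    print("lockout ok", validate_lockout_policy(
        {"account_lockout_threshold": 10, "account_lockout_duration": 15,
         "reset_lockout_counter_after": 15}))
    print("lockout reset too long", validate_lockout_policy(
        {"account_lockout_threshold": 10, "account_lockout_duration": 15,
         "reset_lockout_counter_after": 30}))
```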