Password and Account Policies

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 5, Windows NT Administrator's Pocket Consultant by William R. Stanek.

Windows NT accounts use passwords to authenticate access to network resources. A password is a case-sensitive string of up to 14 characters made up of letters, numbers, and symbols. When you set a password for an account, Windows NT does not store the password itself; it stores one-way hashes of it (the LAN Manager hash and the NT hash) in the account database, the SAM. The LAN Manager hash is computed from the password converted to uppercase and split into two 7-character halves that are hashed separately, so an attacker who obtains a copy of the account database can attack each half on its own. Length and a mix of character types are what make that attack expensive.

Simply having a password isn't enough. The key to preventing unauthorized access to network resources is to use secure passwords. The difference between an average password and a secure password is that secure passwords are difficult to guess and crack. You make passwords difficult to crack by using combinations of all the available character types including lowercase letters, uppercase letters, numbers, and symbols. For example, instead of using happydays for a password you would use haPPy2Days&, Ha**y!dayS, or even h*PPY%d*ys.

Unfortunately, no matter how secure you initially make a user's password, the user eventually chooses the password. Because of this, you'll want to set account policies. On a Windows NT domain, you set a domain-wide account policy with User Manager for Domains. To do this, complete the following steps:

  1. Start User Manager for Domains.

  2. Select Account from the Policies menu.

  3. You should now see the Account Policy dialog box shown in Figure 5-1. Use the areas of this dialog box to configure your account policy, and then click OK.


Figure 5-1: Use the Account Policy dialog box to set policies for passwords and general account use. The top line of the dialog box shows the name of the computer or domain you are configuring. Be sure that this is the appropriate network resource to configure.

The Account Policy dialog box is divided into two main areas: Password Restrictions and Account Lockout. Password Restrictions set the characteristics of passwords. Account Lockout controls what happens after repeated bad logon attempts against an account. The No Account Lockout and Account Lockout radio buttons determine whether lockout controls are active; select Account Lockout to set them. The fields in the Account Policy dialog box are these:

  • Maximum Password Age

  • Minimum Password Age

  • Minimum Password Length

  • Password Uniqueness

  • Lockout After X Bad Logon Attempts

  • Reset Count After

  • Lockout Duration

  • Forcibly Disconnect Remote Users From Server When Logon Hours Expire

  • Users Must Log On In Order To Change Password

Their uses are discussed in the following sections.

Maximum Password Age

Maximum Password Age determines how long users can keep a password before they have to change it. The aim is to periodically force users to change their passwords. When you use this feature, set a value that makes sense for your network. Generally, you use a shorter period when security is very important and a longer period when security is less important.

By default, this field is set to 42 days. However, you can set it to any value from 1 to 999. Good values where security is a concern are 30, 60, or 90 days. Good values where security is less important are 120, 150, or 180 days.

Although you may be tempted to set no expiration date at all, the User Properties dialog box has a Password Never Expires check box that exempts an individual account from this policy. Use that check box to grant exceptions case by case rather than setting a blanket policy that passwords never expire. Users should change passwords regularly to ensure the security of the network.

Note: Windows NT notifies users when they are getting close to the password expiration date. Anytime the expiration date is less than 30 days away, users see a warning when they log on that they have to change their password within X days.

Minimum Password Age

Minimum Password Age determines how long users must keep a password before they can change it. You can use this field to prevent users from cheating the password system by entering a new password and then changing it right back to the old one.

By default, Windows NT lets users change their passwords immediately. To prevent this, set a specific minimum age. Reasonable settings are from three to seven days. In this way, you make sure that users are less inclined to switch back to an old password but are able to change their passwords in a reasonable amount of time if they want to.

Minimum Password Length

Minimum Password Length sets the minimum number of characters for a password. If you haven't changed the default setting, you'll want to do so immediately. The default is to allow empty passwords (passwords with zero characters), which is definitely not a good idea.

For security reasons, you will generally want passwords of at least eight characters, because longer passwords are harder to guess and far more expensive to crack from a stolen account database. If you want greater security, set the minimum password length to 14 characters; note that 14 is also the maximum User Manager accepts, so every password would then be exactly 14 characters long.

Password Uniqueness

Password Uniqueness sets how frequently old passwords can be reused. You can use this control to discourage users from changing back and forth between a set of common passwords. Windows NT can store up to 24 passwords for each user in the password history. Windows NT does not, however, keep a password history by default.

To use this feature, set the size of the password history using the Remember Passwords field. Windows NT will then track old passwords using a password history that is unique for each user and users will not be allowed to reuse any of the stored passwords.

Note: To discourage users from cheating the Password Uniqueness control, you shouldn't allow them to change passwords immediately. This will prevent users from changing their passwords several times to get back to their old passwords.
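
The interaction between Minimum Password Age, Minimum Password Length and Password Uniqueness that the last few sections describe, modelled as an added example (this is not code from the book or from Windows NT). It assumes that stored passwords can be represented as SHA-256 digests as a stand-in for the one-way hashes NT keeps in the SAM (NT does not use SHA-256), that "Remember N Passwords" covers the current password plus the N-1 before it so that N = 0 blocks nothing, and that days can be counted as plain integers. The password strings are constructed for the demonstration.

```python
"""Model of three Account Policy fields: Minimum Password Age, Minimum
Password Length and Password Uniqueness (password history).

Added example, not code from the book or from Windows NT.  SHA-256 is a
stand-in for the SAM's one-way hashes (NT does not use SHA-256).  Days
are plain integers."""
import hashlib
from dataclasses import dataclass, field


def _digest(password):
    # Stand-in for the SAM hash: the history compares digests, never plaintext.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class AccountPolicy:
    min_password_age_days: int = 0   # NT default: users may change immediately
    min_password_length: int = 0     # NT default: empty passwords allowed
    password_history: int = 0        # NT default: no history (maximum is 24)


@dataclass
class Account:
    current: bytes                   # digest of the password in force
    last_set_day: int                # day number of the last change
    history: list = field(default_factory=list)  # recent digests, newest first


def new_account(password, day=0):
    d = _digest(password)
    return Account(current=d, last_set_day=day, history=[d])


def change_password(policy, acct, new_password, today):
    """Apply the policy to a user-initiated change.  Returns (ok, reason)."""
    if today - acct.last_set_day < policy.min_password_age_days:
        return False, "minimum password age not reached"
    if len(new_password) < policy.min_password_length:
        return False, "shorter than minimum password length"
    new = _digest(new_password)
    # Only the most recent `password_history` digests are remembered
    # (assumption: the current password counts as one of them).
    if new in acct.history[:policy.password_history]:
        return False, "password is in the history"
    acct.current = new
    acct.last_set_day = today
    acct.history.insert(0, new)
    del acct.history[policy.password_history:]   # 0 => remember nothing
    return True, "changed"


def days_to_cycle_back(policy, original="Winter1997!", max_days=10_000):
    """How fast can a user who insists on `original` get back to it?

    Simulates the cheat the text warns about: burn throwaway passwords
    until the original drops out of the history, changing again as soon
    as the minimum age allows.  Returns (number_of_changes, day_of_return),
    or None if max_days is exceeded."""
    acct = new_account(original, day=0)
    day = changes = 0
    while day <= max_days:
        ok, reason = change_password(policy, acct, original, day)
        if ok:
            return changes + 1, day
        if reason == "minimum password age not reached":
            day += 1
            continue
        # Blocked by the history: burn a throwaway password and retry.
        ok, reason = change_password(policy, acct, f"Throwaway{changes:02d}!", day)
        if not ok:
            raise RuntimeError(reason)
        changes += 1
    return None


if __name__ == "__main__":
    for pol in (AccountPolicy(0, 8, 0), AccountPolicy(0, 8, 24), AccountPolicy(3, 8, 24)):
        print(pol, "->", days_to_cycle_back(pol))
```

With no history the user is back on the old password in one change. A 24-entry history alone only costs 25 changes, all of which can be made in a single sitting when the minimum age is zero; adding a three-day minimum age stretches the same 25 changes over 75 days, which is the point of the note above.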

Lockout After X Bad Logon Attempts

Lockout After X Bad Logon Attempts sets the number of logon attempts to allow before locking out an account. If you decide to use lockout controls, you should set this field to a value that balances the need to prevent account cracking against the needs of users who are having difficulty accessing their accounts.

The main reason users may not be able to access their accounts properly the first time is that they forgot their passwords. If this is the case, it may take them several attempts to log on properly. Users could also have problems accessing a remote system where their current passwords don't match the passwords the remote system expects. If this happens, several bad logon attempts may be recorded by the remote system before the user ever gets a prompt to enter the correct password. The reason is that Windows NT may attempt to automatically log on to the remote system.

The field accepts values from 1 to 999. However, the higher the value, the higher the risk that a hacker may be able to break into your system. A reasonable range of values for this field is between 7 and 15. This is high enough to rule out user error and low enough to deter hackers.

Reset Count After

Every time a logon attempt fails, Windows NT increments a counter of bad logon attempts for the account. Reset Count After sets, in minutes, how long after the last bad attempt that counter is reset to zero; the field accepts values from 1 to 99,999. As with the Lockout field, you need to select a value that balances security needs against valid user access needs. A good value is one to two hours (60 to 120 minutes). The window should be long enough that an attacker cannot simply wait it out between short bursts of guesses: anyone who keeps the number of guesses within each window below the lockout threshold never triggers a lockout at all, so a short window combined with a generous threshold gives little protection.

The lockout counter is reset in one of two ways: when the user logs on successfully, or when the Reset Count After period has elapsed since the last bad logon attempt.

Note: Bad logon attempts to a workstation against a password-protected screen saver do not increase the lockout counter. Similarly, if you lock a server or workstation using Ctrl+Alt+Delete, bad logon attempts against the Unlock dialog box do not count.

Lockout Duration

If someone violates the lockout controls, Lockout Duration sets how long the account stays locked. You can set a specific number of minutes with the Duration field or lock the account indefinitely with the Forever option.

Locking the account indefinitely is the strictest setting. Only an administrator can unlock the account, so an attacker cannot wait out the lockout and resume guessing, and a locked-out user has to contact an administrator, which is usually a good idea: by talking to the user, you can determine what the user is doing wrong and help the user avoid future problems. Weigh this against the denial of service it invites. Anyone who can reach a logon prompt can lock any account whose name they know by entering a few bad passwords, and with Forever each such account stays unusable until you unlock it by hand. Note also that the built-in Administrator account is never locked out by this policy, so its password must be strong regardless of this setting.

Tip When an account is locked out, the Account Locked Out check box is displayed in the Properties dialog box for the user. To unlock an account, all you need to do is uncheck this check box.
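
The lockout behaviour described in the three preceding sections (Lockout After X Bad Logon Attempts, Reset Count After and Lockout Duration), modelled as an added example; this is not code from the book or from Windows NT. Time is a plain minute count, a lockout duration of None stands for the Forever setting, a threshold of 0 stands for No Account Lockout, and the event labels returned are this example's own. The two attempt sequences are constructed, not captured from a real system.

```python
"""Model of the Account Lockout fields: Lockout After X Bad Logon Attempts,
Reset Count After and Lockout Duration.

Added example, not code from the book or from Windows NT.  Minutes are
plain integers; lockout_duration_minutes=None models Forever; a threshold
of 0 models No Account Lockout."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    bad_attempts: int                        # Lockout After X Bad Logon Attempts
    reset_count_after_minutes: int           # window after the last bad attempt
    lockout_duration_minutes: Optional[int]  # None = Forever


@dataclass
class AccountLockoutState:
    bad_count: int = 0
    last_bad_minute: Optional[int] = None
    locked_at: Optional[int] = None          # minute the lockout began


def unlock(state):
    """What an administrator does by clearing the Account Locked Out box."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad_minute = None


def attempt_logon(policy, state, correct_password, now):
    """Apply one logon attempt at minute `now`; returns an event label."""
    if state.locked_at is not None:
        dur = policy.lockout_duration_minutes
        if dur is None or now < state.locked_at + dur:
            return "locked out"          # even the right password is refused
        unlock(state)                     # duration elapsed: unlocks automatically
    # Reset Count After: the counter expires once the window has passed.
    if (state.last_bad_minute is not None
            and now - state.last_bad_minute >= policy.reset_count_after_minutes):
        state.bad_count = 0
    if correct_password:
        state.bad_count = 0               # a successful logon clears the counter
        return "success"
    state.bad_count += 1
    state.last_bad_minute = now
    if policy.bad_attempts and state.bad_count >= policy.bad_attempts:
        state.locked_at = now
        return "locked out"
    return "bad password"


def run(policy, attempts):
    """attempts: sequence of (minute, correct_password) pairs; returns labels."""
    state = AccountLockoutState()
    return [attempt_logon(policy, state, ok, t) for t, ok in attempts]


def first_lockout(policy, attempts):
    """Index of the attempt that locked the account, or None if it never locked."""
    labels = run(policy, attempts)
    return labels.index("locked out") if "locked out" in labels else None


# Constructed scenarios: 7 bad attempts, 60-minute reset window, Forever.
POLICY = LockoutPolicy(bad_attempts=7, reset_count_after_minutes=60,
                       lockout_duration_minutes=None)
BURST = [(t, False) for t in range(10)]                      # 10 guesses in 10 minutes
PACED = ([(t, False) for t in range(6)]                      # 6 guesses, then wait
         + [(70 + t, False) for t in range(6)]               # 6 more after the window
         + [(77, True)])                                     # the user's real password

if __name__ == "__main__":
    print("burst  :", run(POLICY, BURST))
    print("paced  :", run(POLICY, PACED))
```

The burst locks the account on the seventh attempt and stays locked no matter what follows. The paced sequence makes twelve wrong guesses and never locks, because each group of six falls inside its own reset window; this is why Reset Count After has to be read together with the lockout threshold.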

Forcibly Disconnect Remote Users From Server When Logon Hours Expire

This field ensures that users can only connect to servers during their valid logon hours. Valid logon hours can be set for each individual user account using the Logon Hours dialog box (which is covered in detail later in this chapter).

If you do not select this field, a user who logs on during valid logon hours can remain on the network after those hours end: existing connections stay open, but any new connection attempts are rejected. If you do select it, the user's connections to the server are closed when the logon hours expire.

Note: If this policy is set, remote users will see a warning to log off the system. Users who do not log off are disconnected when the logon time expires (if Windows NT systems are used). On non-Windows NT systems, users are not forcibly disconnected. Here, they simply cannot log on to the domain during the restricted hours.

Users Must Log On In Order To Change Password

This field determines what happens when a user's password expires. If the field is not checked, users whose password has expired can still log on; the catch is that they must change the password immediately. If the field is checked, users whose password has expired cannot log on at all. They are denied access, and only an administrator can set a new password for them, which effectively re-enables the account.

Additional Password Controls

Beyond the basic password and account policies, Windows NT includes a facility for additional password controls: the Password Change Filter DLL (PASSFILT.DLL). When you install Service Pack 3 or later, this DLL is copied to your %SystemRoot%\System32 directory, where %SystemRoot% is the base directory for the Windows NT operating system. Once the DLL is registered as a notification package (see the steps that follow), the Local Security Authority calls it on every password change and rejects any new password that does not follow these guidelines:

  • Passwords must be at least six characters long.

  • Passwords cannot contain the user name, such as stevew, or parts of the user's full name, such as Steve.

  • Passwords must use three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
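
The three Passfilt.dll guidelines above, written out as a check, as an added example; this is not code from the book and not Microsoft's Passfilt.dll. It assumes case-insensitive comparison, that the full name is split on spaces, commas, periods, hyphens and underscores, and that only name parts of three or more characters are checked (the page does not state a minimum part length; three is this example's choice). The sample account stevew / Steve Williams is constructed.

```python
"""Check a candidate password against the three Passfilt.dll guidelines:
at least six characters, no user name or part of the full name, and at
least three of the four character types.

Added example, not Microsoft's Passfilt.dll.  Assumptions: comparisons
are case-insensitive; name parts shorter than 3 characters are ignored."""
import re

_CLASSES = (str.islower, str.isupper, str.isdigit)


def character_classes(password):
    """Number of the four classes (lower, upper, digit, symbol) present."""
    found = set()
    for ch in password:
        for i, test in enumerate(_CLASSES):
            if test(ch):
                found.add(i)
                break
        else:
            found.add(3)              # anything else counts as a symbol
    return len(found)


def name_parts(full_name, min_len=3):
    """Split 'Steve Williams' into ['Steve', 'Williams'] (assumed delimiters)."""
    return [p for p in re.split(r"[ ,.\-_]+", full_name) if len(p) >= min_len]


def password_filter(account_name, full_name, password):
    """Returns (accepted, list_of_failed_rules)."""
    failed = []
    pw = password.lower()
    if len(password) < 6:
        failed.append("shorter than six characters")
    if account_name and account_name.lower() in pw:
        failed.append("contains the user name")
    for part in name_parts(full_name):
        if part.lower() in pw:
            failed.append(f"contains part of the full name ({part})")
    if character_classes(password) < 3:
        failed.append("fewer than three character types")
    return not failed, failed


if __name__ == "__main__":
    # Constructed sample account; the candidate passwords are the text's examples.
    for candidate in ("happydays", "haPPy2Days&", "Ha**y!dayS", "h*PPY%d*ys", "Steve2024!"):
        print(candidate, password_filter("stevew", "Steve Williams", candidate))
```

Three of four character types is a floor, not a guarantee of strength: Password1! satisfies every rule above and is still among the first guesses any cracker makes, so keep the minimum length and the other policy fields in force alongside the filter.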

To set up strong password filtering, you need to:

  1. Make sure that the file Passfilt.dll is in the %SystemRoot%\System32 directory.

  2. Add the value PASSFILT to the multi-string (REG_MULTI_SZ) value Notification Packages under the registry key:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

    As shown in Figure 5-2, be sure to place PASSFILT on its own line without altering the current entry for FPNWCLNT.

  3. Use the PassProp utility in the Windows NT Resource Kit to manage the strong password filtering once it's enabled.

    Figure 5-2: In the Multi-String Editor, be sure to place the value PASSFILT on its own line. When you are finished, there should be two entries for Notification Packages: FPNWCLNT and PASSFILT.

Note: The Local Security Authority reads Notification Packages when the system starts, so the filter takes effect only after a restart, and it is applied to password changes made from then on; passwords already in use are not rechecked until they are changed. In a domain, password changes are processed by the primary domain controller, so install the filter there, and on each backup domain controller so that it stays in force if a BDC is promoted. Every DLL listed in Notification Packages is loaded into the Local Security Authority and is handed each new password in clear text, so protect this registry value and the System32 directory from modification and list only the packages you actually need.

User Rights Policies

Chapter 4 covered built-in capabilities and default user rights. Although you cannot change built-in capabilities for accounts, you can administer user rights for accounts. Normally, you grant user rights to users by making them members of the appropriate group or groups. However, you can also grant rights directly, and you do this by managing the user rights for the user's account.

Note: Keep in mind that changes you make to user rights can have a far-reaching effect, so only experienced administrators should change the user rights policy. Several rights in Table 5-1 are effectively equivalent to full administrative control of the computer: Act as part of operating system, Create a token object, Replace a process level token, Debug programs, Load and unload device drivers, Back up files and directories, Restore files and directories, and Take ownership of files each let their holder read, replace, or run anything on the system. Grant them only to accounts you would also trust with Administrators membership.

Table 5-1 provides an overview of the basic and advanced user rights on Windows NT. Use this table to help you understand the meaning of various rights. For a domain, rights generally apply to all domain controllers in the domain. For a workstation, rights generally apply only to the single workstation.

Note: Any user who is a member of a group assigned a right also has the right. For example, if the Backup Operators group has the right and GIJOE is a member of this group, GIJOE has this right as well.

Table 5-1 Basic and Advanced User Rights on Windows NT Systems

Each entry gives the right, its type (Basic rights are listed by default in the User Rights Policy dialog box; Advanced rights appear only when Show Advanced User Rights is selected), and a description.

  • Access computer from network (Basic): The user can connect to the computer through the network.

  • Act as part of operating system (Advanced): Allows the user to perform operations as a trusted and secure part of the Windows NT operating system. Some Windows NT subsystems have this right, as does the System pseudo-account.

  • Add workstations to domain (Basic): Allows a user to add workstations to the domain. This right can be granted to users who are not members of the Administrators, Operators, or Power Users groups. However, you cannot revoke this right for privileged groups, such as Administrators.

  • Back up files and directories (Basic): The user can back up files and directories on the computer, regardless of the permissions on them.

  • Bypass directory traverse checking (Advanced): The user can change directories and traverse directory trees even without permission to access a particular directory.

  • Change system time (Basic): Allows the user to set the computer's internal clock.

  • Create a pagefile (Advanced): The user can create pagefiles. Security for pagefiles is in accordance with the registry key \CurrentControlSet\Control\Session.

  • Create a token object (Advanced): Used to create the user token for logon. Although you can assign this right, only the Local Security Authority can use it properly.

  • Create permanent shared objects (Advanced): A system right used to create permanent shared resources, such as devices used by Windows NT.

  • Debug programs (Advanced): Allows the user to debug low-level objects, such as threads.

  • Force shutdown from remote system (Basic): The user can shut down a remote system.

  • Generate security audits (Advanced): Allows the user to generate security audit trails, which are written to the security log.

  • Increase quotas (Advanced): Enables the user to increase object quotas.

  • Increase scheduling priority (Advanced): Enables the user to increase the priority of a process, such as a scheduled printer job.

  • Load and unload device drivers (Basic): The user can load and unload Windows NT device drivers.

  • Lock pages in memory (Advanced): Allows the user to lock pages in memory so they cannot be paged out to PAGEFILE.SYS.

  • Log on as a batch job (Advanced): Enables the user to log on using a batch queue facility.

  • Log on as a service (Advanced): The user can log on as a service. Generally, you set service options using the Services utility in Control Panel or through Server Manager.

  • Log on locally (Basic): Allows the user to log on at the computer's keyboard.

  • Manage auditing and security log (Advanced): The user can manage auditing and the security log.

  • Modify firmware (Advanced): Enables the user to modify system environment variables.

  • Profile single process (Advanced): The user can measure system performance using profiling capabilities on individual processes.

  • Profile system performance (Advanced): The user can measure system performance using profiling capabilities.

  • Replace a process level token (Advanced): Allows the user to replace a process's security access token. Because this changes the security context a process runs under, it can open your system to attack; the right should be used only by Windows NT itself or the System account.

  • Restore files and directories (Basic): Enables the user to restore files and directories, regardless of the permissions on them.

  • Shut down the system (Basic): Allows a user at the computer to shut it down.

  • Take ownership of files (Basic): The user can take ownership of files, regardless of the permissions on them.

Administering the User Rights Policy

To administer the user rights policy, start User Manager (or User Manager for Domains) and then select User Rights from the Policies menu. You should now see the User Rights Policy dialog box shown in Figure 5-3. Use the Right selection menu to select the user right you want to modify. As you select rights, the Grant To list box shows you the users and groups who have been assigned this right.

To grant a right to a user or group, do the following:

  1. Select the user right you want to modify using the Right selection menu. Display advanced user rights by selecting the Show Advanced User Rights check box (if necessary).

  2. Click Add, and then use the Add Users and Groups dialog box to grant the right to additional users and groups.


    Figure 5-3: The User Rights Policy dialog box lets you modify the default user rights policy for domains and individual computers. The domain or computer you are modifying is shown at the top of the dialog box.

To revoke an existing right, do the following:

  1. Select the user right you want to modify using the Right selection menu. Display advanced user rights by selecting the Show Advanced User Rights check box (if necessary).

  2. Select the users or groups for whom you want to revoke the right, and then click Remove.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
