Please read the following article written by KLC Consulting, compare these policies to the policies you have at work now, or have had in the past. Explain why password policies are good and how they can be manipulated. If a business has a strict account and management policy in place, does that make it safe? Why/Why not? Find an article online that reported a network or data security breach; how did it impact the company?
KLC Consulting, Inc.
IS / IT Security Services
Here are some recommendations on your user account and password management. Keep in mind that your security policies depend strictly on your business requirements! Security and convenience move inversely: the tighter the controls, the more friction for users and the more administrative work for you.
- Rename the default administrator account Administrator to something harder to guess. This stops casual attempts that assume the name Administrator, but it does not hide the account: the built-in account keeps its well-known relative identifier (RID 500), so anyone who can enumerate accounts by SID will find it under its new name. Treat the rename as one layer, not a hiding place, and make sure you remember the new administrator account name and password. You will need to log in as the local administrator to make any changes to the computer configuration and to install hardware and software.
After you have renamed the administrator account, you should no longer see an account named Administrator .
Next, create a decoy account. Create a new user called Administrator and make sure it does NOT belong to any groups. In other words, when you click the Member of tab in the user properties in the User Management window, you should not see any groups listed; new accounts are placed in the Users group by default, so remove it if it is there. Give the decoy a long random password that nobody uses. This makes sure the decoy account named Administrator has no access to the server.
If you have auditing of logon/logoff events turned on, you will be able to detect any logon attempt, successful or failed, that names the decoy Administrator account, since no legitimate user should ever use it. Check the Security log in Event Viewer: repeated failures against the decoy show that someone is guessing, and a successful logon shows that the decoy's password was guessed. This gives you an early indication of hacking activity.
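As an added example that is not part of the KLC article, the Python below applies the check just described to Security-log records. The records are constructed for this example and reduced to four fields (timestamp, event ID, user name, workstation); the event IDs 528 (successful logon), 529 (unknown user name or bad password) and 539 (account locked out) are the Windows NT/2000 Security-log IDs. The function names and the decoy name are the example's own assumptions.

```python
"""Flag logon activity against a decoy 'Administrator' account in Security-log records."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Windows NT/2000 Security-log event IDs for logon auditing.
LOGON_SUCCESS = 528
LOGON_FAILURE_BAD_CREDENTIALS = 529   # unknown user name or bad password
LOGON_FAILURE_LOCKED_OUT = 539

# Constructed sample records (not real logs): "timestamp|event id|user name|workstation".
# WKS17 hammers the decoy and finally gets in; WKS04 is a user who mistyped once.
SAMPLE_LOG = """\
2001-03-05 12:00:03|529|Administrator|WKS17
2001-03-05 12:00:09|529|Administrator|WKS17
2001-03-05 12:00:14|529|Administrator|WKS17
2001-03-05 12:00:20|539|Administrator|WKS17
2001-03-05 12:02:41|528|jsmith|WKS04
2001-03-05 12:05:10|529|jsmith|WKS04
2001-03-05 12:05:25|528|jsmith|WKS04
2001-03-05 12:07:00|528|Administrator|WKS17
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    user: str
    workstation: str


def parse_log(text: str) -> list:
    """Turn the simplified export into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ws = line.split("|")
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, ws))
    return events


def decoy_activity(events: list, decoy: str = "Administrator") -> list:
    """Every event naming the decoy is suspicious: nobody legitimate should touch it."""
    return [e for e in events if e.user.lower() == decoy.lower()]


def failures_by_source(events: list) -> dict:
    """Count failed logons per (workstation, account) to see where guessing comes from."""
    counts = Counter()
    for e in events:
        if e.event_id in (LOGON_FAILURE_BAD_CREDENTIALS, LOGON_FAILURE_LOCKED_OUT):
            counts[(e.workstation, e.user)] += 1
    return dict(counts)


def report(text: str, decoy: str = "Administrator") -> dict:
    """Summarise decoy activity; any decoy success means its password was guessed."""
    events = parse_log(text)
    hits = decoy_activity(events, decoy)
    successes = [e for e in hits if e.event_id == LOGON_SUCCESS]
    return {
        "decoy_events": len(hits),
        "decoy_successes": len(successes),
        "decoy_sources": sorted({e.workstation for e in hits}),
        "failures_by_source": failures_by_source(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the report shows five events against the decoy from WKS17, four of them failures and one success, which is exactly the pattern worth a phone call; the single failure from WKS04 followed by a success is ordinary user behaviour.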
- Make sure the passwords for the Administrator and regular user accounts are changed every 30 to 90 days, so that a password that has quietly leaked does not stay valid indefinitely.
- The Windows 2000 default password and account lockout policies should be changed. As the defaults below show, out of the box a blank password is acceptable and an account is never locked out no matter how many guesses are made.
Here are the default password policy settings:
Enforce password history: 1 password remembered
Maximum password age: 42 days
Minimum password age: 0 days
Minimum password length: 0 characters
Passwords must meet complexity requirements: Disabled
Store password using reversible encryption for all users in the domain: Disabled
Here are the default account lockout policy settings:
Account lockout duration: Not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: Not defined
Here are some suggested settings for the password policy. Each entry gives the vendor or standards-body recommendation where one is listed, then our suggested value, then the reasoning.
MS = Microsoft, NSA = National Security Agency, NIST = National Institute of Standards and Technology, SANS = SANS Institute
Enforce password history: 12 passwords remembered. Combined with a 90-day maximum age, users cannot reuse a password from the past 3 years.
Maximum password age: MS 42; suggested 90 days. Users must change their password within 90 days. Usually between 30 and 90 days; the system administrator can decide a reasonable value in that range.
Minimum password age: MS 2; SANS 1 to 5; suggested 1 day. Users cannot change their password again within 1 day of the last change. This is what makes the history setting work: without it, a user can change the password 12 times in a row and land straight back on the old favourite.
Minimum password length: MS 8; suggested 8 characters. Usually between 6 and 12 characters; 6 to 8 is the more common range, and 8 is the better end of it.
Passwords must meet complexity requirements: Disabled (you decide). If set with the default passfilt.dll:
Store password using reversible encryption for all users in the domain: Disabled (you decide). Usually not set, and for good reason: a reversibly encrypted password is as good as plain text to anyone who can read the account database, so enable it only for the specific accounts and protocols that require it. Learn more from the Microsoft link below.
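The table gives the values but not what they mean for a user who is changing a password. As an added example that is not part of the KLC article, the Python below applies the suggested settings (length 8, history 12, minimum age 1 day) together with the complexity test that the default passfilt.dll performs on Windows 2000: no part of the account name in the password, at least six characters, and characters from three of the four classes (uppercase, lowercase, digits, other). Those three rules are stated here from Microsoft's documentation, not from the page. SHA-256 stands in for the hash Windows keeps in the password history, and the function, policy and sample names are the example's own. It also shows why minimum age and history only work together: with a minimum age of 0, a user can push the old favourite out of the history in minutes.

```python
"""Check a proposed password change against the suggested Windows 2000 password policy."""
import hashlib
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2001, 3, 5, 9, 0)  # fixed clock so the example is reproducible


@dataclass(frozen=True)
class PasswordPolicy:
    history_length: int = 12   # "Enforce password history"
    min_age_days: int = 1      # "Minimum password age"
    min_length: int = 8        # "Minimum password length"
    complexity: bool = True    # "Passwords must meet complexity requirements" (passfilt.dll)


def fingerprint(password: str) -> str:
    """Stand-in for the hash Windows keeps in the history; Windows itself does not use SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account_name: str) -> bool:
    """Default passfilt.dll test: no account name inside, >= 6 characters, 3 of 4 classes."""
    if account_name and account_name.lower() in password.lower():
        return False
    if len(password) < 6:
        return False
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ]
    return sum(classes) >= 3


def password_change_violations(candidate: str, account_name: str, history: list,
                               last_change, now: datetime,
                               policy: PasswordPolicy = PasswordPolicy(),
                               admin_reset: bool = False) -> list:
    """List the policy rules the change would break; an empty list means it is allowed.

    history is the list of fingerprints of earlier passwords, oldest first.
    Minimum age does not apply when an administrator resets the password.
    """
    problems = []
    if (not admin_reset and last_change is not None
            and now - last_change < timedelta(days=policy.min_age_days)):
        problems.append("minimum password age")
    if len(candidate) < policy.min_length:
        problems.append("minimum password length")
    if policy.complexity and not meets_complexity(candidate, account_name):
        problems.append("complexity requirements")
    remembered = history[-policy.history_length:] if policy.history_length > 0 else []
    if fingerprint(candidate) in remembered:
        problems.append("password history")
    return problems


def can_cycle_back(policy: PasswordPolicy, favourite: str, account_name: str,
                   changes_per_day: int) -> bool:
    """Can a user defeat the history by rapid changes and return to a favourite password?"""
    history = [fingerprint(favourite)]
    now = last_change = NOW
    step = timedelta(days=1) / changes_per_day
    for i in range(policy.history_length):     # this many fillers push the favourite out
        now += step
        filler = f"Filler{i:02d}!x"             # meets length and complexity on its own
        if password_change_violations(filler, account_name, history, last_change, now, policy):
            return False                        # minimum age (or another rule) stopped the cycle
        history.append(fingerprint(filler))
        last_change = now
    now += step
    return not password_change_violations(favourite, account_name, history, last_change, now, policy)


if __name__ == "__main__":
    print(password_change_violations("short1!", "jsmith", [], None, NOW))
    print("cycle with min age 0:", can_cycle_back(PasswordPolicy(min_age_days=0), "Summer2001!", "jsmith", 24))
    print("cycle with min age 1:", can_cycle_back(PasswordPolicy(min_age_days=1), "Summer2001!", "jsmith", 24))
```

With the suggested one-day minimum age the hourly cycling attempt fails on its very first change; with a minimum age of 0 the same user is back on the favourite within half a day and the twelve-password history has bought nothing.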
Here are some suggested settings for the account lockout policy:
Account lockout duration: MS 0 (indefinite); suggested 15 minutes. You must weigh the system administration cost before choosing this value. You can set 30 minutes to remove the lockout automatically, though most legitimate users will call you anyway when they get locked out. Note that 0 means lock out indefinitely, until an administrator unlocks the account; with that setting anyone who can reach a logon prompt can lock every user out on purpose by deliberately failing logons, which is why a finite duration is suggested. 99999 minutes is the maximum allowed for this policy.
Account lockout threshold: MS 5; suggested 3 invalid logon attempts. Legitimate users should not need more than 3 tries to get the right password. If they do, the account is locked out and the system administrator can investigate the reason. If many legitimate users are getting locked out, either adjust this value or treat it as a sign that someone is guessing passwords to get into the network. 3 attempts is a common value. Note that on Windows 2000 the built-in Administrator account is exempt from lockout unless you enable it with the Resource Kit tool passprop /adminlockout, which is one more reason to rename that account and give it a strong password. Also keep in mind that lockout only stops fast guessing: an attacker who spaces attempts wider than the reset window below stays under the threshold.
Reset account lockout counter after: MS 30; suggested 15 to 30 minutes. The time that must pass after the last bad attempt before the counter of bad password attempts returns to 0. 15 to 30 minutes is usually sufficient. For example, if this value is set to 15 minutes and a user tries 2 bad passwords at 12:00 PM, Windows 2000 remembers 2 bad attempts for that account; by 12:16 PM the counter has been reset to 0.
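The three lockout settings interact, and the interaction is easier to see by running it than by reading it. As an added example that is not part of the KLC article, the Python below models an account's bad-password counter under a lockout policy (threshold, reset window, duration) with the suggested values, reproduces the 12:00 PM / 12:16 PM example above, and then shows the two ways the policy can be played: an attacker pacing guesses just wider than the reset window never trips the lock, and an indefinite duration lets anyone lock a victim out until an administrator intervenes. The class and function names are the example's own; the event IDs in comments are the Windows 2000 Security-log IDs.

```python
"""Simulate the Windows 2000 account lockout policy: threshold, reset window and duration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # invalid attempts before lockout; 0 = never lock out (the default)
    reset_after_min: int  # minutes after the last bad attempt before the counter returns to 0
    duration_min: int     # minutes the lock lasts; 0 = locked until an administrator unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


def t(hour: int, minute: int) -> datetime:
    """Clock helper: times on a fixed sample day."""
    return datetime(2001, 3, 5, hour, minute)


class LockoutSimulator:
    """Applies a LockoutPolicy to a stream of logon attempts, account by account."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}  # account name -> AccountState

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def _expire(self, st: AccountState, when: datetime) -> None:
        """Lazily apply the lockout duration and the reset window as time passes."""
        p = self.policy
        if st.locked_at is not None:
            if p.duration_min > 0 and when >= st.locked_at + timedelta(minutes=p.duration_min):
                st.locked_at, st.bad_count, st.last_bad = None, 0, None   # lock expired
            return                                                        # still locked
        if st.last_bad is not None and when >= st.last_bad + timedelta(minutes=p.reset_after_min):
            st.bad_count, st.last_bad = 0, None                           # counter reset

    def bad_count_at(self, account: str, when: datetime) -> int:
        st = self._state(account)
        self._expire(st, when)
        return st.bad_count

    def is_locked(self, account: str, when: datetime) -> bool:
        st = self._state(account)
        self._expire(st, when)
        return st.locked_at is not None

    def unlock(self, account: str) -> None:
        """The manual unlock an administrator performs when duration is 0 (indefinite)."""
        self.accounts[account] = AccountState()

    def attempt(self, when: datetime, account: str, password_correct: bool) -> str:
        """Outcome of one logon attempt: 'ok', 'bad-password' or 'locked-out'."""
        st = self._state(account)
        self._expire(st, when)
        if st.locked_at is not None:
            return "locked-out"              # logged as event 539
        if password_correct:
            st.bad_count, st.last_bad = 0, None
            return "ok"                      # event 528
        st.bad_count += 1
        st.last_bad = when
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = when              # this attempt trips the lock
        return "bad-password"                # event 529


def paced_guessing(policy: LockoutPolicy, guesses: int, interval_min: int) -> int:
    """How many of an attacker's guesses are wasted on a locked account at a given spacing."""
    sim = LockoutSimulator(policy)
    rejected = 0
    for i in range(guesses):
        if sim.attempt(t(12, 0) + timedelta(minutes=i * interval_min), "target", False) == "locked-out":
            rejected += 1
    return rejected


if __name__ == "__main__":
    suggested = LockoutPolicy(threshold=3, reset_after_min=15, duration_min=15)
    print("one guess per minute, 10 guesses, wasted:", paced_guessing(suggested, 10, 1))
    print("one guess per 16 minutes, 10 guesses, wasted:", paced_guessing(suggested, 10, 16))
```

The paced run is the point to take away: with a 15-minute reset window, a guess every 16 minutes resets the counter to 1 every time and the threshold of 3 is never reached, so lockout alone does not stop a patient attacker; the audit log from the earlier recommendation is what catches that pattern.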
For more information on the settings, you can find details on Microsoft website: Creating User and Group Accounts
- Make sure users do NOT write down their passwords and post them on the computer monitor, the keyboard, or under the desk. You may laugh, but if you check your users, you will be surprised at how many do this. If they do need to write down a password for whatever reason, make sure it is stored in a secure location, e.g. a locked drawer.
- Make sure users do NOT share passwords with other people.
- Make sure users do NOT reveal passwords to anyone other than the system administrators and people delegated by the system administrators. Better still, administrators should never need a user's password at all; if access is required, reset the password rather than ask for it.
- Enable auditing of successful and failed logon/logoff events. Failures show you who is guessing; successes show you when a guess worked or an account is used at an unusual time or place.
- If you are a system administrator for a business environment, make sure you set a strong local administrator password on every desktop, and make it different on each machine so that one compromised desktop does not hand over the rest. Users should NOT know the password for the local administrator account.
If you are a home user, make sure you have a strong password for your Administrator account.