To protect user accounts in an Active Directory domain, an administrator should configure and enforce a domain password policy that requires sufficient password complexity and length, as well as regular password changes for user and service accounts. This makes it harder for an attacker to crack user passwords with a brute-force attack, or to capture passwords sent over the network.
By default, common requirements for user passwords in an AD domain are set through Group Policy (GPO) settings. The password policy for domain user accounts is configured in the Default Domain Policy.
- To configure the AD account password policy, open the Group Policy Management console (gpmc.msc);
- Expand your domain and find the GPO named Default Domain Policy. Right-click it and select Edit;
- Password policies are located in the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy;
- Double-click a policy setting to edit it. To enable a specific policy setting, check Define this policy setting and specify the required value (in the screenshot below, I’ve set the minimum password length to 8 characters). Save the changes.
- The new password policy settings will be applied to all domain computers in the background after a while (90 minutes), during computer boot, or you can apply the policy immediately by running the
Let’s look at all available Windows password settings. There are six password policies:
- Enforce password history – determines the number of old passwords stored in AD, thus preventing a user from reusing an old password;
- Maximum password age – sets the password expiration period in days. When this period expires, the system prompts the user to change the password. This policy ensures that users change their passwords regularly;
- Minimum password length – it is recommended that passwords contain at least eight characters (if you specify 0 here, no password is required);
- Minimum password age – sets how often users may change their passwords. This setting prevents a user from changing the password several times in a row in order to push a favourite old password out of the password history and get back to it. As a rule, it is worth setting 1 day here, so that users can still change a password themselves if it gets compromised (otherwise an administrator has to change it);
- Password must meet complexity requirements – if the policy is enabled, a user can’t use the account name in a password (no more than 2 consecutive characters of the account name or Firstname may appear in it), and at least three of the following four character types must be used in the password: digits (0–9), uppercase letters, lowercase letters and special characters ($, #, %, etc.). Also, to prevent the use of weak passwords (from password dictionaries), it is recommended to regularly .
- Store passwords using reversible encryption – user passwords are stored encrypted in the AD database, but in some cases you have to grant some applications access to user passwords. If this policy setting is enabled, passwords are much less protected (almost plain text). It is not secure (an attacker can get access to the password database if the DC is compromised; an can be used as one of the security measures).
In addition, the following settings should be configured in the GPO section Account Lockout Policy:
- Account Lockout Threshold – the number of failed sign-in attempts (attempts to enter a wrong password) a user can make before the account is locked out;
- Account Lockout Duration – how long an account stays locked after the user has entered a wrong password several times;
- Reset account lockout counter after – the number of minutes after which the Account Lockout Threshold counter is reset.
The default password policy settings in an AD domain are listed in the table below:

| Policy setting | Default value |
|---|---|
| Enforce password history | 24 passwords |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not set |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not set |
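As an added example (not code from the original article), the PowerShell snippet below reads the effective domain password and lockout policy with the RSAT ActiveDirectory module and checks it against the recommendations and defaults described above; the pass/fail thresholds are this example's own assumptions taken from the text, not Microsoft defaults.

```powershell
# Audit the domain's default password and lockout policy.
# Assumes the RSAT ActiveDirectory module is installed; reading the policy
# works for any domain user, changing it requires Domain Admin rights.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Thresholds are the article's recommendations/defaults (assumed values).
$checks = @(
    @{ Name = 'Minimum password length >= 8';     Pass = $policy.MinPasswordLength -ge 8 }
    @{ Name = 'Complexity requirements enabled';  Pass = [bool]$policy.ComplexityEnabled }
    @{ Name = 'Reversible encryption disabled';   Pass = -not $policy.ReversibleEncryptionEnabled }
    @{ Name = 'Password history >= 24';           Pass = $policy.PasswordHistoryCount -ge 24 }
    @{ Name = 'Minimum password age >= 1 day';    Pass = $policy.MinPasswordAge -ge (New-TimeSpan -Days 1) }
    # A max age of 0 or an absurdly large span both mean "never expires".
    @{ Name = 'Maximum password age configured';  Pass = ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) -and
                                                         ($policy.MaxPasswordAge -le (New-TimeSpan -Days 365)) }
    @{ Name = 'Account lockout threshold > 0';    Pass = $policy.LockoutThreshold -gt 0 }
)

$failed = 0
foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL'; $failed++ }
    '{0,-5} {1}' -f $status, $c.Name
}

# The values come from the domain root object, which the PDC Emulator keeps
# in sync with the Default Domain Policy GPO.
"Policy source: $($policy.DistinguishedName)"
"Failed checks: $failed"

# Example remediation (Domain Admin required), shown commented out:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
#     -MinPasswordLength 8 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
```

Run it on a workstation with RSAT or directly on a domain controller; a non-zero failed count means the Default Domain Policy is weaker than the settings this article recommends.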
An AD domain can have only one password policy applied to the domain root (there are some nuances, but we’ll talk about them later). Usually, the domain password policy is configured in the GPO named Default Domain Policy. If you create another GPO with different password settings and link it to a specific OU, its settings will be ignored. The domain controller that owns the PDC Emulator FSMO role manages the domain password policy. To edit the Default Domain Policy settings, you need domain administrator privileges.
The password policy GPO settings are applied to all domain computers (not users). If you need separate password policies for different groups of users, you can use the that appeared in the AD version of Windows Server 2008. Granular password policies let you require longer or more complex passwords for administrator accounts (check out the article ), or make the passwords of some accounts simpler or even disable password requirements for them completely.