Domain-level policy in Windows Security Guide

Source: PChome

Introduction

All Account Policy Group Policy settings can be applied at the domain level. The default value is provided in the default Domain Controller Built in the Account Policy, account lock policy, and Kerberos policy. Remember, Microsoft Windows allows only one domain account policy when setting these policies in Microsoft Active Directory: The account policy applied to the domain root domain. The domain account policy becomes the default account policy for any Windows system that belongs to the domain. The only exception to this rule is when another account policy is defined for the organization unit. The account policy settings of the organization (OU) will affect the local policies on any computer in the OU. This module will discuss all the settings for each type.

Account Policy

The account policy is implemented at the domain level. The Microsoft Windows Server 2003 domain must have a password policy, account lock policy, and Kerberos V5 authentication protocol for this domain. Setting these policies at any other level in Active Directory only affects the local account on the member server. If a group requires a separate password policy, the Group should be segmented to another domain or directory forest according to any other requirements.
In Windows and many other operating systems, the most common way to verify user identity is to use a secret pass code or password. To ensure the security of the network environment, all users must use strong passwords. This helps prevent unauthorized users from guessing the threats caused by weak passwords. They use manual methods or tools to obtain creden。 for leaked user accounts. This is especially useful for managing accounts. The Microsoft Excel Workbook "Windows Default Security and Services Configuration" provided with this Guide provides a document for the Default settings. Click here to download.

Regular changes to complex passwords reduce the possibility of successful password attacks. Password Policy settings control the complexity and lifetime of passwords. This section describes the account settings for each specific password policy.

Note: For domain accounts, each domain can have only one account policy. The account policy must be defined in the default domain policy or a new policy linked to the domain root, and the account policy takes precedence over the default domain policy enforced by the domain controller that makes up the domain. The domain controller always obtains account policies from the root directory of the domain, even if there are other account policies applied to the OU containing the domain controller. The root directory of the domain is the top-level container of the domain. Do not confuse it with the root domain in the directory forest. The root domain in the directory forest is the top-level domain in the directory forest.

By default, workstations and servers (that is, domain member computers) that are added to the domain also receive the same account policies for their local accounts. However, by defining an account policy for an OU that contains a member computer, you can distinguish the Local Account Policy of the member computer from the domain account policy.

You can configure account policy settings in the Group Policy object editor at the following locations:

Computer Configuration Windows Settings Security Settings \ Account Policy Password Policy

Force password history

The "force password history" setting determines the number of unique new passwords that must be associated with the user account before the old password is reused.

The possible values of policy settings for this group are:

Value specified by the user, ranging from 0 to 24

Not Defined

Vulnerabilities

Password reuse is an important issue for any organization. Many users want to use or reuse the same account password for a long time. The longer a specific account uses the same password, the more chance an attacker can determine the password through a brute force attack. If you require users to change their passwords, but cannot prevent them from using old passwords, or allow them to reuse a few passwords continuously, the effectiveness of a good password policy will be greatly reduced.

Therefore, setting a lower value enables users to reuse a few identical passwords. If you have not configured the "Minimum Password Use Period", you can change the password multiple times as needed to reuse the original password.

Countermeasure

Set "force password history" to the maximum value of "24 ". Setting this value to the maximum setting helps minimize vulnerabilities caused by password reuse.

Because this setting is valid within the organization, you are not allowed to change the password immediately after "Minimum Password Use Period" is configured. To determine the level of the value, we should consider the maximum length of use of the password and the reasonable Password Change Interval requirements for all users in the Organization.

Potential Impact

The main impact of this setting is that the user must provide a new password whenever the user is required to change the old password. Because users are required to change their passwords to a new unique value, they will write their own passwords to avoid forgetting, which brings greater risks.

Maximum Password Validity Period

The "Maximum Password life" setting determines the number of days before the system requires the user to change the password.

The possible values of policy settings for this group are:

& #8226; Number of days specified by the user, ranging from 0 to 999

Vulnerabilities

Any password can be cracked. With the current computing power, even cracking the most complex password is only a matter of time and processing capabilities. Some of the following settings can increase the difficulty of password cracking within a reasonable period of time. However, changing the password in the environment often helps reduce the risk of a valid password being cracked and reduce the risk of unauthorized access to the password. You can configure the Maximum Password validity period so that you do not need to change the password, but this will cause a considerable security risk.

Countermeasure

Set the maximum number of days for the password to be used between "30" and "60. By setting the number of days to "0", you can set "Maximum Password life" to never expire.

Potential Impact

If the maximum password validity period is set too low, the user is required to change the password very frequently. This may actually reduce the security of the organization, because users are more likely to write their own passwords to avoid forgetting. Setting this value too high will also reduce the security of the Organization, because it can give potential attackers more time to crack the user's password.

Minimum Password Validity Period

The "Minimum Password Use Period" setting determines the number of days before a user can change the password. The minimum password use period must be less than the maximum password use period.

If you want to set "force password history" to valid, set "password shortest life" to a value greater than 0. If you set "force password history" to "0", you do not need to select a new password. If you use the password history, you must enter a new unique password when changing the password.

The possible values of policy settings for this group are:

The number of days specified by the user, ranging from 0 to 998.

Not Defined

Vulnerabilities

If you can use several passwords until you find your favorite old password, it is invalid to force the user to change the password periodically. This setting can be used with the "force password history" setting to prevent this situation. For example, if you set "force password history" to ensure that you cannot reuse the last 12 passwords, and set "password shortest life" to "0 ", then, you can change the password 13 times in a row to return the original password. Therefore, to make the "force password history" setting valid, you must set this setting to greater than 0.

Countermeasure

Set "Minimum Password Use Period" to "2 days ". Setting the number of days to "0" will allow immediate password change. We do not recommend this.

Potential Impact

There is a small problem when you set "Minimum Password Use Period" to a value greater than 0. If the administrator sets a password for the user and wants to change the password defined by the Administrator, the Administrator must select the "Change Password Upon next login" check box. Otherwise, the user can change the password until the next day.

Minimum Password Length

The "Minimum Password Length" setting determines the minimum number of characters that can constitute the user account password. There are many different theories for determining the optimal password length of an organization, but the word "pass code" may be better than "password. In Microsoft Windows 2000 and later versions, the pass code can be quite long and contain spaces. Therefore, phrases such as "I want to drink a $5 milkshake" are valid pass codes, it is much more powerful and easier to remember than a string consisting of 8 or 10 random numbers and letters.

The possible values of policy settings for this group are:

& #8226; user-specified value, ranging from 0 to 14

& #8226; Not Defined

Vulnerabilities

Attackers can perform several types of password attacks to obtain the passwords of specific user accounts. These types of attacks include dictionary attacks that attempt to use common words and phrases, and attempts to use each possible combination of characters. In addition, attackers can perform attacks by obtaining the account database and using the account and password cracking utility.

Countermeasure

Set the "shortest password length" to "8" at least ". If the number of characters is set to "0", the password is not required.

In most environments, we recommend that you use a password consisting of 8 characters, because it is long enough to provide sufficient security and short enough to facilitate user memory. This setting provides sufficient defense against brute-force attacks. Increasing the complexity requirement will help reduce the possibility of dictionary attacks. The complexity requirements will be discussed in the next section.

Potential Impact

Enabling a short password reduces security because using a dictionary attack or brute-force attack tool on the password can easily crack the short password. A long password may cause an incorrect password and cause account locking. Thus, the help desk is prompted?

Requires a very long password may actually reduce the security of the organization, because users are more likely to write their own password to avoid forgetting. However, if users are taught to use the above Code, they should be more easily remembered.

The password must meet the complexity requirements.

The "Password Must Meet the Complexity Requirement" setting determines whether the password must comply with a series of principles that are important to strong passwords.

Enabling this policy requires that the password meet the following requirements:

& #8226; the password must contain at least 6 characters.

& #8226; the password contains three types of characters:

& #8226; uppercase English characters (A-Z)

& #8226; lowercase English characters (a-z)

& #8226; 10 Base numbers (0-9)

& #8226; non-alphanumeric characters (for example :! , $, #, Or %)

& #8226; the password cannot contain three or more characters from the user's account name. If the account name is less than three characters long, this check is not performed because the password is too likely to be rejected. When checking the user's full name, several characters are considered as delimiters that separate names into individual tokens. These delimiters include: comma, period, dashes/hyphens, underscores, spaces, pound characters, and tabs. For each token containing three or more characters, the password is searched. If the token is found, the password is rejected. For example, the name "Erin M. Hagens" will be split into three tokens: "Erin", "M", and "Hagens ". Because the second token only contains one character