Windows default password policy
When you log on to an Active Directory domain, you enter a user name, a password, and a domain name.
The domain controller that receives the logon request checks the user name and password against the user's entry in the Active Directory database. If the password is correct, the domain controller authenticates the user and issues the credentials (a Kerberos ticket in an Active Directory domain) that the user presents to obtain access to other resources in the domain.
The same path is used when a user changes the account password: the new password is sent to the domain controller, which enforces the password policy to ensure that the new password meets the minimum security standard. The default password policy in a Windows Server 2003 domain is as follows (it applies to domain accounts and, because the Default Domain Policy is applied to every domain member, to the local accounts on those computers as well):
· Minimum password length: the password must contain at least 7 characters.
· Complexity: the password must contain characters from at least three of the following classes: uppercase letters, lowercase letters, digits, and special (non-alphanumeric) characters. The built-in complexity filter also rejects a password that contains the account name or a part of the user's full name, and it counts other Unicode letters as a further class.
· Maximum password age: a password must be changed within 42 days; after that the user is forced to change it before logging on.
· Password history: a password cannot be reused until 24 other unique passwords have been set. The accompanying default minimum password age of 1 day stops a user from cycling through 24 passwords in one sitting to get back to the old one.
All of these settings live in the Computer Configuration section of a GPO, under Windows Settings, Security Settings, Account Policies, Password Policy. Figure 1 shows where these password policy settings are configured.
Figure 1: Password Policy settings in a GPO are located under Computer Configuration, not under User Configuration
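The rules in the list above can be checked against a candidate password before it is submitted to the domain controller. The following PowerShell function is an added example, not code from the original article: it implements the default policy (minimum length, three of four character classes, no account-name or full-name tokens, no reuse within the last 24 passwords). The account name, display name and sample passwords are constructed for the demonstration; a real domain controller compares password hashes rather than the cleartext strings used in the `$History` parameter here.

```powershell
# Added example (not from the original article): checks a candidate password
# against the default domain password policy described above, including the
# extra complexity clause that rejects the account name and name tokens of
# three or more characters. Sample inputs below are constructed.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $SamAccountName = '',
        [string]   $DisplayName    = '',
        [string[]] $History        = @(),   # previous passwords (cleartext here only for illustration)
        [int]      $MinLength      = 7,
        [int]      $HistoryLength  = 24
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinLength) {
        $reasons.Add("shorter than $MinLength characters")
    }

    # Complexity: at least three of the four classes named in the policy.
    # -cmatch is case-sensitive; plain -match is not, which is fine for digits/symbols.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $reasons.Add("only $classes of 4 character classes (need 3)")
    }

    # Account name and full-name tokens are compared case-insensitively.
    if ($SamAccountName -and ($Password -match [regex]::Escape($SamAccountName))) {
        $reasons.Add('contains the account name')
    }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -match [regex]::Escape($token)) {
            $reasons.Add("contains name token '$token'")
        }
    }

    # Password history: only the most recent $HistoryLength passwords block reuse.
    $recent = $History | Select-Object -Last $HistoryLength
    if ($recent -ccontains $Password) {
        $reasons.Add("reused within the last $HistoryLength passwords")
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample input: one hypothetical user, four candidate passwords.
$samples = @(
    @{ Password = 'Winter2009!'; Sam = 'jsmith'; Name = 'John Smith' }   # 11 chars, 4 classes
    @{ Password = 'password';    Sam = 'jsmith'; Name = 'John Smith' }   # 8 chars, 1 class
    @{ Password = 'Smith12345';  Sam = 'jsmith'; Name = 'John Smith' }   # contains a name token
    @{ Password = 'Abc123';      Sam = 'jsmith'; Name = 'John Smith' }   # 6 chars
)
$samples | ForEach-Object {
    Test-PasswordPolicy -Password $_.Password -SamAccountName $_.Sam `
        -DisplayName $_.Name -History @('Winter2008!')
} | Format-Table -AutoSize
```

The function is a pre-check for provisioning scripts or help-desk tooling; it does not replace the filter on the domain controller, which is the only place the policy is actually enforced.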
What controls the domain password policy?
Although Active Directory has been shipping for about nine years, many IT professionals still do not know how the password policy is controlled or how to modify it. The following are some facts about how Windows password policy works:
First, the Default Domain Policy GPO controls the password policy for every computer in the domain: the domain controllers, the member servers, and every domain-joined desktop. The Default Domain Policy is linked to the domain node, whose scope includes all computers in the domain.
Second, any GPO linked to the domain can be used to establish and control password policy settings. Among the GPOs linked at the domain level, the one with the highest precedence (the lowest link order) wins any conflict in password policy settings.
Third, a GPO linked to an Organizational Unit (OU) does not control the domain user accounts located in that OU. This is the most common mistake IT professionals make. Password policy settings are computer-based, not user-based, as figure 1 shows.
Fourth, a GPO linked to an OU does affect the local SAM of every computer in that OU: its password policy settings take precedence over those of the GPO linked to the domain, but only for the local user accounts stored in the local SAM of those computers.
Fifth, a GPO linked to the Domain Controllers OU does not control the domain user accounts stored in the Active Directory database on the domain controllers. The only way to change the password policy settings for domain user accounts is to link the GPO to the domain.
Sixth, most existing Windows Active Directory deployments still support LAN Manager (LM). LM is a very old authentication protocol; neither the protocol nor the LM password hash it relies on (which is stored to support that protocol) can be considered secure. Two GPO settings (which are actually registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) control whether LM authentication is accepted and whether the LM hash is stored: "Network security: LAN Manager authentication level" (LmCompatibilityLevel) and "Network security: Do not store LAN Manager hash value on next password change" (NoLMHash). These will be discussed in a following article.
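The practical consequence of facts three to five is that a member server can enforce one policy for its local SAM accounts and a different one for domain accounts. The following PowerShell script is an added example, not part of the original article: run on a domain-joined computer, it parses `net accounts` (the local SAM policy) and `net accounts /domain` (the policy the domain controller enforces for domain accounts) and shows them side by side. It assumes the English-language label strings printed by net.exe; those labels are an assumption about that output format.

```powershell
# Added example (not from the original article): compares the password policy
# the local SAM enforces with the one the domain controller enforces for domain
# accounts. Assumes English net.exe output; label strings are an assumption.
function Get-NetAccountsPolicy {
    param([switch] $Domain)
    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }
    $policy = @{}
    # Every settings line has the form "<label>:<spaces><value>".
    & net.exe @netArgs 2>&1 | ForEach-Object {
        if ("$_" -match '^(.+?):\s+(.*)$') {
            $policy[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $policy
}

function Compare-PasswordPolicies {
    $local  = Get-NetAccountsPolicy
    $domain = Get-NetAccountsPolicy -Domain
    $keys = @(
        'Minimum password length',
        'Maximum password age (days)',
        'Minimum password age (days)',
        'Length of password history maintained',
        'Lockout threshold'
    )
    foreach ($k in $keys) {
        [pscustomobject]@{
            Setting  = $k
            LocalSAM = $local[$k]
            Domain   = $domain[$k]
            Same     = ($local[$k] -eq $domain[$k])
        }
    }
}

Compare-PasswordPolicies | Format-Table -AutoSize
```

On a computer whose OU has a GPO with its own password policy, the LocalSAM column reflects that OU-linked GPO while the Domain column still reflects the domain-linked GPO, which is exactly the split described above. Where the ActiveDirectory module is available, `Get-ADDefaultDomainPasswordPolicy` returns the domain side of the comparison as typed properties instead of parsed text.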
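The two LM-related settings can be audited directly in the registry, since that is where the GPO writes them. The following PowerShell function is an added example, not code from the original article: it reads `NoLMHash` and `LmCompatibilityLevel` from the LSA key, reports what each value means, and, with `-Fix`, writes the hardened values. Treating an absent value as the weakest legacy behaviour is a deliberately conservative assumption in this example; the actual default for an absent value depends on the Windows version.

```powershell
# Added example (not from the original article): audits the registry values behind
# "Network security: Do not store LAN Manager hash value on next password change"
# (NoLMHash) and "Network security: LAN Manager authentication level"
# (LmCompatibilityLevel). Run in an elevated session; -Fix writes the hardened values.
function Test-LmSettings {
    param([switch] $Fix)
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $lsa

    # Conservative assumption: an absent value is treated as the weakest legacy
    # behaviour (LM hashes stored, LM and NTLM responses sent).
    $noLmHash = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }
    $lmLevel  = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }

    $result = [pscustomobject]@{
        NoLMHash             = $noLmHash
        StoresLmHash         = ($noLmHash -ne 1)   # only 1 stops LM hash storage
        LmCompatibilityLevel = $lmLevel
        SendsLmResponse      = ($lmLevel -lt 2)    # levels 0 and 1 still send LM responses
        SendsNtlmV1Response  = ($lmLevel -lt 3)    # level 3 and above send NTLMv2 only
        DcAcceptsLmAuth      = ($lmLevel -lt 4)    # level 4 refuses LM, level 5 refuses LM and NTLMv1
        Hardened             = ($noLmHash -eq 1 -and $lmLevel -ge 5)
    }

    if ($Fix) {
        Set-ItemProperty -Path $lsa -Name NoLMHash             -Type DWord -Value 1
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
    }
    return $result
}

Test-LmSettings
```

Two caveats apply when rolling this out. `NoLMHash` only affects hashes written at the next password change, so existing LM hashes stay in the SAM or Active Directory database until every user has changed their password. Raising `LmCompatibilityLevel` to 5 on domain controllers rejects LM and NTLMv1 from every client, so clients that cannot do NTLMv2 must be upgraded or retired first; setting the value through the GPO rather than on each machine keeps the change consistent across the domain.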
Summary
The default password policy settings of an Active Directory domain are not terrible, but they still need to be improved. The defaults are initially set and saved in the Default Domain Policy GPO, which is linked to the domain node. In Windows 2000 and Server 2003 domains there is only one password policy per domain, which means that all users (IT staff, developers, managers, human resources, and so on) are controlled by the same password policy; this is very insecure, because the accounts with the most privilege get the same protection as the least sensitive ones. (Domains at Windows Server 2008 functional level and later can add fine-grained password policies for specific groups and users, but the domain-linked GPO still supplies the default.) You can change the local SAM policy of servers and desktops by linking a GPO to the OU that contains their computer accounts, but those GPO settings control only the local user accounts, not the domain user accounts. LM is an old and insecure authentication protocol that should be disabled wherever possible.