Enforcing Strong Password Usage Throughout Your Organization

Introduction

Most users log on to their local computer and to remote computers by using a combination of their user name and a password typed at the keyboard. Although alternative technologies for authentication, such as biometrics, smartcards, and one-time passwords, are available for all popular operating systems, most organizations still rely on traditional passwords and will continue to do so for years to come. Therefore it is very important that organizations define and enforce password policies for their computers that include mandating the use of strong passwords. Strong passwords meet a number of requirements for complexity — including length and character categories — that make passwords more difficult for attackers to determine. Establishing strong password policies for your organization can help prevent attackers from impersonating users and can thereby help prevent the loss, exposure, or corruption of sensitive information. This document explains how to implement strong password policies on computers running the Microsoft® Windows® 2000, Windows XP, andWindows Server™ 2003 operating systems.

Depending on whether the computers in your organization are members of an Active Directory domain, stand-alone computers, or both, to implement strong password policies you will need to perform one or both of the following tasks:

•	Configure password policy settings in an Active Directory Domain.
•	Configure password policy settings on stand-alone computers.

Once you have configured the appropriate password policy settings, users in your organization will be able to create new passwords only if the passwords meet the length and complexity requirements for strong passwords, and users will not be able to immediately change their new passwords.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Top of page

Before You Begin

Before configuring password policies on the computers in your network, you need to identify what settings are relevant, determine what values you will use for those settings, and understand how Windows stores password policy configuration information.

Note: The Windows 95, Windows 98, and Windows Millennium Edition operating systems do not support advanced security features such as password policies. If your network includes stand-alone computers (computers that do not belong to a domain) running these operating systems, you will not be able to enforce password policies on them. If your network includes computers running these operating systems that are members of an Active Directory® directory service domain, you will be able to enforce password policies at the domain level only.

Identifying Settings Related to Password Policies

For Windows 2000, Windows XP, and Windows Server 2003 there are five settings you can configure that relate to password characteristics: Enforce password history, Maximum password age, Minimum password age, Minimum password length, and Passwords must meet complexity requirements. For help in determining values for these settings that match the business requirements of your organization, see "Selecting Secure Passwords" in the Security Guidance Kit.

•

Enforce password history determines the number of unique new passwords a user must use before an old password can be reused. The value of this setting can be between 0 and 24; if this value is set to 0, enforce password history is disabled. For most organizations, set this value to 24 passwords.

•

Maximum password age determines how many days a password can be used before the user is required to change it. The value of this between 0 and 999; if it is set to 0, passwords never expire. Setting this value too low can cause a frustration for your users; setting it too high or disabling it gives potential attackers more time to determine passwords. For most organizations, set this value to 42 days.

•

Minimum password age determines how many days a user must keep new passwords before they can change them. This setting is designed to work with the Enforce password history setting so that users cannot quickly reset their passwords the required number of times and then change back to their old passwords. The value of this setting can be between 0 and 999; if it is set to 0, users can immediately change new passwords. It is recommended that you set this value to 2 days.

•

Minimum password length determines how short passwords can be. Although Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 28 characters, the value of this setting can be only between 0 and 4 characters. If it is set to 0, users are allowed to have blank passwords, so you should not use a value of 0. It is recommended that you set this value to 8 characters.

•

Passwords must meet complexity requirements determines whether password complexity is enforced. If this setting is enabled, user passwords meet the following requirements:

•

The password is at least six characters long.

•

The password contains characters from at least three of the following five categories:

•	English uppercase characters (A – Z)
•	English lowercase characters (a – z)
•	Base 10 digits (0 – 9)
•	Non-alphanumeric (For example: !, $, #, or %)
•	Unicode characters

•

The password does not contain three or more characters from the user's account name.

If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected is too high. When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password; if it is present the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case insensitive.

These complexity requirements are enforced upon password change or creation of new passwords. It is recommended that you enable this setting.

Understanding How the Windows Operating System Stores Password Policy Configuration Information

Before you implement password policies in your organization, you need to understand a little about how password policy configuration information is stored in Windows 2000, Windows XP, and Windows Server 2003. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

Active Directory domains use Group Policy objects (GPOs) to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide setting including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU, and contains initial security settings for domain controllers.

It is a best practice to avoid modifying these built-in GPOs, if you need to apply password policy settings that diverge from the default settings, you should instead create a new GPO and link it to the root container for the domain or to the Domain Controllers OU and assign it a higher priority than the built-in GPO: If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

Top of page

Implementing Password Policy Settings Step-by-Step

This section provides the following step-by-step instructions for enhancing security by implementing password policy settings on the computers in your organization.

•	Configuring password policy settings in an Active Directory-based domain.
•	Configuring password policy settings on stand-alone computers.

Configuring Password Policy Settings in an Active Directory-Based Domain

Requirements

•

Credentials: You must be logged on as a member of the Domain Admins group.

•

Tools: Active Directory Users and Computers.

•

To implement password policy on computer systems that belong to an Active Directory domain

1.	Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2.	Right-click the root container for the domain: Note: Screen shots in this document reflect a test environment and the information might differ from the information displayed on your screen.
3.	Select Properties from the menu that appears:
4.	In the properties dialog box for your domain, click the Group Policy tab, and then click New to create a new Group Policy object in the root container. Type "Domain Policy" for the name of the new policy and then click Close. Note: Microsoft recommends that you create a new Group Policy object rather than editing the built-in one called Default Domain Policy because doing so makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy object until you isolate the settings that caused the problems.
5.	Right-click the root container for the domain, and then click Properties.
6.	In the properties dialog box, click the Group Policy tab, and then select Domain Policy.
7.	Click Up to move the new GPO to the top of the list, and then click Edit to open the Group Policy Object Editor for the GPO you just created.
8.	Under Computer Configuration, navigate to the Windows Settings\Security Settings\Account Policies\Password Policy folder.
9.	In the details pane, double-click Enforce password history, select the Define this policy setting check box, set the value of Keep password history to 24, and then click OK.
10.	In the details pane, double-click Maximum password age, select the Define this policy setting check box, set the value of Password will expire in to 42, click OK, and then click OK to close the Suggested Value Changes window that appears.
11.	In the details pane, double-click Minimum Password Age, select the Define this policy setting check box, set the value of Password can be changed after to 2, and then click OK.
12.	In the details pane, double-click Minimum Password Length, select the Define this policy setting check box, set the value of Password must be at least to 8, and then click OK.
13.	In the details pane, double-click Password must meet complexity requirements, select the Define this policy setting in the template check box, select Enabled, and then click OK.
14.	Close the Group Policy Object Editor, click OK to close your domain's properties dialog box, and then exit Active Directory Users and Computers.

Verifying New Settings

Use the following procedure to verify that the appropriate password policy settings are applied and effective in the Domain Policy GPO. Verifying the settings and their operation ensures that the correct password policies will be applied to all users in the domain.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Tools: Active Directory Users and Computers.

•

To verify password policy settings for an Active Directory domain

1.	Open Active Directory Users and Computers, right-click your domain, and then click Properties.
2.	In your properties dialog box for your domain, click the Group Policy tab, select the Domain Policy GPO, and then click Edit to open the Group Policy Object Editor.
3.	Under Computer Configuration, go to the Windows Settings\Security Settings\Account Policies\Password Policy folder, and verify that your settings match the settings shown here:
4.	Close the Group Policy Object Editor, click OK to close the properties dialog box for your domain, and then exit Active Directory Users and Computers.
5.	Verify that users cannot specify passwords that are shorter than 8 characters, that they cannot create non-complex passwords, and that they cannot immediately change their new passwords.

Configuring Password Policy Settings on Stand-Alone Computers

•	Credentials: You must be logged on as a member of the Administrators group.
•	Tools: Local Security Policy.

•

To implement password policy on computer systems that do not belong to an Active Directory domain

1.	Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
2.	Navigate to the Account Policies\Password Policy folder.
3.	In the details pane, double-click Enforce password history, set the value of Keep password history to 24, and then click OK.
4.	In the details pane, double-click Maximum password age, set the value of Password will expire in to 42, and then click OK.
5.	In the details pane, double-click Minimum Password Age, set the value of Password can be changed after to 2, and then click OK.
6.	In the details pane, double-click Minimum Password Length, set the value of Password must be at least to 8, and then click OK.
7.	In the details pane, double-click Password must meet complexity requirements, select Enabled, and then click OK.
8.	Close Local Security Policy.

Verifying New Settings

Use the following procedure to verify that the appropriate password policy settings are configured and effective for the stand-alone computers in your organization. Verifying the settings and their operation ensures that the correct password policies will be applied to these computers.

Requirements

•

Credentials: You must be logged on as a member of the Administrators group.

•

Tools: Local Security Policy.

•

To verify password policy settings for computer systems that do not belong to an Active Directory domain

1.	Open Local Security Policy, navigate to the Account Policies\Password Policy folder, and verify your settings match the settings shown here:
2.	Close Local Security Policy.
3.	Verify that users cannot specify passwords that are shorter than 8 characters, that they cannot create non-complex passwords, and that they cannot immediately change their new passwords.

Top of page

Related Information

For more information about password policies and password-related features in Windows see the following:

•	"Selecting Secure Passwords" in the Security Guidance Kit
•	Account Passwords and Policies on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22208

Top of page

Enforcing Strong Password Usage Throughout Your Organization

On This Page

Introduction

Before You Begin

Identifying Settings Related to Password Policies

Understanding How the Windows Operating System Stores Password Policy Configuration Information

Implementing Password Policy Settings Step-by-Step

Configuring Password Policy Settings in an Active Directory-Based Domain

Verifying New Settings

Configuring Password Policy Settings on Stand-Alone Computers

Verifying New Settings

Related Information