Lesson 1:?Configuring Account Policies
In Chapter 3, "Setting Up and Managing User Accounts," you learned about assigning user account passwords and how to unlock an account that was locked by the system. In this lesson, you learn how to improve the security of your user's passwords and how to control when the system locks out a user account.
After this lesson, you will be able to
- Configure Account Policies
Estimated lesson time: 40 minutes
Configuring Password Policy
Password Policy allows you to improve security on your computer by controlling how passwords are created and managed. You can specify the maximum length of time a password can be used before the user must change it. Changing passwords decreases the chances of an unauthorized person breaking into your computer. If an unauthorized user has discovered a user account and password combination for your computer, forcing users to change passwords regularly will cause the user account and password combination to eventually fail and lock the unauthorized user out of the system.
Other Password Policy options are available to improve a computer's security. For example, you can specify a minimum password length. The longer the password, the more difficult it is to discover. Another example is maintaining a history of the passwords used. This prevents a user from having two passwords and alternating between them.
You can configure Password Policy on a computer running Windows XP Professional by using the Group Policy snap-in. You use the Group Policy snap-in to configure Password Policy as follows:
- Click Start, and then click Run.
- Type mmc in the Open text box, and click OK to open an empty custom MMC console.
- On the File menu, click Add/Remove Snap-In, and then click Add.
- In the Add Standalone Snap-In dialog box, click Group Policy and then click Add.
The Select Group Policy Object dialog box appears, allowing you to point the Group Policy snap-in at the local computer or at a remote computer. The Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line check box allows you to configure the MMC so that you can decide which computer to use Group Policy on when you start the MMC.
- Click Finish to leave Group Policy with its focus on the Local Computer, the default setting, and click Close to exit the Add Standalone Snap-In dialog box.
- In the Add/Remove Snap-In dialog box, click OK, and save the console with Local Group Policy.
- Expand Local Computer Policy, under Computer Configuration expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
- Select the settings you want to configure, and then on the Action menu, click Properties.
The console displays the current Password Policy settings in the details pane, as shown in Figure 13.1.
Figure 13.1??The Group Policy snap-in displaying Password Policy settings
Table 13.1 explains the available Password Policy settings.
Table 13.1??Password Policy Settings
The MMC Console displays the properties dialog box for the selected setting. Figure 13.2 shows the properties dialog box for the Maximum Password Age setting.
Figure 13.2??The Maximum Password Age Properties dialog box
By carefully planning and configuring your Password Policy settings you can improve the security of your computer by decreasing the chances of an unauthorized user gaining access to it.
Configuring Account Lockout Policy
The Account Lockout Policy settings also allow you to improve the security on your computer. If no account lockout policy is in place, an unauthorized user can repeatedly try to break into your computer. If, however, you have set an account lockout policy, the system locks out the user account under the conditions you specify in Account Lockout Policy.
You access the Account Lockout Policy settings using the Group Policy snap-in, just as you did to configure the Password Policy settings. The console displaying the current Account Lockout Policy settings in the details pane is shown in Figure 13.3.
Figure 13.3??The Group Policy snap-in displaying the Account Lockout Policy settings
Table 13.2 explains the settings available in Account Lockout Policy.
Table 13.2??Account Lockout Policy Settings
Practice:?Configuring Account Policy
In this practice you configure the Account Policy settings for your computer and then test them to make sure you set them correctly.
Run the AccountPolicy file in the Demos folder on the CD-ROM accompanying this book for a demonstration of configuring account policy.
Exercise 1: Configuring Minimum Password Length
In this exercise, you use the custom MMC console containing the Group Policy snap-in you created in Chapter 12, "Auditing Resources and Events," and saved with the name Local Group Policy. You use it to configure the minimum password length, one of the Account Policy settings for your computer. You then test the minimum password length to confirm it was correctly configured.
To configure the minimum password length
- Log on as Fred or with an account that is a member of the Administrators group.
- Click Start, click Run, type mmc in the Open text box, and click OK to open the MMC console.
- On the File menu, click Local Group Policy.
The MMC console opens the Local Group Policy console you created in Chapter 12, "Auditing Resources and Events." If you have not created the Local Group Policy console, see the first practice in that chapter for the steps to create it.
- In the Local Group Policy console, expand Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\and then Account Policies.
Account Policies has two nodes: Password Policy and Account Lockout Policy.
- In the console tree, click Password Policy.
- In the details pane, right-click Minimum Password Length and then click Properties.
Windows XP Professional displays the Minimum Password Length Properties dialog box.
- In the Password Must Be At Least text box, type 8 to set the minimum password length to eight characters, and then click OK.
- Click File and then click Exit to close the MMC console.
- When prompted to Save Console Settings To Local Group Policy, click No.
To test minimum password length
- Click Start and then click Control Panel.
- Click User Accounts and then click Create A New Account.
- In the Type A Name For The New Account text box, type User13 and then click Next.
- Click Limited and then click Create Account.
- Click User13 and then click Change The Password.
- In the Type A New Password and the Type The New Password Again To Confirm text boxes, type water.
- Click Change Password.
A User Accounts message box appears, indicating that your new password does not meet the password policy requirements. This test proves that you correctly configured the minimum password length account policy to eight characters.
- Click OK to close the User Accounts message box.
- Click Cancel to close the Change User13's Password window.
- Close the What Do You Want To Change About User13's Account window, and then close Control Panel.
Exercise 2: Configuring and Testing Additional Account Policy Settings
In this exercise, you configure and test some additional Account Policy settings.
To configure Account Policy settings
- Use the Local Group Policy custom MMC console you created to configure the following Account Policy settings:
- A user should have at least five different passwords before using a previously used password.
- After changing a password, a user must wait 24 hours before he or she can change it again.
- A user should change his or her password every 3 weeks.
What settings did you use for each of the three listed items?
- Close the Local Group Policy custom MMC console.
To test Account Policy settings
- Log on as User13 with no password.
Windows XP Professional displays a Logon Message message box indicating that you must change your password at first logon.
- Click OK to close the message box.
- Press Tab to move to the New Password text box and leave the Old Password text box blank.
- In the New Password and Confirm New Password text boxes, type hotwater and then click OK.
Windows XP Professional displays a Change Password message box indicating that your password was successfully changed.
- Click OK to close the Change Password message box.
- Click Start and then click Control Panel.
- Click User Accounts and then click Change My Password.
- In the Type Your Current Password text box, type hotwater.
- In the Type A New Password and Type The New Password Again To Confirm text boxes, type chocolate.
- Click Change Password.
Were you successful? Why or why not?
- Close any open message boxes and windows and log off.
Exercise 3: Configuring Account Lockout Policy
In this exercise, you configure Account Lockout Policy settings and then test them to make sure they are set up correctly.
To configure Account Lockout Policy settings
- Log on to your computer as Fred or with a user account that is a member of the Administrators group.
- Click Start and click Run.
- In the Open text box, type mmc, and then press Enter.
- Open the Local Group Policy custom MMC console you created.
- In the Local Group Policy console tree, double-click Account Policies.
- Click Account Lockout Policy.
- Use Account Lockout Policy settings to do the following:
- Lock out a user account after four failed logon attempts.
- Lock out user accounts until an administrator unlocks the user account.
If a Suggested Value Changes dialog box appears, click OK and then verify that your settings are correct.
What Account Lockout Policy settings did you use for each of the two conditions?
- Log off Windows XP Professional.
To test Account Lockout Policy settings
- Try to log on as User13 with a password of chocolate four times.
- Try to log on as User13 with a password of chocolate again and a dialog box appears, indicating that the account is locked out.
- Click OK and then log on as Fred or as a user that is a member of the Administrators group.
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."
- What tool does Microsoft Windows XP Professional provide for you to configure Password Policy?
- What is the range of values Windows XP Professional allows you to set for the Enforce Password History setting and what do those values mean?
- The range of values Windows XP Professional allows you to set for the Maximum Password Age setting is ______ to ______ days. The default value is ______ days.
- Which of the following selections are requirements for a password if the Passwords Must Meet Complexity Requirements setting is enabled? (Choose all that apply.)
- All passwords must exceed the specified minimum password length.
- All passwords must comply with the password history settings.
- No passwords can contain capitals or punctuation.
- No passwords can contain the user's account or full name.
- What is Account Lockout Duration and what is the range of values?
- The Group Policy snap-in allows you to improve the security on your computer by making it more difficult for an unauthorized user to gain access.
- Password Policy allows you to manage the passwords used on your computer. For example, you can force users to change passwords on a regular basis and you can control the minimum length of a password.
- The Enforce Password History setting allows you to set the number of passwords to be kept in a password history. The default value of 0 indicates that no password history is being kept.
- If the Passwords Must Meet Complexity Requirements setting is enabled, all passwords must meet or exceed the specified minimum password length; must comply with the password history settings; must contain capitals, numerals, or punctuation; and cannot contain the user's account or full name.
- Account Lockout Policy allows you determine the number of invalid logon attempts before a user account is locked out of the computer.