Copyright notice: All information on this page is based on the recommendations made in the "Microsoft Windows Server 2003 Security Guide" at http://go.microsoft.com/fwlink/?LinkId=14845
Password Policy Settings
The following table includes the password policy setting recommendations for all three environments that are defined in this guide. You can configure the password policy settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Additional information for each setting is provided in the subsections that follow the table.
| Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
|---|---|---|---|
| Enforce password history | 24 passwords remembered | 24 passwords remembered | 24 passwords remembered |
| Maximum password age | 42 days | 42 days | 42 days |
| Minimum password age | 1 day | 1 day | 1 day |
| Minimum password length | 8 characters | 8 characters | 12 characters |
| Password must meet complexity requirements | Enabled | Enabled | Enabled |
| Store password using reversible encryption | Disabled | Disabled | Disabled |
Account Lockout Policy Settings
The following table summarizes the recommended account lockout policy settings. You can use the Group Policy Object Editor to configure these settings in the Domain Group Policy at the following location:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Additional information for each setting is provided in the subsections that follow the table.
| Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
|---|---|---|---|
| Account lockout duration | 30 minutes | 30 minutes | 15 minutes |
| Account lockout threshold | 50 invalid login attempts | 50 invalid login attempts | 10 invalid login attempts |
| Reset account lockout counter after | 30 minutes | 30 minutes | 15 minutes |
Kerberos Policies
Kerberos policies apply to domain user accounts. They determine settings that relate to the Kerberos version 5 authentication protocol, such as ticket lifetimes and enforcement, and they do not exist in the local computer policy. Reducing the lifetime of Kerberos tickets decreases the risk that an attacker who steals passwords can use them to impersonate legitimate user accounts; however, maintaining these policies increases the authorization overhead.
In most environments, the default values for these policies should not be changed.
Security Options Settings
The three types of account policies discussed earlier in this chapter are defined at the domain level and are enforced by all of the domain controllers in the domain. A domain controller always obtains the account policy from the Default Domain Policy GPO, even if a different account policy is applied to the OU that contains the domain controller.
There are three security options settings that are similar to account policies. You should apply these settings at the level of the entire domain and not within individual OUs. You can configure these settings in the Group Policy Object Editor at the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The following table summarizes the recommended security options settings.
| Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
|---|---|---|---|
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled |
| Network Access: Allow anonymous SID/NAME translation | Disabled | Disabled | Disabled |
| Network Security: Force Logoff when Logon Hours expire | Enabled | Enabled | Enabled |
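The password policy, account lockout policy and security options tables above describe the target values, but they do not say how to confirm that a domain or server actually carries them. The following Python script is an added example, not part of the guide and not Microsoft's code: it parses the INI-style file that `secedit /export /cfg <file>` writes and reports every setting that deviates from the recommendation for a chosen environment. The secedit key names (`PasswordHistorySize`, `LockoutBadCount`, `LSAAnonymousNameLookup`, the `EnableForcedLogOff` registry value and so on) are the ones a real export uses; the sample export embedded in the script is constructed for illustration, and the environment names are spelled with a plain hyphen in the code.

```python
"""Compare a secedit export against the Server 2003 Security Guide account-policy baselines.

Added example (not the guide's own tooling). Assumes the export was produced by
`secedit /export /cfg policy.inf`; real exports are UTF-16 text, so open them with
encoding="utf-16". The sample below is constructed inline so the script runs offline.
"""
import configparser

# Values shared by the Legacy Client and Enterprise Client columns.
# Ages are in days, durations in minutes; 1/0 stand for Enabled/Disabled.
_COMMON = {
    "PasswordHistorySize": 24,       # Enforce password history
    "MaximumPasswordAge": 42,        # Maximum password age (days)
    "MinimumPasswordAge": 1,         # Minimum password age (days)
    "MinimumPasswordLength": 8,      # Minimum password length (characters)
    "PasswordComplexity": 1,         # Password must meet complexity requirements
    "ClearTextPassword": 0,          # Store password using reversible encryption
    "LockoutDuration": 30,           # Account lockout duration (minutes)
    "LockoutBadCount": 50,           # Account lockout threshold (invalid attempts)
    "ResetLockoutCount": 30,         # Reset account lockout counter after (minutes)
    "LSAAnonymousNameLookup": 0,     # Network access: Allow anonymous SID/Name translation
    "ForceLogoffWhenHourExpire": 1,  # Network security: Force logoff when logon hours expire
    "EnableForcedLogOff": 1,         # Microsoft network server: Disconnect clients when logon hours expire
}

BASELINES = {
    "Legacy Client": dict(_COMMON),
    "Enterprise Client": dict(_COMMON),
    "Specialized Security - Limited Functionality": {
        **_COMMON,
        "MinimumPasswordLength": 12,
        "LockoutDuration": 15,
        "LockoutBadCount": 10,
        "ResetLockoutCount": 15,
    },
}

# The SMB-server option lives under [Registry Values], not [System Access];
# secedit writes it as "<type>,<data>" where type 4 is REG_DWORD.
_FORCED_LOGOFF_KEY = (
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff"
)

# Constructed sample export: matches the Enterprise Client column exactly.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 50
ResetLockoutCount = 30
LockoutDuration = 30
ForceLogoffWhenHourExpire = 1
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableForcedLogOff=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit(text):
    """Return a flat {setting: value} dict from the text of a secedit export."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so names match BASELINES
    cp.read_string(text)
    settings = {}
    if cp.has_section("System Access"):
        for key, value in cp.items("System Access"):
            value = value.strip()
            settings[key] = int(value) if value.lstrip("-").isdigit() else value.strip('"')
    if cp.has_option("Registry Values", _FORCED_LOGOFF_KEY):
        reg_type, data = cp.get("Registry Values", _FORCED_LOGOFF_KEY).split(",", 1)
        if reg_type.strip() == "4":  # REG_DWORD
            settings["EnableForcedLogOff"] = int(data)
    return settings


def check_baseline(settings, environment):
    """Return [(setting, expected, actual)] for each recommendation the export fails.

    A setting missing from the export is reported with actual=None rather than
    silently treated as compliant.
    """
    findings = []
    for key, expected in BASELINES[environment].items():
        actual = settings.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    parsed = parse_secedit(SAMPLE_EXPORT)
    for env in BASELINES:
        findings = check_baseline(parsed, env)
        print(f"{env}: {'compliant' if not findings else f'{len(findings)} deviation(s)'}")
        for key, expected, actual in findings:
            print(f"  {key}: expected {expected}, found {actual}")
```

Because the baseline is a plain dictionary, the same checker can be pointed at a different column of the tables (or an organisation's own variant) without touching the parser; missing keys surface as `None` so an export that omits a setting is flagged rather than passed.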