Setting default domain password policy

 

Every domain environment needs a default domain password policy.

You have it, am I right?

Even if you don’t know, default password policy is available in your domain. By default, you will find all its settings within “Default Domain Policy“. This policy is applied at domain level.

Default Domain Policy

Default Domain Policy

To start with domain password policy, please read the article I published some time ago: Domain Password Policy

The question is: did you review password policy settings and considered password requirements for your environment?

Or just like the most administrators: “Hey, I was hired to this company much more later when password policy was in-place. I did not need to touch it!

Oh really?! Do you know that you (as a domain administrator) are responsible for password security? Yes, you are! So, let’s take closer look at those settings and what you can configure as reasonable default password policy.

Β Default password settings

When you deploy new domain, you don’t have to configure password policy from the scratch. There are default values set up.

Default password settings

Default password settings

Of course, password settings should be adjusted to your company needs. Leaving the defaults might not be appropriate and I would strongly recommend to do that.

Let’s see what we can configure there. You will find password policies in two nodes under

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies

These nodes are:

  • Password Policy
  • Account Lockout Policy

In Password Policy node you can configure:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

and in Account Lockout Policy node are these options:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

Above options are responsible for building good password policy – default domain password policy.

Let’s see what they mean and what you can set up there.

Password Policy settings

This is really important node where you can define how the password would be built and how much secure it is. You need to remember that you are setting default password policy for your domain. All those settings will be applied to every domain account.

Password Policy settings

Password Policy settings

Remember! Users may complain about password setting but only then if you will force them to use very long passwords and if it will expire to often.

Enforce password history

To start building password policy you need to consider how many unique passwords user must set, before it would be possible to go back and use the oldest one.

For that “Enforce password history” setting is responsible. You need to define value, how many unique passwords are required to be set by user, before allowing him to use previous passwords.

Enforce password history explanation

Enforce password history explanation

Allowed value is between 0 (no password history) and 24 (maximum)

For default domain password policy I would suggest to set value of 10.

Changed enforce password history setting

Changed enforce password history setting

This is quite secure and allow much more simple calculation for other setting showed a little bit later in this article.

In this case, the setting means that user must set 10 unique passwords before he can go back and use first from the previous list of passwords.

There is slight chance that user would not reuse his passwords πŸ™‚

Maximum password age

Another important setting in the policy is how often users must change their password.

Maximum password age explanation

Maximum password age explanation

Maximum password age value must be between 0 and 998 days.

Setting value of 0 causes that password expires every 0 days! That means in reality – password never expires

You definitively should avoid of using this value in productive environments! Especially that this is not easy to find out, because password never expires flag is not modified and you cannot see this directly in Active Directory Users and Computers console. Password never expires checkbox is NOTΒ selected then!

Note! Good practice shows that password should be changed in range of 30 – 90 days.

When you set this value up too short, users would complain that they have to change password too often. This might cause a problem with “yellow sticks” around computer where users write their passwords!

For default domain password policy 90 days look reasonable and users are not complaining too much.

Maximum password age setting

Maximum password age setting

I would recommend of setting this value for the maximum password age. Password change once per 3 months is acceptable and no one should complain.

Minimum password age

This is really important setting and as I can see many administrators are afraid of setting this value to custom time.

Information! Minimum password age policy is responsible for controlling how often user is allowed to change the password.

Mostly, in the environments I see one of these two values:

  • 0 days
  • 1 day

By the default, you can find 1 day as minimum password age setting.

This means that user can change the password and in if he wants to do that again, he needs to wait 1 day before it would be possible again.

Minimum password age explanation

Minimum password age explanation

OK, but what’s wrong in this setting?

User is allowed to change the password once per day. That means, user can repeat this procedure every day to go back to his first (favourite) password.

At current stage, you defined 10 unique passwords, so after 10 days, user would be able to reuse his previous password again and use it for the next 80 days until system will force its change!

The situation looks even worse if the setting contains 0 days as a value.

There is no restriction to password change time limit for user! This means, user can simply go back to the previous password within the same day!

Setting strength options in other policies does not make sense as you can see, user would be able to have always the same password, all the time.

That’s why this setting is really important!

So, how should I set up this value?

I was wondering how to adjust this value in different environments and I figured it out.

I invented a formula to calculate appropriate value. Because password policies vary in every environment, I needed some common way to achieve this.

To simply calculate this value I used:

  • Enforce password history count
  • Maximum password age
Minumum password age formula

Minumum password age formula

This is really secure and reasonable value. You may be sure that user would not be able to reuse the first password during one password life cycle.

Hey, but users start complaining that they cannot change password on demand!

No, they would not! Believe me πŸ™‚

The number of regular users, who are changing their passwords before forced by the system, is less than 1% in every environment.

Even administrator would not do that themselves πŸ˜€

Besides, they are allowed to change their password, but not every day.

That would help you to find out what is going on in your domain when some users will call IT department or HelpDesk too frequenty and request password change. Maybe an account is shared between other users? πŸ™‚

Relying on this formula Minimum password age value is 10 days

Minimum password age

Minimum password age

and put calculated minimum password age into policy

Minimum password age setting

Minimum password age setting

Minimum password length

Ok, password life cycle is defined but we need to set up its length. You know that above settings would be nothing if you allow to use too simple password, rigth?

The setting should be chose wisely as enforcing users to set very long password might cause an issue with forgoten passwords or account lockouts. Sometimes it might be worse, they would use “yellow sticks” where password is written.

Possible values for this setting are between 1 and 14 characters.

Minimum password length explanation

Minimum password length explanation

When you set this up to 0 characters then password would not be required. Of course this is strongly not recommended!

Setting it between 8 -12 charactes is good enough and no one should complain.

Minimum password length setting

Minimum password length setting

Password must meet complexity requirements

Another important password policy setting.

If you do not use this option, your password policy would be weak.

Thanks to this setting you have to use 3 types of different characters out of 4 groups:

  • uppercase characters [A – Z]
  • lowercase characters [a – z ]
  • digits [0 – 9]
  • special characters [!@#$%^&*()-=_+]

This policy may be enabled or disabled. When it’s enabled, password is much more secure and of course I would recommend to have it enabled.

Password must meet complexity requirements explanation

Password must meet complexity requirements explanation

Store passwords using reversible encryption

That setting should never be enabled in default domain password policy unless you really need it and you have Windows Server 2000/2003 Domain Functional Level where Fine-Grained Password Policies are unavailable.

Enabling this setting causes that password is unsafe as it is stored like it would be saved in plain text!

Store passwords using reversible encryption explanation

Store passwords using reversible encryption explanation

That’s all about defined password policy strength.

Now it’s time to configure policies responisble for account lockout behavior.

Account Lockout Policy settings

Policies located under this node are responsible for locking account if user types password incorrectly few times in a row.

By default, they are unconfigured and account is not locking at all!

So, if this is not configured should I take care of it? If you are asking me – yes, always!

This should be configured in every domain environment. Even if you think that it is not necessary, turn it on.

Just set up Account lockout threshold value to something really high like 50. That’s quite enough failed logon attempts for users and still prevents infinite password guess by hackers or other dangerous stuff.

Let’s take a look at those policies and try to configure them reasonably.

Account lockout threshold

As mentioned above, if you think that you do not need this policy, turn it on and specify high number like 50 attempts

That’s quite enough failed logon attempts for users and still prevents infitite password guess by hackers or other dangerous stuff.

Account lockout threshold explanation

Account lockout threshold explanation

In other case when you would like to implement this feature in your environment, please follow below formula

Account lockout threshold formula

Account lockout threshold formula

This would allow your users to check every password used in the past and gives them extra 2 tries if some typo would appear in the password box. After that they will call IT or HelpDesk team πŸ™‚

Based on that formula, current value is 12 failed logon attempts before account is locked out

Account lockout threshold value

Account lockout threshold value

Just set this up in the policy and 2 other option would activate

Account lockout threshold setting

Account lockout threshold setting

When you apply changes, another windows with 2 other settings appear filled with deafult values

Account lockout options

Account lockout options

Account lockout duration

Account lockout duration policy is responsible for locking a domain account for specified duration of time. When failed attempt logon count is reached, this policy locks temporarily the account.

When specified time passes, the account is unlocked and user may try to logon again using his credentials. To logon sooner, user needs to contact with IT or HelpDesk department and request manual account unlock.

Account lockout duration time explanation

Account lockout duration time explanation

Default value for this policy is reasonable. 30 minutes of account lockout is acceptable, after that time user is able to try to logon again.

If you need much more control when account is locked out, set up 0 as a value. Then account must be always unlocked by administrator.

Reset account lockout counter after

This setting must be less or equal to Account lockout duration time. It defines after what time failed logon attempt is reset and user may try to logon once again.

The setting gives user one more chance and if password is provided inproperly, account is locked out again for time specified in Accout lockout duration policy.

Reset account lockout counter after explanation

Reset account lockout counter after explanation

I would strongly recommend leaving the value with the same time as in Account lockout duration. Then users would not try to experiment with their password and do not extend lockout period.

When you implement all those setting in your password policy, take a look at its summary

New password policy summary

New password policy summary

it looks much better and much more secure than the deafult one and maybe better than your previous policy πŸ™‚

Now, you need to only refresh password policy on your Domain Controllers and test if it is working fine for the next password change.

On Windows Server 2003, 2008 and 2008R2 open command line and type

gpudate /force
gpupdate /force

gpupdate /force

to start refreshing group policies

GPOs refreshed

GPOs refreshed

On Windows Server 2012 and 2012R2 use PowerShell cmd-let for that

Invoke-GPUpdate
Invoke-GPUpdate cmd-let

Invoke-GPUpdate cmd-let

to get the same result as above.

And that’s all. Your default domain password policy is wisely implemented.

If you wish to deploy other password policies for other group of users and you have at least Windows Server 2008 Domain Functional Level please read these articles on my blog how to do that.

Fine-Grained Password Policy in Windows Server 2008/2008R2

Fine-Grained Password Policy in Windows Server 2012/2012R2

Author: Krzysztof Pytko

Facebooktwittergoogle_plusredditpinterestlinkedinmail

3 responses to “Setting default domain password policy”

  1. pregunton says :

    How can I get those values and modified programmatically using C# and System.DirectoryServices.AccountManagement ?

     
    • iSiek says :

      Unfortunately, I cannot help you because I’m not a programmer, sorry.

      Regards,
      Krzysztof

       

Trackbacks / Pingbacks

  1. Best practices for securing Active Directory - 4sysops - October 2, 2015

Leave a Reply

Your email address will not be published. Required fields are marked *