- Microsoft Exam MD:100 Windows 10 Certification Guide
- Jeroen Burgerhout
- 2021-06-30 14:48:08
Implementing account policies
In the previous section, you learned how to open the Local Security Editor to configure Local Policies for the user or computer. In the same editor, you can also configure Account Policies.
Important Note
These policies only work for local accounts and not for Microsoft accounts.
With the Account Policies, you can configure policies such as password policies and account lockout policies.
Configuring a Password Policy
If you want to ensure that all users on a local device use secure passwords and change them on a regular schedule, you can configure a Password Policy. Follow the next steps to configure a Password Policy:
- Click Start and type Secpol.msc.
- Click on Local Security Policy.
- In the Local Security Policy window, click on the Account Policies | Password Policy tab:
- We first double-click on Enforce password history.
- Change the value to the number of unique passwords that must be used before a user can reuse an old password, and click OK:
- Then, we go back to the Local Security Policy window and click on the Account Policies | Password Policy tab.
- Double-click on Maximum password age.
- The default setting is 42 days. This means that users are required to change their password after 42 days. The best practice for this setting is a value between 30 and 90 days. After you change this setting, click OK:
- We again go back to the Local Security Policy window and then click on the Account Policies | Password Policy tab.
- Double-click on Minimum password age.
- The default setting is 0 days. This means that users can change their passwords whenever they want, which also lets them cycle through new passwords in quick succession to get back to an old one, defeating Enforce password history. My advice here is to change this setting to, for example, 7 days. After you change this setting, click OK:
- We again go back to the Local Security Policy window and click on the Account Policies | Password Policy tab.
- Double-click on Minimum password length.
- The default setting is 0 characters. To require a more secure password length, change this setting to 8 characters and click OK:
- Going back again to the Local Security Policy window, click on the Account Policies | Password Policy tab.
- Double-click on Password must meet complexity requirements.
- Change this setting to Enabled to meet the complexity requirements and click OK:
- We again go back to the Local Security Policy window and click on the Account Policies | Password Policy tab.
- The last setting you can configure is the Store passwords using reversible encryption setting. By default, this setting is Disabled. If you enable this setting, all passwords are stored in what is essentially plaintext so that applications which need the actual password can read it. The same property makes them vulnerable to anyone who gains access to the password store, so leave this setting Disabled unless an application explicitly requires it:
If you followed the previously mentioned steps to configure the Password Policy, then your policy editor window should look like the following screenshot:
These settings are applied immediately, but users who are already logged on can continue using their existing passwords. The next time a user needs to change their password, the new password must comply with the settings you have configured in the Password Policy.
If the Password must meet complexity requirements policy is Enabled, passwords must meet the following minimum requirements:
- They should not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- They should be at least six characters in length.
- They should contain characters from at least three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), base 10 digits (0 through 9), and non-alphabetic characters (for example, !, $, #, %).
- Complexity requirements are enforced when passwords are changed or created.
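The four rules above can be checked before a password is submitted, for example in a helpdesk script. The following PowerShell function is an added example written for this section, not code from the book or from Windows: the name check approximates the documented rule (the account name, plus the full name split on spaces and punctuation into parts of three or more characters, compared case-insensitively), and the user `jdoe` / `Jane Doe` and the candidate passwords are constructed sample input.

```powershell
# Added example: approximate check for "Password must meet complexity requirements".
# Not the exact algorithm inside Windows; the name-part rule is an assumption based on
# the documented behaviour (tokens of 3+ characters from the full name, plus the account name).
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',
        [string]$FullName = ''
    )
    $failures = New-Object System.Collections.Generic.List[string]

    # Rule 1: must not contain the account name or a 3+ character part of the full name.
    $tokens = @()
    if ($AccountName) { $tokens += $AccountName }
    $tokens += @(($FullName -split '[ ,.\-_#\t]+') | Where-Object { $_.Length -ge 3 })
    foreach ($t in $tokens) {
        if ($Password.ToLowerInvariant().Contains($t.ToLowerInvariant())) {
            $failures.Add("contains name part '$t'")
            break
        }
    }

    # Rule 2: at least six characters (the GUI minimum length setting may demand more).
    if ($Password.Length -lt 6) { $failures.Add('shorter than 6 characters') }

    # Rule 3: characters from at least three of the four categories.
    # -cmatch is case-sensitive; plain -match is not, so it cannot tell upper from lower.
    $categories = 0
    if ($Password -cmatch '[A-Z]')      { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')      { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')      { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ } # non-alphanumeric
    if ($categories -lt 3) { $failures.Add("only $categories of 4 character categories") }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Reasons   = ($failures -join '; ')
    }
}

# Constructed sample inputs for a hypothetical local user "jdoe" (Jane Doe).
foreach ($candidate in 'Summer2021!', 'password', 'JaneDoe1!', 'Ab1!') {
    Test-PasswordComplexity -Password $candidate -AccountName 'jdoe' -FullName 'Jane Doe'
}
```

Only the first candidate passes; the others fail on character categories, the name-part rule and length respectively.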
In the previous steps, you have successfully configured a Password Policy. In the next section, you will learn to configure the Account Lockout Policy.
Configuring the Account Lockout Policy
When you implement a secure Password Policy, it is recommended to configure an Account Lockout Policy as well. An Account Lockout Policy is used by administrators to lock an account after several failed login attempts. This makes it much harder for a malicious user to guess a password by repeated attempts. You can configure Windows devices to respond to this type of potential attack by disabling the account for some time.
Follow the next steps to configure an Account Lockout Policy:
- Click Start and type Secpol.msc.
- Click on Local Security Policy.
- In the Local Security Policy window, click on the Account Policies | Account Lockout Policy tab.
- Double-click on Account lockout threshold.
- Fill in a value, for example, 4, and press OK. A very low threshold makes it easy to lock out legitimate users after a few typos, so choose a value that tolerates ordinary mistakes:
- When the previous steps are completed, Windows 10 suggests values for the two other settings: Account Lockout Duration and Reset account lockout counter after.
Account Lockout Duration determines the number of minutes that a locked-out account remains locked out for before automatically becoming unlocked.
Reset account lockout counter after determines the number of minutes that must elapse after a failed login attempt occurs before the failed login attempt counter is reset to 0 bad login attempts.
The following screenshot shows you the Suggested Value Changes window:
- Click OK to close the Suggested Value Changes window.
- Now that the other two settings have the suggested values, the Account Lockout Policy looks something like the next screenshot:
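Rather than eyeballing the two policy screens, the settings from both procedures above (the Password Policy and the Account Lockout Policy) can be exported and compared against the values this section recommends. The following PowerShell script is an added example, not code from the book; it assumes an elevated prompt on Windows 10, that `secedit.exe /export` writes the [System Access] keys named in `$Expected`, and it uses the chapter's own thresholds (8 characters, 30 to 90 days maximum age, 7 days minimum age, history and lockout threshold set, reversible encryption disabled).

```powershell
# Added example: audit the local Account Policies against this section's recommendations.
# Assumption: the INF produced by secedit /export contains these [System Access] keys.
$Expected = [ordered]@{
    PasswordHistorySize   = @{ Min = 1;          Label = 'Enforce password history' }
    MaximumPasswordAge    = @{ Min = 30; Max = 90; Label = 'Maximum password age (days)' }
    MinimumPasswordAge    = @{ Min = 7;          Label = 'Minimum password age (days)' }
    MinimumPasswordLength = @{ Min = 8;          Label = 'Minimum password length' }
    PasswordComplexity    = @{ Min = 1;  Max = 1;  Label = 'Password must meet complexity requirements' }
    ClearTextPassword     = @{ Min = 0;  Max = 0;  Label = 'Store passwords using reversible encryption' }
    LockoutBadCount       = @{ Min = 1;          Label = 'Account lockout threshold' }
    LockoutDuration       = @{ Min = 1;          Label = 'Account lockout duration (minutes)' }
    ResetLockoutCount     = @{ Min = 1;          Label = 'Reset account lockout counter after (minutes)' }
}

function Get-LocalAccountPolicy {
    # Export the local security policy to a temporary INF and parse the [System Access] section.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-LocalAccountPolicy {
    param([hashtable]$Policy = (Get-LocalAccountPolicy))
    foreach ($key in $Expected.Keys) {
        $rule  = $Expected[$key]
        $value = $Policy[$key]          # $null when the key is absent (e.g. lockout never set)
        $ok = ($null -ne $value) -and ($value -ge $rule.Min)
        if ($ok -and $rule.ContainsKey('Max')) { $ok = $value -le $rule.Max }
        # -1 (never expires / locked until an administrator unlocks) is deliberately flagged
        # as REVIEW so that it is confirmed by a person rather than silently accepted.
        $status = if ($ok) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Setting = $rule.Label; Value = $value; Status = $status }
    }
}

Test-LocalAccountPolicy | Format-Table -AutoSize
```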
In this section, you learned how to configure a Password Policy and an Account Lockout Policy. In the next section, we will learn how we can troubleshoot group policies.