As previously underscored, passwords represent one of the most basic areas of potential security vulnerability. Because password policies can minimize abuses, we highly recommend establishing them.
Domain Password Policies
Password lockdown is accomplished differently when working with domains and local system accounts. Password and account lockout policies should reflect the settings within the securews.inf (for secure workstations) and securedc.inf (for domain controllers) templates. Security templates are used to establish a standard set of policies that can be repeatedly used. For a quick visual inspection, the Security Template snap-in and Default Domain Policy snap-in can be used to rapidly compare template settings against those currently utilized, but a more in-depth comparison can be achieved with the Security Configuration and Analysis snap-in.
Password Lockout Policies
Password lockout policies minimize a hacker's ability to repeatedly attempt to discover a logon name and password. They should be liberal enough to permit a user with "sloppy" typing skills to make several attempts at a successful logon, but sufficiently tight to frustrate an attacker. There are three lockout policies:
Account Lockout Duration. This establishes the period of time the lockout will be enforced, after which the system is unlocked and new logon attempts will be recognized. A reasonable time is typically 30 minutes.
Account Lockout Threshold. This establishes the number of unsuccessful logon attempts that will be permitted prior to a lockout. Although there will always be an authorized user who will repeatedly fail, five attempts is a reasonable number.
Reset Lockout Counter. This resets the lockout attempt counter in the period designated. Again, 30 minutes is reasonable.
Determining Who Sets a Password
Windows 2000 configuration allows passwords to be established by either the end user or the system administrator. The system administrator typically selects the password when it is likely that the user's choice will be a weak one or if the sophistication of the end user may be minimal. The biggest problem with this scenario is that the system administrator is likely to create a password that is very difficult to remember, inclining the end user to write it down for easy reference. Although the intent is to strengthen security, the moment a password is written down, security is compromised.
The alternative approach is to have the end user set the password and enforce rules that make password creation very unique. Additionally, the user should be forced to change the password periodically.
One method of ensuring that the created password meets the level of complexity desired is by using password filters. A password may be filtered as suggested, but it must meet the complexity requirements policy. The password filter installed with Windows 2000 may be used, or a custom filter may be applied. Installation is accomplished by modifying the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Registry key and adding the *.dll file name to the string list. The *.dll filter should be placed in the %SYSTEMROOT%\SYSTEM32 folder.
In the next article, we continue our discussion of computer system security lockdown.