Account Policies

Strong Account Policies can help protect your machine against dictionary attacks. In a "dictionary attack", a hacker runs a program that tries to log in to your machine using a database (dictionary) of possible passwords.

Account Policies can be set on the local computer, and also using Group Policy if your machine is a member of an Active Directory Domain. The following example shows the procedure for setting a computer's Local Policy; the procedure for setting Account Policy using Group Policy is similar.

To set Account Policy Settings:

1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Local Security Policy"

2.) Navigate to the "Password Policy" folder as shown in the figure.

[Figure: the "Password Policy" folder in Local Security Policy, with the recommended settings]

3.) Double-click on the items in the right pane to set them to the values shown in the figure above.

  • "Enforce Password history" prevents users from using the same passwords over and over again.

  • "Maximum Password Age" is the maximum amount of time that a user can use the same password.

  • "Minimum Password Age" is the minimum amount of time that a user must wait before they can change their password. This works in conjunction with the "Enforce Password history" policy, preventing a user from quickly changing their password many times in order to be able to use the same password again.

  • "Minimum Password length" is the minimum number of characters a password must have. Use AT LEAST 8 characters here. Remember that weak passwords are the easiest mechanism a hacker can use to break into your system.

  • "Passwords must meet complexity requirements" requires passwords to obey the following rules:
    • Passwords must be at least six (6) characters long.
    • Passwords must contain characters from at least three (3) of the following four (4) classes:
      • English upper case letters (A, B, C, ... Z)
      • English lower case letters (a, b, c, ... z)
      • Westernized Arabic numerals (0, 1, 2, ... 9)
      • Non-alphanumeric characters ("special characters") such as punctuation symbols
    • Passwords may not contain your user name or any part of your full name.

4.) Next, set the account lockout policy by navigating to the "Account Lockout Policy" folder as shown in the figure.

[Figure: the "Account Lockout Policy" folder in Local Security Policy, with the recommended settings]

In the figure above, if a user enters a password incorrectly 3 times ("Account Lockout Threshold"), their account will be locked out (disabled) for 60 minutes (the "Account lockout duration"). The system keeps a count of how many times a user has typed in an invalid password. After 60 minutes, this counter is reset ("Reset account lockout counter after").

If a hacker tries to guess passwords on your system, these mechanisms will temporarily disable the account the hacker is trying to break into, and prevent the hacker from further break-in attempts.

Note that these settings do not apply to the Administrator account. The Administrator account will never be locked out. This is why it is important to rename the Administrator account.
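As an added example (not part of the original page), the following PowerShell script audits the settings configured in steps 2 to 4: it exports the effective local policy with secedit and compares the [System Access] values against the values given above. The export path, the password-history floor of 1, and the use of the NewAdministratorName key for the rename check are assumptions.

```powershell
# Added example: audit local Account Policy against the values described above.
# Run from an elevated PowerShell prompt. The export path is an assumption.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run as Administrator.' }

# Collect the "Key = Value" pairs from the [System Access] section only.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Targets taken from the text: length >= 8, complexity on, 3 bad attempts,
# 60-minute lockout, 60-minute counter reset. History floor of 1 is assumed,
# since the text asks for history enforcement but gives no number.
$checks = @(
    @{ Key = 'PasswordHistorySize';   Test = { param($v) $v -ge 1 };  Want = '>= 1 (assumed floor)' },
    @{ Key = 'MinimumPasswordLength'; Test = { param($v) $v -ge 8 };  Want = '>= 8 characters' },
    @{ Key = 'PasswordComplexity';    Test = { param($v) $v -eq 1 };  Want = '1 (enabled)' },
    @{ Key = 'LockoutBadCount';       Test = { param($v) $v -eq 3 };  Want = '3 invalid attempts' },
    @{ Key = 'LockoutDuration';       Test = { param($v) $v -eq 60 }; Want = '60 minutes' },
    @{ Key = 'ResetLockoutCount';     Test = { param($v) $v -eq 60 }; Want = '60 minutes' }
)
foreach ($c in $checks) {
    # Lockout keys are absent from the export when no lockout threshold is set.
    $raw = $policy[$c.Key]
    $val = if ($null -ne $raw) { [int]$raw } else { $null }
    $ok  = ($null -ne $val) -and (& $c.Test $val)
    '{0,-22} current={1,-8} want={2,-22} {3}' -f $c.Key,
        $(if ($null -eq $val) { '(unset)' } else { $val }), $c.Want,
        $(if ($ok) { 'OK' } else { 'REVIEW' })
}

# Password ages are reported only: the text sets them but gives no numbers.
# A MaximumPasswordAge of -1 means passwords never expire.
'MaximumPasswordAge (days) = {0}; MinimumPasswordAge (days) = {1}' -f `
    $policy['MaximumPasswordAge'], $policy['MinimumPasswordAge']

# Rename check: NewAdministratorName is only present when the
# "Accounts: Rename administrator account" policy has been configured.
$newName = $policy['NewAdministratorName']
if (-not $newName -or $newName.Trim('"') -eq 'Administrator') {
    'Built-in Administrator account has not been renamed: REVIEW'
} else {
    'Built-in Administrator account renamed to {0}: OK' -f $newName
}
```

Any line marked REVIEW points at a setting that differs from the values recommended above; an unset lockout key means no lockout threshold is configured at all.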