Creating a Strong Password Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Given enough encrypted data, time, and computing power, attackers can compromise almost any cryptographic system. You can prevent such attackers from succeeding by making the task of cracking the password as difficult as possible. Two key strategies to accomplish this are to require users to set complex passwords and to require users to change their passwords periodically, so that attackers do not have enough time to crack a complex password before it is replaced.

Complex Passwords

You should set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically at least seven characters long. Apply this requirement to all accounts, including administrative accounts such as local administrator, domain administrator, and enterprise administrator.

In this way, when users submit a new password, the password policy determines whether the password meets established requirements. You can set more complex password requirements; however, such password policies can increase costs to the organization if they obligate users to select passwords that are difficult to remember. Users might be forced to call the help desk if they forget their passwords, or they might write down their passwords, thus making them vulnerable to discovery. For this reason, when you establish password policies, you need to balance the need for strong security against the need to make the password policy easy for users to follow.

Older Client Operating Systems

Versions of the operating system earlier than Windows Server 2003 cannot handle passwords that contain more than 14 characters. For example:

  • Attempts to log on to a Windows 2000–based computer running Terminal Services by using automatic logon settings configured in Client Connection Manager fail if your password is more than 14 characters long. Client Connection Manager has a 14-character limitation for passwords used for automatic logon. To work around this problem, you must manually enter a password to be used for the connection when prompted. You can prevent this by modifying the password used in Client Connection Manager and on your domain to be no more than 14 characters long.

  • In the Microsoft Windows NT 3.51 operating system, Run.exe allows users to start utilities. When users start utilities, they can specify a user account and password to be used to start the application. When the password parameter is used, Run.exe stores the values in buffers limited to 14 characters. Passwords longer than 14 characters are truncated for storage and then passed to domain controllers in truncated form, causing authentication failures.

You can solve many of these problems by applying the latest service packs for operating systems. If your organization includes client computers running versions of the operating system earlier than Windows Server 2003 that do not support longer passwords, be sure to account for this when you set your password policies.

Selecting Password Policy Options

Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 provide security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default Domain Group Policy object. These policies are enforced on all user accounts in a domain.

Enforce password history

This policy setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. This feature enables administrators to enhance security by preventing users from reusing their old password continually. The default value on domain controllers is 24, and the default value on stand-alone servers is 0. Most IT departments choose a value greater than 10.

Maximum password age

This policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. The best defense against impersonation is to require that users change their passwords regularly. This reduces the amount of time available for attackers to crack unknown passwords. The maximum password age can be set between 1 and 999 days. The default value of 42 days is generally appropriate; however, some IT departments shorten this to 30 days. To specify that passwords never expire, set this value to 0.

Minimum password age

This policy setting determines the number of days that must pass before a user can change his or her password. Defining a minimum password age prevents users from circumventing the password history policy by defining multiple passwords in rapid succession until they can use their old password again. The default value on domain controllers is 1, and the default value on stand-alone servers is 0. A value of a few days discourages rapid password recycling while still permitting users to change their own passwords if desired.

If you enable the Enforce password history policy setting, the minimum password age must be configured to a value greater than 0.

If Maximum password age is set between 1 and 999 days, Minimum password age must be less than Maximum password age. If Maximum password age is set to 0, Minimum password age can be any value between 0 and 998 days.

Note

Setting this parameter to a value higher than Maximum password age forces users to call the IT department to change their passwords, which increases costs to the organization.

Minimum password length

This policy setting determines the minimum number of characters that a user's password must contain. You can set a value between 1 and 14 characters. To specify that no password is required, set the value to 0. The default value on domain controllers is 7, and the default value on stand-alone servers is 0.
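The four numeric settings above constrain one another (history needs a minimum age, the minimum age must stay below the maximum, and each value has a fixed range). The following Python script is an added example, not code from this page or from Microsoft; it encodes exactly those constraints so that a proposed set of values can be checked for consistency before an administrator applies it to the Default Domain Policy. The sample policies are constructed; the domain-controller defaults are the ones quoted in the sections above.

```python
"""Consistency checks for the numeric password-policy settings described above.

Added example: models the constraints this page states among Enforce password
history, Maximum password age, Minimum password age and Minimum password length.
It does not read or write Group Policy; it only validates a proposed set of
values before an administrator applies them.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    password_history: int      # Enforce password history (0 = not enforced)
    max_password_age: int      # days; 0 = passwords never expire
    min_password_age: int      # days; 0 = users may change immediately
    min_password_length: int   # characters; 0 = no password required


def policy_problems(p: PasswordPolicy) -> List[str]:
    """Return a list of human-readable violations; an empty list means consistent."""
    problems: List[str] = []

    # Maximum password age is 1..999 days, or 0 for "never expires".
    if not 0 <= p.max_password_age <= 999:
        problems.append("Maximum password age must be 0 (never) or 1-999 days")

    # With a maximum age of 1..999 the minimum must be strictly less;
    # with a maximum of 0 the minimum may be anything from 0 to 998.
    if p.max_password_age == 0:
        if not 0 <= p.min_password_age <= 998:
            problems.append("Minimum password age must be 0-998 days when passwords never expire")
    elif not 0 <= p.min_password_age < p.max_password_age:
        problems.append("Minimum password age must be less than Maximum password age")

    # If password history is enforced, minimum age must be greater than 0;
    # otherwise users can cycle through the whole history in one sitting.
    if p.password_history < 0:
        problems.append("Enforce password history cannot be negative")
    elif p.password_history > 0 and p.min_password_age <= 0:
        problems.append("Enforce password history requires Minimum password age > 0")

    # Minimum length is 1-14 characters, or 0 for "no password required".
    if not 0 <= p.min_password_length <= 14:
        problems.append("Minimum password length must be 0 (none) or 1-14 characters")
    return problems


# Constructed sample policies: the domain-controller defaults quoted on this page
# and a deliberately inconsistent one.
DC_DEFAULTS = PasswordPolicy(password_history=24, max_password_age=42,
                             min_password_age=1, min_password_length=7)
STANDALONE_DEFAULTS = PasswordPolicy(password_history=0, max_password_age=42,
                                     min_password_age=0, min_password_length=0)
BAD_POLICY = PasswordPolicy(password_history=24, max_password_age=30,
                            min_password_age=45, min_password_length=20)

if __name__ == "__main__":
    for name, pol in (("DC defaults", DC_DEFAULTS),
                      ("stand-alone defaults", STANDALONE_DEFAULTS),
                      ("bad policy", BAD_POLICY)):
        print(f"{name}: {policy_problems(pol) or 'consistent'}")
```

Running the script reports the two defaults as consistent and flags the bad policy twice (minimum age above maximum, and a minimum length beyond 14). The history check deliberately produces one message rather than two when the value is both negative and paired with a zero minimum age, so each setting yields at most one complaint.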

Passwords must meet complexity requirements

This policy setting determines whether new passwords must meet complexity requirements. If this policy setting is enabled, passwords must meet the following minimum requirements:

  • Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.

  • Passwords must be at least six characters in length or the number of characters specified in the Minimum password length policy setting.

  • Passwords must contain characters from at least three of the following four categories:

    • English uppercase alphabet characters (A–Z)

    • English lowercase alphabet characters (a–z)

    • Base 10 digits (0–9)

    • Non-alphanumeric characters (for example, !$#,%)

This policy setting is enabled by default on domain controllers and disabled by default on stand-alone servers.
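To make the three rules above concrete, here is a Python checker that accepts or rejects a candidate password the way the list describes. It is an added example written for this page, not Microsoft's implementation of the setting. The page says only that name fragments longer than two consecutive characters are disallowed; the choice of delimiters used to split the full name into fragments (comma, period, hyphen, underscore, space, pound sign, tab) and skipping account names shorter than three characters follow Microsoft's published description of this setting and are assumptions here, not text from this page. The sample user and passwords are constructed.

```python
"""Password complexity check modelled on the rules listed above.

Added example, not Microsoft code: it reproduces the three rules this page gives
for "Passwords must meet complexity requirements" so that a reviewer can see
exactly what each rule accepts and rejects. The name-token delimiters and the
three-character threshold are assumptions (see the lead-in), not page text.
"""
import re
from typing import List

# Delimiters used to split the full name into fragments (assumed, see docstring).
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(account_name: str, full_name: str) -> List[str]:
    """Lower-cased name fragments that must not appear in the password.

    Fragments shorter than three characters are ignored, which is what
    "parts ... that exceed two consecutive characters" means in practice.
    """
    tokens = [t for t in _NAME_DELIMITERS.split(full_name) if len(t) >= 3]
    if len(account_name) >= 3:
        tokens.append(account_name)
    return [t.lower() for t in tokens]


def category_count(password: str) -> int:
    """Number of the four page-listed character categories present."""
    checks = (
        any("A" <= c <= "Z" for c in password),   # English uppercase A-Z
        any("a" <= c <= "z" for c in password),   # English lowercase a-z
        any("0" <= c <= "9" for c in password),   # base-10 digits 0-9
        any(not c.isalnum() for c in password),   # non-alphanumeric, e.g. !$#,%
    )
    return sum(checks)


def complexity_failures(password: str, account_name: str, full_name: str,
                        min_password_length: int = 0) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    failures: List[str] = []
    lowered = password.lower()

    # Rule 1: no account name and no full-name fragment of three or more
    # characters anywhere in the password (case-insensitive).
    hits = [t for t in name_tokens(account_name, full_name) if t in lowered]
    if hits:
        failures.append(f"contains name fragment(s): {', '.join(hits)}")

    # Rule 2: at least six characters, or Minimum password length if larger.
    required = max(6, min_password_length)
    if len(password) < required:
        failures.append(f"shorter than {required} characters")

    # Rule 3: characters from at least three of the four categories.
    if category_count(password) < 3:
        failures.append("uses fewer than three character categories")
    return failures


# Constructed sample inputs for the user "jdoe" with full name "John Q. Doe".
SAMPLES = {
    "Doe2024!x": "rejected: contains 'doe'",
    "Qa1!": "rejected: too short",
    "abcdefgh": "rejected: one category",
    "Tr0ub4dor&3": "accepted",
}

if __name__ == "__main__":
    for pw, expectation in SAMPLES.items():
        result = complexity_failures(pw, "jdoe", "John Q. Doe", min_password_length=7)
        print(f"{pw!r:14} {expectation:28} -> {result or 'OK'}")
```

Note that the fragment check is deliberately case-insensitive and substring-based, so "Doe2024!x" fails even though it satisfies the length and category rules; the length rule uses whichever is larger of six and the configured Minimum password length, matching the wording of the second bullet.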

Store passwords using reversible encryption

This policy setting determines whether the operating system stores passwords by using reversible encryption. It also provides support for applications that use protocols that require knowledge of the user's password for authentication purposes.

Important

Storing passwords by using reversible encryption is the same as storing plaintext versions of the passwords. For this reason, this policy should not be enabled unless application requirements outweigh the need to protect password information.

This policy setting must be enabled when using:

  • Challenge Handshake Authentication Protocol (CHAP) authentication through remote access

  • Internet Authentication Service (IAS)

  • Digest authentication in Internet Information Services (IIS)

This policy setting is disabled by default.