Thursday, May 25, 2017

Cyber Security: How to Implement IT Policies of Protection

In a previous 2-part post about cyber security, Part I discussed what cyber security is while Part II expanded and discussed how cyber security can affect businesses. Beyond understanding cyber security, there are policies that can be implemented to protect any network and its resources. Using Microsoft's Group Policy Editor, many protections can be put into place including, but not limited to:
  • Password complexity - to require capitalization, numbers or characters for user credentials
  • Minimum password lengths - to require longer passwords
  • Maximum password age - to require users to regularly change their passwords
  • Account lockout threshold - to lock a user account after a defined number of failed logon attempts
  • Account lockout duration - to set the amount of time a user account remains locked out after hitting the lockout threshold
Implementing these policies is a great step towards increasing cyber security protection.

Group Policy is a tool that can be used to control thousands of objects relating to user accounts, folder settings, software settings, control permissions, and much more. This post covers a few of the many options available related to the security of user accounts, password settings and access. 

To modify the settings of any Group Policy Object, connect to a domain controller. Search for Group Policy Management and open it, then expand the domain name. You can either create a new policy by right-clicking "Group Policy Objects" and selecting "New", or modify the default policy by expanding Group Policy Objects, right-clicking "Default Domain Policy" and clicking "Edit".


Password settings
In the Group Policy Management Editor window, navigate to the Password Policy object using this path: Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, Password Policy.

Password complexity
  • Double-click "Password must meet complexity requirements".
  • On the Security Policy Setting tab, check the box to define the policy setting and click "Enable".
  • This will require all passwords to meet at least 3 out of 4 items: upper case letter, lower case letter, number, special character.
  • Click Apply and OK to save this setting.
Minimum password lengths 
  • Double-click "Minimum password length".
  • If necessary, on the Security Policy Setting tab, click the box next to "Define this policy setting".
  • Use the up or down arrows to set the minimum number of characters for user passwords.
  • Click OK to save this setting.
Maximum password age
  • Double-click "Maximum password age".
  • If necessary, on the Security Policy Setting tab, click the box next to "Define this policy setting".
  • Use the up or down arrows to set the maximum age of user passwords. Once the maximum number of days has passed for a password, the user will be prompted to change it the next time they log on to the network.
  • Click Apply and OK to save this setting.

Account settings

In the Group Policy Management Editor window, navigate to the Account Lockout Policy object using this path: Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, Account Lockout Policy. NOTE: The policies below work together: the threshold decides when an account is locked, and the duration decides how long it stays locked.

Account lockout threshold 
  • Double-click "Account lockout threshold".
  • If necessary, on the Security Policy Setting tab, click the box next to "Define this policy setting".
  • Use the up or down arrows to set the number of invalid logon attempts that will lock the account. NOTE: Use caution when setting this too low, as users can become frustrated by being accidentally locked out. However, leaving this number too high gives unauthorized people more room for dictionary attacks or other attempts to guess user credentials. Try to find a setting that takes both of these items into consideration.
  • Click Apply and OK to save the setting.
Account lockout duration
  • Double-click "Account lockout duration".
  • If necessary, on the Security Policy Setting tab, click the box next to "Define this policy setting".
  • Use the up or down arrows to define the period of time a user should be locked out of their account after hitting the lockout threshold.
  • Click Apply and OK to save the setting.

Changes to Group Policy Objects take effect once they are saved. They reach users at the next reboot, logon, or Group Policy refresh, which occurs every 15 minutes for all users connected to the network. Remote users receive the updated policy when they reconnect their devices to the network, since Group Policy is refreshed at logon.
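As an added example that is not part of the post, the same five settings can be audited (and, with -Apply, written) from PowerShell with the ActiveDirectory module instead of the GUI steps above. The target values in the script are assumptions chosen for illustration, not recommendations from the post, and it assumes RSAT/ActiveDirectory is installed on a domain-joined host.

```powershell
# Added example (not from the post): audit the domain's effective password and
# lockout policy against the five settings described above and, with -Apply,
# write them using the ActiveDirectory module. Assumes RSAT/ActiveDirectory is
# installed and the caller can read (and, for -Apply, modify) the domain policy.
# The target values are assumptions for illustration, not the post's recommendations.
param([switch]$Apply)

Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot
$Policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

# Each check names the policy property, the assumed target, and what "meets target" means.
# A MaxPasswordAge of zero means passwords never expire; a LockoutDuration of zero means
# the account stays locked until an administrator unlocks it (stricter, so it passes).
$Checks = @(
    @{ Name = 'ComplexityEnabled'; Target = $true
       Pass = { param($c, $t) $c -eq $t } }
    @{ Name = 'MinPasswordLength'; Target = 12
       Pass = { param($c, $t) $c -ge $t } }
    @{ Name = 'MaxPasswordAge';    Target = [TimeSpan]::FromDays(90)
       Pass = { param($c, $t) $c -gt [TimeSpan]::Zero -and $c -le $t } }
    @{ Name = 'LockoutThreshold';  Target = 5      # 0 disables lockout entirely
       Pass = { param($c, $t) $c -gt 0 -and $c -le $t } }
    @{ Name = 'LockoutDuration';   Target = [TimeSpan]::FromMinutes(30)
       Pass = { param($c, $t) $c -le [TimeSpan]::Zero -or $c -ge $t } }
)

$Results = foreach ($Check in $Checks) {
    $Current = $Policy.($Check.Name)
    $Status  = if (& $Check.Pass $Current $Check.Target) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Setting = $Check.Name; Current = $Current; Target = $Check.Target; Status = $Status }
}
$Results | Format-Table -AutoSize

if ($Apply -and ($Results.Status -contains 'WEAK')) {
    # LockoutObservationWindow must not exceed LockoutDuration; keep them equal here.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -ComplexityEnabled $true `
        -MinPasswordLength 12 `
        -MaxPasswordAge ([TimeSpan]::FromDays(90)) `
        -LockoutThreshold 5 `
        -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
        -LockoutObservationWindow ([TimeSpan]::FromMinutes(30))
    Write-Host "Domain policy updated for $Domain; run 'gpupdate /force' on a client to pull it now."
}
```

Without -Apply the script only reports, which is the safer way to use it on a schedule. The GPO edited in the steps above remains the authoritative source for these values, so keep it in sync with anything you set here.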

Cyber security is an important consideration for every business owner and IT professional. Using group policy objects allows for easy management of many cyber security settings. Increasing the security requirements can reduce the possibility that a user's credentials can be hacked while also managing how long a legitimate user could accidentally be locked out. There is often a fine balance between providing a high level of security and maintaining ease of functionality and it is best to thoroughly consider repercussions of both before implementation.

As always, using tools that provide centralized management is the easiest way to consistently and effectively administer settings for a network of users.

