Adjusting the password policy on SBS 2011 standard

Your users might hate the password policy on the server.


Now mind you I’m not saying that this is a bad thing…just that you may need to tweak the policy.   Especially if you opt for two factor authentication with www.authanvil.com where you can make the ‘normal’ password policy a little bit ‘dumber’ as the two factor means you are now smarter.


First one … the password policy. 


Launch the group policy management console



And in the default domain policy under Windows Settings\Security settings\Account policies/Password Policy here’s the policy.



If you want to make the password expiration LONGER than 180 days, right mouse click on the default domain policy



 


Expand Computer configuration
Policies
Windows Settings
Security settings
Account policies
Password Policy


Now edit the policy as you want for your clients/your office


==================


Enforce password history


This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.


This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.


Default:


24 on domain controllers.  SBS 2011 has this at 24


==============


Maximum password age


This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.


Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.


Default: 42.


SBS 2011 sets it for 180 days because the default of 42 drives you to drink.


=============


Minimum password age


This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.


The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.


Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.


SBS 2011 is set for 1 day but you may want to set this to 0 to allow for immediate changes.


=============


Minimum password length


This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.


Default:


7 on domain controllers.
0 on stand-alone servers.


Note: By default, member computers follow the configuration of their domain controllers.


SBS 2011 is set for 8.  Keep this.  Longer passphrases are a good thing.


===============


Password must meet complexity requirements


This security setting determines whether passwords must meet complexity requirements.


If this policy is enabled, passwords must meet the following minimum requirements:


Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.


 


Default:


Enabled on domain controllers.  Enabled on SBS 2011.  Leave this.  People need to stop using the word password as a password.


===============


Store passwords using reversible encryption


This security setting determines whether the operating system stores passwords using reversible encryption.


This policy provides support for applications that use protocols that require knowledge of the user’s password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.


This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).


Default: Disabled.  Disabled on SBS 2011

One Thought on “Adjusting the password policy on SBS 2011 standard

  1. I think that as with SBS 2008 we may apply different policies for different user groups (eg those who use authanvil and those who do not)
    I did an article showing how to do that here:
    http://translate.google.fr/translate?js=n&prev=_t&hl=fr&ie=UTF-8&layout=2&eotf=1&sl=fr&tl=en&u=http% 3A% 2F% 2Fblog% 2Fblog1.php 2Fgourle.com% 2F2010%% 2F03% 2F16% 2Fplusieurs-political-of-word-password & act = url

Post Navigation