Home > Information Security Tips > Tech tips > Windows password security: System tools and policy
Security UK Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

TECH TIPS

Windows password security: System tools and policy


Davey Winder, Contributor
10.08.2008
Rating: --- (out of 5)


Security UK Tips and Expert Advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


This tip will be the first of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.

Back in part one of this series about Windows security strategy, we said that you should never, never leave a Windows password entry blank and always, always make it a strong one. That was good advice, and is worth repeating.

The importance of strong passwords is so often overlooked that it makes security professionals despair. Do not let your organisation fall into the trap of valuing simplicity over security.

Windows tools and password security policy
Windows comes complete with tools to ensure that all users are forced to remember the importance of strong passwords, and can actually prevent them from using anything but. The local security policy applet enables password policy options that require all passwords to meet complexity requirements. The relevant option in this case, oddly enough, is called 'Password must meet complexity requirements' and can be found in Windows 2000, Vista and Server 2008.

By meeting complexity requirements, it demands that all passwords must be at least six characters long and include at least three uppercase, lowercase, numerals and non-alphanumerics amongst them. The same policy applet allows an account-lockout threshold to prevent automated dictionary attacks or thwart persistent guessers, who might get lucky eventually. Set this low; a maximum threshold of four should be plenty to allow for drunken users and typos. While you are at it, set a m


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Tech tips
A review of Nmap scan options and timing templates
How to test a firewall with Nmap
Rootkit Hunter demo: Detect and remove Linux rootkits
Using Nmap to scan for open ports, updated servers and more
How to perform Nmap scans and port checks
Installation tips before beginning Nmap port scans
NAC and endpoint security: The hard questions
Securing Windows services to prevent hacker attacks
Windows security: Remote Desktop, hosts file and keyboard lock down
How to detect and remove rootkits with Windows encryption

User Password Security
How effective are password hack tools?
How to protect employees' personal information and passwords
Gartner: How to succeed at identity and access management
Identity management still eludes most companies
Understanding multifactor authentication features in IAM suites
Worst practices: Exposing IAM blunders
John Lewis dumps RSA tokens for phones
EU crypto project Suphice mired in red tape
How to prevent hackers from accessing your router security password
IBM releases simplified Tivoli Identity Manager

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


aximum password age of no more than 30 days and make the minimum character count eight for good measure.

How to create secure Windows passwords
Although everyone has, it seems, their own preferred method for creating 'strong' passwords, some work better in practice than others. There remains, however, a basic set of dos and don'ts that should always be applied:

Security by least privilege
If a password does get cracked, mimimise the risk by always ensuring that account authorisation is done on a 'least privilege' basis. Hackers love to get access to any account on a Windows machine or network because all too often this means they can escalate upwards through increasingly more privileged accounts and gain even more control.

To thwart the risk, restrict interactive login privileges, restrict access to critical system binaries (cmd.exe springs to mind here) for damage limitation, and restrict system booting to 'from hard disk only' to prevent physical privilege escalation. Windows XP SP2 users can add a Windows Registry key to access more powerful software restriction policies with levels including 'restricted' and 'untrusted.' Obviously all Windows Registry hacking is done entirely at your own risk, and backups are essential, but the key to add to HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is:

Levels"=dword:00031000

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip
To rate tips, you must be a member of SearchSecurity.co.UK.
Register now to start rating these tips. Log in if you are already a member.




DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



UK Data Security Solutions: Data Privacy, Identity Theft, Data Loss
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts