Strong password policy windows server 2003
If the minimum password age is set to 0, users can change their passwords immediately, which lets them cycle through the whole password history in one sitting and land back on an old favourite. To prevent this, set a specific minimum age. Reasonable settings are from three to seven days: users are far less inclined to work their way back to an old password, but can still change a password within a reasonable time if they want to.

Note: Keep in mind that a minimum password age could prevent a user from changing a compromised password. The minimum age applies only to changes the user makes; an administrator can still reset the password, and can set "User must change password at next logon" so the user picks a fresh one immediately.

Minimum Password Length
This sets the minimum number of characters for a password. The default in some cases is to allow empty passwords (zero characters), which is definitely not a good idea. If you want greater security, set the minimum password length to 14 characters.

Passwords Must Meet Complexity Requirements
Beyond the basic password and account policies, Windows Server R2 includes facilities (custom password filter DLLs) for creating additional password controls.

These facilities enforce the use of secure passwords that follow the complexity rules described below.

Store Passwords Using Reversible Encryption
The only time you would want to change this setting is when your organization uses applications that need to read the password.

But with this policy enabled, passwords might as well be stored as plain text: it presents the same security risks, because anyone who can read the directory database can recover every password in the clear. Leave it disabled domain-wide; if a single application really needs it, use the per-user account option ("Store password using reversible encryption") for that account only.

Actually, users feel more comfortable if they can write down their passwords, and are then more likely to create more complex passwords. The written password should be stored in a secure location that is kept under lock and key, such as a safe.

To help implement a strong password policy, Windows Server provides a feature known as Password Complexity. Password Complexity requires passwords that meet the rules listed below.

Use Group Policy. The Group Policy settings that implement a strong password policy sit under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy: Enforce password history, Maximum password age, Minimum password age, Minimum password length, Passwords must meet complexity requirements, and Store passwords using reversible encryption. For domain accounts these settings are read only from a GPO linked at the domain level (normally the Default Domain Policy); a Windows Server 2003 domain therefore has exactly one password policy for all domain users, which is the limitation that fine-grained password policies later removed.

Fine-grained password policies require a domain functional level of Windows Server 2008 or later, and they apply to users and global security groups, not to OUs. To apply a fine-grained password policy to the users of an OU, you can therefore use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add the users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups; nothing in Active Directory does this for you, so script it, or the policy silently stops applying to moved users.

Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy except the Kerberos settings, plus the account lockout settings.

When you specify a fine-grained password policy, you must specify all of these settings; nothing is inherited from the default domain policy. By default, only members of the Domain Admins group can set fine-grained password policies.
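The shadow-group procedure above as a script, added here as an example (it is not from the original article), using the ActiveDirectory PowerShell module. It assumes a domain functional level of Windows Server 2008 or later and the RSAT module; the OU 'OU=Admins,DC=corp,DC=example', the group 'SG-AdminsOU', the PSO 'PSO-Admins' and the setting values are hypothetical.

```powershell
# Added example: fine-grained password policy applied through a shadow group.
# Assumes the ActiveDirectory module and a 2008+ domain functional level.
# OU, group and PSO names below are hypothetical.
Import-Module ActiveDirectory

$ou        = 'OU=Admins,DC=corp,DC=example'
$groupName = 'SG-AdminsOU'      # shadow group mirroring the OU
$psoName   = 'PSO-Admins'

# 0. What everybody gets today: the single domain-wide policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MinPasswordAge, MaxPasswordAge, PasswordHistoryCount

# 1. Shadow group: a global security group logically mapped to the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ou -Description "Shadow group for $ou (fine-grained password policy target)"
}

# 2. Sync membership with the OU. Run this again whenever users move
#    between OUs; nothing in AD updates the shadow group for you.
$ouUsers  = @(Get-ADUser -Filter * -SearchBase $ou)
$members  = @(Get-ADGroupMember -Identity $groupName | Where-Object objectClass -eq 'user')
$toAdd    = @($ouUsers | Where-Object { $_.DistinguishedName -notin $members.DistinguishedName })
$toRemove = @($members | Where-Object { $_.DistinguishedName -notin $ouUsers.DistinguishedName })
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 3. The policy object. Every attribute is mandatory; nothing is inherited
#    from the default domain policy, so the lockout values are set too.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordLength 14 `
        -MinPasswordAge (New-TimeSpan -Days 3) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}

# 4. Bind the PSO to the shadow group and verify what one member actually
#    resolves to (when several PSOs apply, the lowest Precedence value wins).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
if ($ouUsers.Count) {
    Get-ADUserResultantPasswordPolicy -Identity $ouUsers[0] |
        Select-Object Name, Precedence, MinPasswordLength, MinPasswordAge, LockoutThreshold
}
```

Step 2 is the part worth scheduling: run it as a periodic task (one per shadow group) so that users moved between OUs pick up or lose the policy without anyone remembering to edit group membership, and keep step 4's resultant-policy check in the same task so a user who unexpectedly falls back to the default domain policy is noticed.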

A password that meets the complexity requirements must contain characters from three of the following five categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters).
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters).
- Base 10 digits (0 through 9).
- Non-alphanumeric characters (special characters).
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
It must also not contain the user's account name, or any part of the user's full name that is three or more characters long; both checks are case-insensitive. The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll.

Enabling the default Passfilt.dll rules will reject some of the passwords users are accustomed to choosing. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. A custom Passfilt.dll can add further rules, for example requiring upper-row characters.

Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digit keys on the top row of the keyboard (1 through 0).

Set Passwords must meet complexity requirements to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 62^8 = 218,340,105,584,896 different possibilities for a single password (62 counts only the ASCII letters and digits; once symbols are included the real space is larger).

This makes a brute force attack difficult, but still not impossible. The figure also assumes passwords chosen uniformly at random: the filter happily accepts predictable patterns such as a capitalized dictionary word followed by a digit and a symbol, which are exactly what offline guessing tools try first. Length does more for you than complexity here, which is why the 14-character minimum recommended above matters.
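The Passfilt.dll rules described above, re-implemented as an added example (not code from the original article) so candidate passwords can be tested offline against a given minimum length, together with the keyspace arithmetic behind the "at least 62^8" figure. The sample passwords, the user 'jdoe' / 'John Doe', and the category sizes used for the count (26 upper, 26 lower, 10 digits, 33 printable ASCII symbols including space) are constructed assumptions for the example.

```powershell
# Added example: the checks the default Passfilt.dll applies, re-implemented
# so you can test candidate passwords offline, plus the keyspace arithmetic.
# Category sizes used for the count (26/26/10/33 printable ASCII) are an
# assumption made for the arithmetic only.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = '',
        [int]    $MinimumLength  = 8      # the "Minimum password length" policy value
    )
    $failures = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinimumLength) {
        $failures.Add("shorter than $MinimumLength characters")
    }

    # Name checks are case-insensitive. samAccountName is matched whole;
    # displayName is split on the Passfilt delimiters (, . - _ space # tab)
    # and tokens shorter than three characters are ignored.
    $lower = $Password.ToLowerInvariant()
    if ($SamAccountName -and $lower.Contains($SamAccountName.ToLowerInvariant())) {
        $failures.Add('contains the account name')
    }
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $lower.Contains($token.ToLowerInvariant())) {
            $failures.Add("contains name token '$token'")
        }
    }

    # Characters from at least three of the five categories. .NET regex
    # class subtraction expresses "alphabetic but neither upper nor lower".
    $categories = @(
        '\p{Lu}'                    # uppercase letters
        '\p{Ll}'                    # lowercase letters
        '[0-9]'                     # base-10 digits
        '[^\p{L}0-9]'               # non-alphanumeric (symbols, space, ...)
        '[\p{L}-[\p{Lu}\p{Ll}]]'    # other alphabetic, e.g. CJK
    )
    $hit = @($categories | Where-Object { $Password -match $_ }).Count
    if ($hit -lt 3) {
        $failures.Add("only $hit of 5 character categories present, need 3")
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = (@($failures) -join '; ')
    }
}

function Get-BitCount([int] $Mask) {
    $n = 0
    while ($Mask) { $n += $Mask -band 1; $Mask = $Mask -shr 1 }
    $n
}

function Get-ComplexKeyspace {
    # Strings of $Length characters over four ASCII categories that use at
    # least three of them, by inclusion-exclusion over category subsets.
    param([int] $Length = 8, [int[]] $Sizes = @(26, 26, 10, 33))
    $total = [bigint]::Zero
    foreach ($t in 0..15) {                       # T: the set of categories actually used
        if ((Get-BitCount $t) -lt 3) { continue }
        foreach ($s in 0..15) {                   # S: every subset of T
            if (($s -band (-bnot $t)) -ne 0) { continue }
            $alphabet = 0
            foreach ($i in 0..3) { if ($s -band (1 -shl $i)) { $alphabet += $Sizes[$i] } }
            $sign = if (((Get-BitCount $t) - (Get-BitCount $s)) % 2 -eq 0) { 1 } else { -1 }
            $total += $sign * [bigint]::Pow([bigint] $alphabet, $Length)
        }
    }
    $total
}

# Constructed sample inputs for the hypothetical user 'jdoe' / 'John Doe'.
$samples = @(
    'Summer2003'          # three categories, no name: passes
    'johndoe1!'           # three categories, but contains name tokens
    'correcthorsestaple'  # long, but one category only
    'Pa$$w0rd'            # passes the filter and is still a terrible password
)
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe'
} | Format-Table -AutoSize

"62^8 (letters and digits only, the lower bound quoted above): $([bigint]::Pow([bigint] 62, 8))"
"length 8, three of four ASCII categories:                     $(Get-ComplexKeyspace -Length 8)"
```

The last sample is the point of the exercise: the filter is a syntactic check, so 'Pa$$w0rd' passes while being one of the first guesses any cracking wordlist makes. Use the function to sanity-check a proposed policy (for example, how many of your help desk's "temporary" passwords would it reject?), not as a measure of password strength.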
