subject: Password Policies Available For Windows Server 2003-based Networks
There are five password policies you can use in any Windows Server 2003 network:
The password policy that is part of the Account Policy of the Security Settings portion of the Group Policy object that is linked to the domain container. This policy dictates the technical controls that will enforce a password policy for all domain accounts.
Some security options and individual user account settings also provide technical control.
The password policy that affects the accounts in the local database of the member or stand-alone computers.
The written password policy. Some of this policy can be enforced with technical
The policy that is generally practiced at the organization.
Ultimately, all policies can affect the security of the information systems. Your job as a designer is to consider all these password policies, not just those that can be technically enforced, and to design an appropriate password policy and controls.
Technical Controls for Password Policies and Their Limitations
One of the first steps in designing a strong password policy is to identify the technical controls available for password policies and to review their limitations. This section describes the technical controls for password policies, the security requirements for user account configuration and security options, and the limitations of technical controls.
Technical Controls
The technical controls available for password policies have not changed in Windows Server 2003. Controls are located in the Group Policy Password Policy and are extended in the user's individual account. In addition, several security options restrict or extend the policy. The password policy is configured for the local account database in the local Group Policy, for local account databases in member computers in the Group Policy Object (GPO) linked to the container that holds the computer account, and for the entire domain user database in the GPO linked to the domain. GPO settings are located in the Windows Configuration, Security Settings, Account Policy, Password Policy container. Table 6-5 lists and defines the technical controls in the password policy.
Security Options
Security options are located in the Windows Configuration, Security Settings, Local Policy, Security Options container. Table 6-7 provides information on relevant security options.
Accounts: Limit local account use of blank passwords to console logon only: Enabled.
If an account does not have a password, it cannot be used to remotely log on to the computer.
If enabled, the domain controller will refuse all computer requests to change its password. Use this option to refuse all requests.
Prevents the computer from requesting that its account password be changed. Apply this option in an OU to prevent requests being made.
How often a computer will attempt to change its password. Use this option to set the number of days for the request.
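The four security options described above can be checked offline from an exported security template. The following is an added example, not part of the original page: it reads the [Registry Values] section of a template in the format written by secedit /export and reports settings that weaken or cancel the controls described. The registry value names (LimitBlankPasswordUse, RefusePasswordChange, DisablePasswordChange, MaximumPasswordAge) do not appear on the page and are assumed here from the standard Windows security templates; the sample template is constructed.

```python
# Audit the security options described above from a security template.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed sample input, not taken from a real system.
SAMPLE_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
"""

def registry_values(inf_text):
    """Return {lowercased registry path: int} for REG_DWORD (type 4) entries."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, data = line.split("=", 1)
        reg_type, _, value = data.partition(",")
        if reg_type.strip() == "4" and value.strip().lstrip("-").isdigit():
            values[path.strip().lower()] = int(value)
    return values

def audit(inf_text):
    """Return a list of findings based on the option descriptions above."""
    v = registry_values(inf_text)
    get = lambda base, name: v.get(f"{base}\\{name}".lower())
    findings = []
    if get(LSA, "LimitBlankPasswordUse") != 1:
        findings.append("LimitBlankPasswordUse is not set to Enabled in this template")
    if get(NETLOGON, "RefusePasswordChange") == 1:
        findings.append("domain controller refuses computer password changes")
    if get(NETLOGON, "DisablePasswordChange") == 1:
        findings.append("computer never requests a password change")
        if get(NETLOGON, "MaximumPasswordAge") is not None:
            findings.append("machine password age is set but has no effect")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print("FINDING:", finding)
```

Templates exported by secedit are normally UTF-16 encoded, so decode the file with that encoding before passing its text to audit().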