Active Directory Account Standards - General User

1. Enforce password history
2. Maximum password age
3. Minimum password age
4. Minimum Password Length
5. Password Complexity Requirements
6. Store password using reversible encryption for all users in the domain
7. User must log on to change password
8. Account lockout threshold
9. Account lockout duration
10. Reset account lockout counter after
11. Automatic Login
12. Last logon Information
13. Logon Ctrl-Alt-Del

1. Enforce password history

Description: Determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

Tufts Active Directory Account Standard is 24.

Objective: The intent of this policy is to enable administrators to enhance security by ensuring that old passwords are not continually reused.

2. Maximum password age

Description: Determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0.

Tufts Active Directory Account Standard is 180 days.

* Starting 14 days prior to expiration, the user will receive expiration notices. Maximum password age is set to 180 days by domain policy and cannot be changed.

Objective: To ensure the password is changed in a timely manner.

3. Minimum password age

Description: Determines the period of time (in days) that a password must be used before the user can change it. You can set values between 1 and 999 days, or you can allow changes immediately by setting the number of days to 0.

Tufts LAN Account Standard is 0.

Objective: To ensure the passwords can be changed immediately for convenience and to enhance security.

4. Minimum Password Length

Description: Determines the least number of characters a user account's password may contain. You can set values between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Tufts Active Directory Account Standard is 8 characters.

Objective: To ensure password security.

5. Password Complexity Requirements

Description: Determines the least number of characters a user account's password may contain. You can set values between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. If this policy is enabled, then passwords must meet the minimum requirements described in the Notes section.

Tufts Active Directory Account Standard is ENABLED

- Does not contain all or part of the user's account name (ex: jsmith01)
- Does not contain all or part of the user's full name
- Is at least EIGHT characters in length
- Contains characters from ALL of the following four categories:
  - English upper case characters (A..Z)
  - English lower case characters (a..z)
  - Base 10 digits (0..9)
  - Non-alphanumeric (ex: !,$#,%)
- Cannot use words such as: Password, Passwrd, Change, Temporary, Tufts, Student, Welcome
- Cannot use four or more repeating characters.
  - Example: 1111; AAAA; tttt; !!!!

Complexity requirements are enforced upon password change or creation.

Objective: To ensure password security.

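The complexity rules listed above, written out as a pre-check that reports which rule a candidate password breaks. This is an added example, not code from Tufts or Microsoft; the three-character threshold for "part of" a name and the case-insensitive matching are assumptions, and the word list holds only the words the standard names.

```python
import re

# Words named in the standard; it says "such as", so treat this list as a minimum.
BANNED_WORDS = ("password", "passwrd", "change", "temporary", "tufts", "student", "welcome")
MIN_LENGTH = 8   # "at least EIGHT characters"
MAX_RUN = 3      # four or more identical characters in a row are rejected
PART_LEN = 3     # ASSUMPTION: "part of" a name means 3+ consecutive characters


def _name_parts(name):
    """Every PART_LEN-character window of each token in a name, lower-cased."""
    parts = set()
    for token in re.split(r"[^a-z0-9]+", name.lower()):
        for i in range(len(token) - PART_LEN + 1):
            parts.add(token[i:i + PART_LEN])
    return parts


def check_password(password, account_name, full_name):
    """Return the list of rules the candidate violates (empty list = compliant)."""
    failures = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        failures.append("length")
    # All four categories are required: upper, lower, digit, non-alphanumeric.
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        failures.append("categories")
    if any(p in lowered for p in _name_parts(account_name)):
        failures.append("account_name")
    if any(p in lowered for p in _name_parts(full_name)):
        failures.append("full_name")
    if any(w in lowered for w in BANNED_WORDS):
        failures.append("banned_word")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password, re.DOTALL):
        failures.append("repeat")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for a hypothetical user "jsmith01" / "John Smith".
    for pw in ("Tr1ck-Walnut", "Smith!2024x", "Welcome#2024", "Ab!!!!12xy"):
        print(pw, check_password(pw, "jsmith01", "John Smith") or "OK")
```
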
6. Store password using reversible encryption for all users in the domain.

Description: Determines whether Windows 2000 will store passwords using reversible encryption.

Tufts Active Directory Account Standard is DISABLED

The intent of this policy is to provide support for applications which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

Objective: Currently there is no enterprise application that outweighs the need to protect password information.

7. User must log on to change password

Description: Determines whether users have to log on before they can change their password.

Tufts Active Directory Account Standard is ENABLED

Objective: If this policy is enabled, then users have to log on before changing their password. Thus, if a user's password expires, the user will not be able to change the expired password, but must instead have an administrator reset the password.

8. Account lockout threshold

Description: Determines the number of failed logon attempts that will cause a user account to be locked out. A locked out account cannot be used until it is reset by an administrator or the account lockout duration has expired. You can set values between 1 and 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0.

Tufts Active Directory Account Standard is 10

NOTE: Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers do not count as failed logon attempts.

Objective: Users can have 5 mistakes before lockout.

9. Account lockout duration

Description: Determines the number of minutes a locked out account remains locked out before automatically becoming unlocked. The range is 1 to 99999 minutes. You can specify that the account will be locked out until an administrator explicitly unlocks it by setting the value to 0.

Tufts Active Directory Account Standard is 30 minutes

Objective: Users will be locked out for 30 minutes.

10. Reset account lockout counter after

Description: Determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0 bad logons. The range is 1 to 99999 minutes.

Tufts Active Directory Account Standard is 15 minutes

Objective: To reset the bad logon counter after a period of time. This prevents occasional logon errors from locking out an account.

11. Automatic Login - Registry edit

Description: The user can set the PC to log in without having to enter a password.

Tufts Active Directory Account Standard is DISABLED

Objective: To prevent unauthorized access to the Tufts Domain.

12. Do not display last user name in logon screen

Description: Determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

Tufts Active Directory Account Standard is ENABLED (the name won't be displayed)

Objective: To ensure security.

13. Disable CTRL+ALT+DEL requirement for logon

Description: Determines whether pressing CTRL+ALT+DEL is required before a user can log on.

Tufts Active Directory Account Standard is DISABLED.

Objective: To ensure security. Not having to press CTRL+ALT+DEL leaves the user susceptible to attacks that attempt to intercept the user's password. Requiring CTRL+ALT+DEL before login ensures that the user is communicating by means of a trusted path when entering their password.

NOTE: This policy is disabled by default on workstations and servers that are joined to a domain.