Group Policy Object

Objectives

  • Enforce password policy including password complexity, password expiration, account lockout.

Enforce Password Policy

I first opened Group Policy Management Console (GPMC), and then I navigated to Default Domain Policy and selected Edit.


The Default Domain Policy is where password policies are set because, when enabled, it applies the settings to all users in the domain.

Within Group Policy Management Editor, I navigated to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

These are my password policy settings:

  • Enforce password history: I set it to 10 to prevent reusing the old password.

  • Maximum password age: I set 60 days before it is required to change the password.

  • Minimum password age: I think 1 day is pretty good.

  • Minimum password length: 8 characters should be the minimum.

  • Password must meet complexity requirements: Enabled, the password should include a mix of uppercase and lowercase letters, numbers, and special characters.

  • Store password using reversible encryption: Disabled because this option allows the password to be decrypted, which poses a security risk.

Configuring Account Lockout Policy

Brute-force attacks are really common, and this policy should be configured to protect against the attacks.

I navigated to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

For these policy settings, I configured:

  • Account lockout duration: An account will be locked for 30 minutes after reaching the lockout threshold.

  • Account lockout threshold: The number of failed login attempts should be 3-5 times before the account is locked out.

  • Reset account lockout counter after: I set 15 minutes after a failed login attempt.

Once finished, I clicked Apply and closed the Editor.

To update the Group Policy settings, I opened PowerShell as administrator and ran the following command: gpupdate /force
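To confirm the domain actually picked up these values after the refresh, the effective policy can be compared against them. The following PowerShell is an added example, not part of the original write-up: the function name Test-DomainPasswordPolicy and the sample object are constructed for illustration, and the property names are those returned by Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module).

```powershell
# Added example: checks a policy object against the settings listed on this page.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)] $Policy)

    # Property names are those returned by Get-ADDefaultDomainPasswordPolicy.
    $checks = [ordered]@{
        PasswordHistoryCount        = { param($v) $v -eq 10 }
        MaxPasswordAge              = { param($v) $v -eq (New-TimeSpan -Days 60) }
        MinPasswordAge              = { param($v) $v -eq (New-TimeSpan -Days 1) }
        MinPasswordLength           = { param($v) $v -ge 8 }
        ComplexityEnabled           = { param($v) $v -eq $true }
        ReversibleEncryptionEnabled = { param($v) $v -eq $false }
        LockoutDuration             = { param($v) $v -eq (New-TimeSpan -Minutes 30) }
        LockoutThreshold            = { param($v) $v -ge 3 -and $v -le 5 }
        LockoutObservationWindow    = { param($v) $v -eq (New-TimeSpan -Minutes 15) }
    }

    foreach ($name in $checks.Keys) {
        $value = $Policy.$name
        $test  = $checks[$name]
        [pscustomobject]@{
            Setting = $name
            Actual  = $value
            Matches = [bool](& $test $value)
        }
    }
}

# Constructed sample: every value matches the page except LockoutThreshold,
# where 0 means accounts are never locked out.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 10
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutThreshold            = 0
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)
}

Test-DomainPasswordPolicy -Policy $sample | Format-Table -AutoSize

# On a domain-joined machine with the ActiveDirectory module installed:
# Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) | Format-Table -AutoSize
```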
