In the Daily Feature entitled “Strengthening user passwords on your Windows NT servers,” I showed you how you can beef up passwords on your network using Passfilt.dll and by increasing the minimum lengths of passwords that users create. If you’re new to Windows NT, you may have looked at the Account Policy screen that I showed you in that article and asked yourself, “Okay, but what about the rest of that stuff?” In this Daily Feature, I’ll explain to you what that stuff is and what it’s used for.

Managing user passwords on NT
Passwords serve as your network’s first line of defense. Chances are you wouldn’t run a network without user IDs and passwords. If you don’t manage user passwords properly, however, you may as well not even have them.

What can you do wrong when managing passwords? Lots of things, including:

  • Creating user accounts with no passwords.
  • Not making users change their passwords.
  • Forcing users to change passwords too often.
  • Allowing users to use the same passwords over and over.
  • Permitting users to create short, easy-to-crack passwords.

Fortunately, Windows NT allows you to avoid all of these problems. All it takes is a trip to the Account Policy section in User Manager For Domains.

Working with User Manager For Domains
To access User Manager For Domains, click Start, select Administrative Tools (Common) from the Programs menu, and click User Manager For Domains. When User Manager For Domains starts, select Account from the Policies menu. You’ll then see the Account Policy screen shown in Figure A.

Figure A
You can change the password settings for your users on the Account Policy screen.

As you can see, the screen is broken down into two major areas: the Password Restrictions area and the Account Lockout area. In addition, there are two check boxes at the bottom of the screen.

Password restrictions
The Password Restrictions area is where you’ll put most of the constraints on the passwords that your users create. In its default form, Windows NT leaves passwords basically unrestricted: Users don’t need passwords; they can reuse passwords; they never need to change a password if they create one.

Settings you can change in this area include:

  • Maximum Password Age.
  • Minimum Password Age.
  • Minimum Password Length.
  • Password Uniqueness.

Let’s look at each of these settings briefly.

Maximum Password Age
This box controls how often users must change their passwords. If you select the Password Never Expires radio button, the user never has to change it. To force passwords to expire, select the Expires In radio button. Then, you can set the amount of time it takes for the password to expire in the Days list box. You can specify a range of one to 999 days.

Experienced network administrators will argue where the sweet spot for expirations is, but the average range is usually around 60 days. If you set this rate too low, then users will be frustrated by having to constantly change their passwords and will rebel. If you set the period too long, it loses its effectiveness.

Minimum Password Age
The Minimum Password Age represents the amount of time users must keep a password before they can change it again. If you leave the Allow Changes Immediately radio button selected, then users can change their passwords as frequently as they like. To force users to keep their passwords for a while, select the Allow Changes In radio button. You can then set the amount of days before they can change the password again in the Days list box. You can specify a range of one to 999 days.

You should probably let users change their passwords as often as they like. Setting this value locks them into a password for a period of time, and they’ll just call you to change it for them. You may want to use this setting if you have a very large number of servers in your domain. If users frequently change their passwords in a large domain, it can cause lots of synchronization traffic between the PDC and all of its BDCs.

Minimum Password Length
The Minimum Password Length setting controls the fewest number of characters needed to create a password. By default, users don’t even have to have passwords. If you select the Permit Blank Password radio box, then they don’t have to enter one. (Don’t do this unless you have an extremely good reason for doing so.) Select the At Least radio button to force a minimum password length. Then, set length in the Characters list box.

You can specify a range of one to 14 characters. Although Windows NT allows you to have more than 14 letters in a single password, Microsoft probably thought that giving network administrators the ability to force passwords to be longer than 14 characters would tempt them to be needlessly sadistic to their users.

As with Maximum Password Age, experienced network administrators disagree as to what the best minimum password length is. Microsoft’s default value is six. The best value is probably in the range of six to eight characters. For more information about minimum password lengths, read the Daily Feature entitled “Strengthening user passwords on your Windows NT servers.”

Password Uniqueness
The Password Uniqueness section allows or prevents users from reusing old passwords. If you select the Do Not Keep Password History radio button, users can keep using the same password over and over, even if you force them to change it. To force them to use different passwords, select the Remember radio button and set a value in the Passwords list box.

You can set a value of one to eight passwords. The default value for the number of passwords to remember is five. Don’t be too extreme with setting this number. Setting a value of one or two won’t increase security very much. Setting a value of seven or eight will just annoy your users.

Account Lockout
By default, the Account Lockout area is disabled. You can tell that by noticing that the No Account Lockout radio box is selected. You can enable account locking by selecting the Account Lockout radio box.

The main reason why you should enable account locking is to prevent hackers or malicious employees from playing “Guess The Password” to crack an account. With account locking disabled, such evildoers can just keep typing password combinations for a user ID until they find one that works. When you enable account locking, after a given number of failed attempts, Windows NT turns the account off, thereby ending the game.

You can set the number of tries a user gets before lockout by changing the value of the Lockout After Bad Logon Attempts list box. The range for retries is one to 999. Windows gives a default value of five. That’s probably a fair value, but I’ve always favored the “three strikes and you’re out” rule.

The Reset Count list box controls the range of time that Windows NT remembers failed attempts from the time of the first failure. For example, if you set the range to five minutes and the number of attempts to three, if users type in three incorrect passwords within five minutes, the account locks them out. If users miss twice within one minute and then wait four minutes and one second for the third attempt and miss again, they aren’t locked out. Windows sets the default reset value to 30 minutes. You can set a range of anywhere from one to 99,999 minutes. Again, don’t go to extremes.

You have two choices when it comes to unlocking accounts, as controlled by the Lockout Duration box. If you select the Forever radio button, the account will remain locked until the user calls you to unlock it. You can select the Duration radio button and provide a value in the Minutes list box to specify a shorter lockout time period.

Windows sets a default lockout time of 30 minutes. You can set a range of one to 99,999 minutes. If you suspect that you have a malicious employee on the network, then you may want to set the lockout to Forever. That way, you’ll be sure to know if something funny is going on with the locked account. You can then warn the user who’s getting locked to watch his or her machine. Otherwise, you may just want to set a timed lockout duration to fire a warning shot across the bow of any wannabe hackers to let them know that you’re aware that they’re trying to get in, while at the same time saving you the trouble of having to go in and fix the user account manually.

Separate checks, please
The last two check boxes on the Account Policy screen are pretty self-explanatory. If you select the top check box, the server will force users off the network if you’ve set specific logon hours for those users and they remained logged on past their allowed time. Be careful with this setting because it may cause users to lose data. With this check box deselected, however, users can stay logged on to the network forever, even if it’s past time for them to be logged off. They can’t log back on during their off hours, but they can remain on indefinitely.

The next check box sounds kind of confusing upon first read. It doesn’t make much sense that users could change their passwords without first logging on, does it? This check box relates to the password-expiration option. If a user tries to log on to the network after the password has expired and this option is deselected, NT will allow the user to provide the old password and then provide a new one. With this option selected, the user is locked out. You’ll have to change the password for him or her. This box can help prevent someone from trying to use accounts with old passwords in order to gain access to your network.

Conclusion
Managing passwords can be the bane of any network administrator’s existence. Windows NT can help you manage passwords and strike a balance between network security and user harmony. In this Daily Feature, I’ve given you a basic overview of Windows NT password management.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.