Our comprehensive checklist offers management guidelines and solutions to many of the problems that routinely occur with Windows user accounts. You can print the list or use it in electronic form; the check boxes will help ensure that no steps are missed. This archived TechRepublic Premium tool is available for free to registered TechRepublic members.

From the checklist: Have a password/security policy
Ideally, before any user accounts are even created in your organization, you will have a password/security policy that mandates the use of complex passwords, requires them to be rotated periodically, and requires them to be kept secure.
This policy should dictate how many failed logins will provoke an account lockout, how long accounts will be locked (or whether they must be manually unlocked), and whether restrictions and requirements will differ between user, administrator, and service accounts.
These policy details can be configured centrally on domain controllers using Group Policy within Active Directory and should be set to apply to the entire domain or all users/system accounts.
You can create a new group policy or edit the Default Domain Policy to add the necessary details for your organization. The password settings are located under Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policy.
For account lockout settings, look under Computer Configuration | Policies | Windows Settings | Security Settings | Account Lockout Policy.
It’s a good idea to set an account lockout duration of 30 minutes and an account lockout threshold of five invalid logon attempts and to reset the account lockout counter after 30 minutes.
You should also mandate that Windows systems be locked with a password (users can press Windows Key + L to lock the screen immediately) with another group policy setting, this time under User Configuration | Policies | Administrative Templates | Control Panel | Personalization. Here you can enable Password Protect The Screen Saver and set a Screen Saver Timeout, which measures idle time on the system and engages the password-protected screen saver after a set number of seconds (900, for instance).
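The following audit script is an added example, not part of the TechRepublic checklist: it reads the domain's effective password and lockout policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet and the registry values written by the two screen saver policies above, then compares them against the checklist's recommended values. It assumes a domain-joined session with the RSAT ActiveDirectory module installed; the baseline numbers are the ones given in the text.

```powershell
# Added example (not from the checklist): audit current settings against the
# values recommended above. Requires the ActiveDirectory RSAT module.

# Target baseline taken from the checklist text.
$Baseline = @{
    LockoutThreshold          = 5    # invalid logon attempts before lockout
    LockoutDurationMinutes    = 30   # account lockout duration
    LockoutObservationMinutes = 30   # reset account lockout counter after
    ScreenSaverTimeoutSeconds = 900  # screen saver timeout
}

function Test-AccountPolicyBaseline {
    Import-Module ActiveDirectory -ErrorAction Stop
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled) { $findings += 'Password complexity is disabled' }
    # A threshold of 0 means accounts are never locked out.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "Lockout threshold is $($p.LockoutThreshold) (want 1..$($Baseline.LockoutThreshold))"
    }
    # A duration of 0 means 'locked until an administrator unlocks it', which the
    # policy may deliberately choose; only a short non-zero duration is flagged.
    $dur = $p.LockoutDuration.TotalMinutes
    if ($dur -ne 0 -and $dur -lt $Baseline.LockoutDurationMinutes) {
        $findings += "Lockout duration is $dur min (want >= $($Baseline.LockoutDurationMinutes))"
    }
    $win = $p.LockoutObservationWindow.TotalMinutes
    if ($win -lt $Baseline.LockoutObservationMinutes) {
        $findings += "Lockout counter reset window is $win min (want >= $($Baseline.LockoutObservationMinutes))"
    }
    return $findings
}

function Test-ScreenSaverLockBaseline {
    # Registry values set by the User Configuration policies named above (REG_SZ).
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($null -eq $v -or "$($v.ScreenSaverIsSecure)" -ne '1') {
        $findings += 'Screen saver is not password protected by policy'
    }
    $timeout = 0
    [void][int]::TryParse("$($v.ScreenSaveTimeOut)", [ref]$timeout)
    if ($timeout -le 0 -or $timeout -gt $Baseline.ScreenSaverTimeoutSeconds) {
        $findings += "Screen saver timeout is $timeout s (want 1..$($Baseline.ScreenSaverTimeoutSeconds))"
    }
    return $findings
}

$all = @(Test-AccountPolicyBaseline) + @(Test-ScreenSaverLockBaseline)
if ($all.Count -eq 0) { 'All checklist settings met.' } else { $all | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on a domain-joined workstation; any line beginning with FINDING points at a Group Policy setting that does not yet match the checklist.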