Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003

Combined with the ‘PasswordComplexity’ and ‘MaximumPasswordAge’ settings, these settings ensure the password is strong and resilient to attack.

4.3.1.5 Password must meet complexity requirements

PasswordComplexity = 1

The ‘PasswordComplexity’ switch defines password complexity requirements. The setting ‘1’ requires the user to enter a password that meets the criteria below.

The password contains characters from three of the following four categories:

• Upper case characters (A-Z)
• Lower case characters (a-z)
• Base 10 digits (0-9)
• Non-alphanumeric characters (! @ # $ % ^ &)

This setting helps thwart brute-force attacks.

4.3.1.6 Store password using reversible encryption

ClearTextPassword = 0

The ‘ClearTextPassword’ keyword determines whether the system stores passwords using reversible encryption. The setting ‘0’ disables reversible encryption.

NOTE: Never enable this option unless operational considerations outweigh the need to protect password information.

4.3.2 Account Lockout Policy

4.3.2.1 Account Lockout Duration

LockoutDuration = 15

‘LockoutDuration’ defines the length of time (in minutes) that an account is disabled after lockout. The setting ‘15’ disables the user’s account for 15 minutes. This value needs to be synchronized with ‘ResetLockoutCounter’ so the user can log on once the ‘LockoutDuration’ has expired.

4.3.2.2 Account lockout threshold

LockoutBadCount = 10

‘LockoutBadCount’ defines the number of failed logons allowed before the account is locked. The setting ‘10’ locks the user’s account after 10 consecutive failed logon attempts. The setting prevents extended password guessing attacks.
46 March 2004 Server Policy Files