Questions and Answers
What is a requirement for passwords to meet complexity requirements?
What does the 'Minimum password length' policy enforce?
What happens if 'Account lockout threshold' is set to 0?
What does the 'Account lockout duration' setting control?
Which setting requires users to create unique passwords?
What is the effect of setting the 'Maximum password age' to 0?
What is the purpose of the 'Reset account lockout counter after' setting?
What is the minimum length recommended for strong passwords?
Which of the following is NOT a requirement stated for password policies?
What should be utilized when testing the self-service password reset process?
Which of the following practices helps educate users on password security?
What is an important feature of a strong password policy?
How should user accounts be handled after a specified number of failed login attempts?
Why is two-factor authentication important?
What should users be told regarding sharing passwords?
What is the primary purpose of granular password policies?
Which of the following is a prerequisite for implementing granular password policies?
Who has the permission to set granular password policies in a domain?
What is the maximum number of characters that can be used in the User Principal Name (UPN) before the '@' symbol?
What happens to password policies when a user account is moved to a different Organizational Unit (OU)?
Which of the following can be affected by granular password policies?
What is the total maximum length for a UPN including both parts?
What cannot be renamed, deleted, or moved in the context of granular password policies?
Which attribute is not included in the PSO settings defined in the Default Domain Policy?
What can users do in relation to password policies and security?
Study Notes
Account Lockout Policy Settings
- Control what happens when a user enters incorrect passwords
- Apply to the computer, not the user
- Only the settings in a GPO linked to the domain take effect
Enforce Password History
- Requires users to create unique passwords
- Windows can remember up to 24 old passwords
- Set to a high number to prevent frequent password repetition
Maximum Password Age
- Requires users to change their password after a given time
- A setting of 0 means the password never expires
Minimum Password Age
- Keeps users from changing passwords immediately after resetting them
- Prevents users from circumventing password history by making several password changes in a row to get back to their preferred password
- Value must be less than the maximum age and greater than 0
- A setting of 0 allows the user to reset the password immediately
Minimum Password Length
- Prevents users from using passwords that are too short
- Enforce passwords of eight characters or longer at a minimum
Password Must Meet Complexity Requirements
- Requires a password to contain at least three of the four character types: lowercase letters, uppercase letters, numbers, and special characters (!, @, #, $, %, ^, &, *)
- Prevents the use of dictionary words or any part of the user's login identification
- Requires passwords to be at least six characters long
Store Passwords Using Reversible Encryption
- Equivalent to storing plaintext passwords
- Should be disabled unless a specific application requires access to the plaintext password
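The password settings above interact (minimum age gates a change, history is compared against hashed previous passwords, complexity adds its own length floor below the minimum length setting). The following is an added example, not Microsoft code, that checks a proposed password change against those rules as the notes state them; the policy values, the user name "jsmith", the timestamps and the password history are constructed for illustration.

```python
"""Check a proposed password change against the Group Policy password settings
listed above (history, maximum/minimum age, minimum length, complexity).
Added example, not Microsoft code: the policy values, user name, timestamps
and history below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# The non-alphanumeric characters the notes list as the fourth character type.
SPECIAL_CHARS = set("!@#$%^&*")


@dataclass
class PasswordPolicy:
    history_count: int = 24        # Enforce password history: 0..24 remembered passwords
    max_age_days: int = 90         # Maximum password age: 0 means never expires
    min_age_days: int = 1          # Minimum password age: 0 allows an immediate re-change
    min_length: int = 8            # Minimum password length
    complexity: bool = True        # Password must meet complexity requirements
    reversible_encryption: bool = False  # keep disabled: equivalent to plaintext storage


def password_digest(password: str) -> str:
    """History entries are kept as one-way hashes, never as the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(password: str, username: str) -> list[str]:
    """The three rules the notes attach to the complexity setting: at least six
    characters, three of the four character types, and no part of the login name."""
    problems = []
    if len(password) < 6:
        problems.append("complexity: shorter than six characters")
    types_present = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])
    if types_present < 3:
        problems.append("complexity: fewer than three of the four character types")
    # Compare case-insensitively so 'JSmith1!' is caught as well as 'jsmith1!'.
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("complexity: contains the user's login name")
    return problems


def validate_change(policy: PasswordPolicy, username: str, new_password: str,
                    history: list[str], last_changed: datetime,
                    now: datetime) -> list[str]:
    """Return every policy rule the proposed change violates (empty = allowed)."""
    problems = []
    if policy.min_age_days and now - last_changed < timedelta(days=policy.min_age_days):
        problems.append("minimum password age not yet reached")
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.complexity:
        problems.extend(complexity_violations(new_password, username))
    # Only the most recent history_count digests are remembered.
    remembered = history[-policy.history_count:] if policy.history_count else []
    if password_digest(new_password) in remembered:
        problems.append("matches a remembered previous password")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """Maximum password age: a value of 0 disables expiry entirely."""
    if policy.max_age_days == 0:
        return False
    return now - last_changed >= timedelta(days=policy.max_age_days)


def demo() -> dict:
    """Run the constructed scenario; returns a label -> result mapping."""
    policy = PasswordPolicy()
    now = datetime(2024, 1, 15, 9, 0)                     # constructed timestamps
    history = [password_digest("OldPass#1"), password_digest("OldPass#2")]
    ten_days_ago = now - timedelta(days=10)
    return {
        "reused": validate_change(policy, "jsmith", "OldPass#2", history, ten_days_ago, now),
        "weak": validate_change(policy, "jsmith", "jsmith2024", history, ten_days_ago, now),
        "good": validate_change(policy, "jsmith", "Correct-Horse9", history, ten_days_ago, now),
        "too_soon": validate_change(policy, "jsmith", "Correct-Horse9", history,
                                    now - timedelta(hours=2), now),
        "never_expires": password_expired(PasswordPolicy(max_age_days=0),
                                          now - timedelta(days=400), now),
        "expired": password_expired(policy, now - timedelta(days=90), now),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that `Correct-Horse9` passes even though `-` is not in the special-character list: lowercase, uppercase and a digit already make three of the four types, which is why the notes recommend a separate minimum length rather than relying on complexity alone.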
Account Lockout Duration
- Determines how long (in minutes) the account stays locked out
- Account will be unlocked automatically when the time expires
- A value of 0 means an administrator must unlock the account
Account Lockout Threshold
- Determines the number of attempts a user can make before the account is locked
- A typical setting is 3
Reset Account Lockout Counter After
- Determines the amount of time (in minutes) that must pass before the number of invalid attempts counter resets
- Helps work through potential user concerns
- Gives time to familiarize users with the registration process and workflow
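The three lockout settings only make sense together: the threshold counts invalid attempts inside the reset window, and the duration decides how the account gets out of the locked state again. As an added example (not Microsoft code; the policy values and timestamps are constructed), this simulates one account under those settings, including the two special cases the notes call out: a threshold of 0 never locks, and a duration of 0 waits for an administrator.

```python
"""Simulate the three Account Lockout Policy settings described above on one
account. Added example, not Microsoft code; the policy values and event
timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 3              # Account lockout threshold: 0 = never lock out
    duration_minutes: int = 30      # Account lockout duration: 0 = admin must unlock
    reset_after_minutes: int = 30   # Reset account lockout counter after


@dataclass
class AccountState:
    bad_count: int = 0                       # invalid attempts in the current window
    last_bad_at: Optional[datetime] = None   # the reset window is measured from here
    locked_at: Optional[datetime] = None     # None = not locked


def _auto_unlock(state: AccountState, policy: LockoutPolicy, now: datetime) -> None:
    """Account lockout duration: unlock automatically once it has expired
    (never when the duration is 0)."""
    if state.locked_at is not None and policy.duration_minutes:
        if now - state.locked_at >= timedelta(minutes=policy.duration_minutes):
            state.locked_at = None
            state.bad_count = 0
            state.last_bad_at = None


def is_locked(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    _auto_unlock(state, policy, now)
    return state.locked_at is not None


def attempt_login(state: AccountState, policy: LockoutPolicy, now: datetime,
                  password_correct: bool) -> bool:
    """Apply one logon attempt; returns True only if the logon succeeds."""
    if is_locked(state, policy, now):
        return False                # a locked account is refused even with the right password
    if password_correct:
        state.bad_count = 0         # a successful logon clears the counter
        state.last_bad_at = None
        return True
    # Reset account lockout counter after: once the window since the last
    # invalid attempt has elapsed, counting starts again from zero.
    if (state.last_bad_at is not None
            and now - state.last_bad_at >= timedelta(minutes=policy.reset_after_minutes)):
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad_at = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = now       # a threshold of 0 never reaches this branch
    return False


def admin_unlock(state: AccountState) -> None:
    """What an administrator has to do when the lockout duration is 0."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad_at = None


def demo() -> dict:
    policy = LockoutPolicy()
    t0 = datetime(2024, 1, 15, 9, 0)          # constructed
    s1 = AccountState()
    for m in (0, 1, 2):                       # three bad passwords one minute apart
        attempt_login(s1, policy, t0 + timedelta(minutes=m), False)
    locked_after_three = is_locked(s1, policy, t0 + timedelta(minutes=3))
    refused_while_locked = attempt_login(s1, policy, t0 + timedelta(minutes=5), True)
    accepted_after_expiry = attempt_login(s1, policy, t0 + timedelta(minutes=40), True)
    s2 = AccountState()                       # failures spaced beyond the reset window
    attempt_login(s2, policy, t0, False)
    attempt_login(s2, policy, t0 + timedelta(minutes=31), False)
    attempt_login(s2, policy, t0 + timedelta(minutes=32), False)
    s3, p3 = AccountState(), LockoutPolicy(duration_minutes=0)
    for m in (0, 1, 2):
        attempt_login(s3, p3, t0 + timedelta(minutes=m), False)
    still_locked = is_locked(s3, p3, t0 + timedelta(hours=10))
    admin_unlock(s3)
    s4, p4 = AccountState(), LockoutPolicy(threshold=0)
    for m in range(10):
        attempt_login(s4, p4, t0 + timedelta(minutes=m), False)
    return {
        "locked_after_three": locked_after_three,
        "refused_while_locked": refused_while_locked,
        "accepted_after_expiry": accepted_after_expiry,
        "count_after_window_reset": s2.bad_count,
        "s2_locked": s2.locked_at is not None,
        "still_locked_duration_0": still_locked,
        "unlocked_by_admin": s3.locked_at is None,
        "never_locked_threshold_0": s4.locked_at is None,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The second account (`s2`) shows why the reset window matters for detection as well as usability: three wrong passwords spread over more than the window never reach the threshold, so a slow guessing pattern has to be picked up from the logon failure events themselves rather than from lockouts.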
Organizational Password Strategies
- Educate users on how to create and remember strong passwords
- Enforcing strict password restrictions might weaken network security if users are not educated
- Take the following measures to educate users:
  - Tell users not to write down passwords or share login credentials
  - Teach users how to construct and remember complex passwords
  - Educate users about social engineering tactics
  - Implement two-factor authentication
Organizational Password Policies
- Detail the requirements for an organization's passwords
- May include:
  - The same password should never be used for different systems
  - Accounts should be disabled or locked out after a specified number of failed login attempts
  - Passwords should never contain words, slang, or acronyms
  - Users should be required to change their passwords within a certain time frame
  - A strong password policy should be enforced; passwords should:
    - Contain multiple character types
    - Have a minimum length of eight characters or more
    - Use no part of a username or email address
Security Options
- One of the policy groups included within Group Policies
Granular Password Policies
- Create password policies for users and global groups separately from the password policy applied to the entire domain
- For example: require an eight-character password for regular users and use granular password policies to require administrators to use 14-character passwords
- Generally, it is best to use account policies to enforce a domain-wide password policy and then use granular password policies for groups of users with more restrictive password policy needs
- Facts about granular password policies:
  - The domain must be running at the Windows Server 2008 domain functional level or higher
  - Password policies affect only user account passwords, not computer account passwords
  - Only members of the Domain Admins group can set granular password policies, but the permission can be delegated
  - Granular password policies are saved as a Password Settings Object (PSO) in the Password Settings Container (PSC)
  - There is one default PSC. It cannot be renamed, deleted, or moved.
  - You can create additional PSCs, but they will not take effect
  - The PSC holds one or more PSOs. You can define multiple PSOs with unique password policy settings
  - PSOs have attributes for all the settings defined in the Default Domain Policy except Kerberos settings
  - Policies can be applied to user accounts or global security groups
  - You can apply each granular policy to multiple users and/or groups
  - Granular password policies affect only users within the current domain
  - Policies cannot be applied to OUs or to other group types; those are excluded
  - When you move a user account to a different OU, remember to also change its group membership so that the granular password policy no longer applies
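Because a PSO follows a user account or a global group rather than an OU, the policy that actually governs an account has to be resolved from its links and memberships. The block below is an added example, not the ActiveDirectory PowerShell module, that models the facts listed above (user and global-group links only, no effect on computer accounts, domain policy as fallback) with constructed names; it goes one step beyond the notes by also modelling how Windows chooses when several PSOs apply to one user: a directly linked PSO beats one inherited through a group, and among those the lowest precedence number wins.

```python
"""Resolve which password settings govern an account, following the facts
listed above. Added example, not the ActiveDirectory PowerShell module;
every name below is constructed. The winner-selection rule (direct link beats
group link, then lowest precedence) is Windows behaviour not stated in the notes."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordSettings:
    name: str
    min_length: int
    max_age_days: int
    lockout_threshold: int


@dataclass
class Group:
    name: str
    scope: str                      # "global", "universal" or "domainlocal"


@dataclass
class PSO:
    settings: PasswordSettings
    precedence: int                                  # msDS-PasswordSettingsPrecedence
    users: set = field(default_factory=set)          # directly linked accounts
    groups: set = field(default_factory=set)         # linked global security groups


@dataclass
class Account:
    name: str
    kind: str                       # "user" or "computer"
    member_of: set = field(default_factory=set)


def link_pso(pso: PSO, subject) -> None:
    """Mirror the rule that a PSO can only be applied to users or global groups."""
    if isinstance(subject, Account):
        if subject.kind != "user":
            raise ValueError(f"{subject.name}: PSOs apply to user accounts only")
        pso.users.add(subject.name)
    elif isinstance(subject, Group):
        if subject.scope != "global":
            raise ValueError(f"{subject.name}: only global security groups can be linked")
        pso.groups.add(subject.name)
    else:
        raise TypeError("subject must be an Account or a Group")


def resultant_policy(account: Account, psos: list, domain_policy: PasswordSettings) -> PasswordSettings:
    """Effective settings for one account. Ties on precedence are broken in AD by
    object GUID; that tie-break is not modelled here."""
    if account.kind != "user":
        return domain_policy        # computer accounts always get the domain policy
    direct = [p for p in psos if account.name in p.users]
    if direct:
        return min(direct, key=lambda p: p.precedence).settings
    inherited = [p for p in psos if p.groups & account.member_of]
    if inherited:
        return min(inherited, key=lambda p: p.precedence).settings
    return domain_policy


def demo() -> dict:
    """The notes' own scenario: 8 characters domain-wide, 14 for administrators."""
    domain = PasswordSettings("Default Domain Policy", 8, 90, 3)
    admins = PasswordSettings("PSO-Admins", 14, 60, 3)
    service = PasswordSettings("PSO-ServiceAccounts", 32, 0, 0)
    tier0 = Group("Tier0-Admins", "global")
    pso_admins, pso_service = PSO(admins, precedence=10), PSO(service, precedence=20)
    link_pso(pso_admins, tier0)
    alice = Account("alice", "user", {"Tier0-Admins"})
    bob = Account("bob", "user")
    carol = Account("carol", "user", {"Tier0-Admins"})
    link_pso(pso_service, carol)    # direct link outranks the group link despite precedence 20
    srv = Account("SRV01$", "computer")
    psos = [pso_admins, pso_service]
    try:
        link_pso(pso_admins, Group("Helpdesk", "domainlocal"))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "alice": resultant_policy(alice, psos, domain).name,
        "bob": resultant_policy(bob, psos, domain).name,
        "carol": resultant_policy(carol, psos, domain).name,
        "computer": resultant_policy(srv, psos, domain).name,
        "domainlocal_rejected": rejected,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

`carol` is the case worth checking after any OU or group change: she is in the administrators' group, but the directly linked service-account PSO is what applies, so auditing group membership alone would give the wrong answer.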
Azure Username and Password Policies
- Users have a User Principal Name (UPN) and password associated with their account
- UPN length constraints:
  - Up to 64 characters can be entered before the "@" symbol
  - Up to 48 characters can be entered after the "@" symbol
  - Up to 113 characters can be entered in total
- Allowed characters in a UPN: a-z, A-Z, 0-9, . ' _ - # ! ~ ^
- Characters not allowed in a UPN:
  - An "@" symbol cannot immediately precede the "." character
  - The "@" sign can only be used once, to separate the username and the domain
- Allowed characters in an Azure AD password: a-z, A-Z, blank space, 0-9, @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >
- Password restrictions in Azure AD:
  - Unicode characters cannot be used
  - Passwords must use at least three of the following: symbols, numbers, uppercase letters, and lowercase letters
  - A minimum of eight characters is required
  - A maximum of 256 characters can be used
  - Azure AD provides a global banned password list. An administrator cannot edit the default list but can add up to 100 banned words to a custom banned password list
- Default policies that apply to Azure AD passwords:
  - The maximum password age is 90 days
  - Users are notified of this expiration 14 days before the password expires
  - The user cannot reuse the last password when changing or resetting their password
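The UPN and password constraints above are concrete enough to check mechanically, which is useful when bulk-creating accounts or testing a provisioning pipeline before it talks to the tenant. The validator below is an added example, not Microsoft code: the three-entry "global" banned list is a constructed stand-in for Microsoft's real list, treating a blank space as a symbol is an assumption, and the normalisation used for the banned-word match (lower-casing plus a few look-alike substitutions) is a simplification of what Azure AD Password Protection does.

```python
"""Validate a UPN and an Azure AD password against the constraints listed above.
Added example, not Microsoft code. SAMPLE_GLOBAL_BANNED is a constructed
stand-in for the real global list; the look-alike normalisation is simplified."""
import string

UPN_PREFIX_CHARS = set(string.ascii_letters + string.digits + ".'_-#!~^")
UPN_MAX_PREFIX, UPN_MAX_SUFFIX, UPN_MAX_TOTAL = 64, 48, 113

PASSWORD_SYMBOLS = "@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>"
PASSWORD_CHARS = set(string.ascii_letters + string.digits + " " + PASSWORD_SYMBOLS)
PASSWORD_MIN, PASSWORD_MAX = 8, 256
CUSTOM_LIST_LIMIT = 100

SAMPLE_GLOBAL_BANNED = ("password", "qwerty", "welcome")   # constructed, not Microsoft's list
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "@": "a", "$": "s"})


def validate_upn(upn: str) -> list[str]:
    """Return the UPN rules the value breaks (empty list = acceptable)."""
    if upn.count("@") != 1:
        return ['"@" must appear exactly once, separating the username from the domain']
    prefix, suffix = upn.split("@")
    problems = []
    if not prefix or not suffix:
        problems.append("username and domain must both be present")
    if suffix.startswith("."):
        problems.append('"@" cannot immediately precede "."')
    bad = sorted({c for c in prefix if c not in UPN_PREFIX_CHARS})
    if bad:
        problems.append(f'disallowed characters before "@": {bad}')
    if len(prefix) > UPN_MAX_PREFIX:
        problems.append(f'more than {UPN_MAX_PREFIX} characters before "@"')
    if len(suffix) > UPN_MAX_SUFFIX:
        problems.append(f'more than {UPN_MAX_SUFFIX} characters after "@"')
    if len(upn) > UPN_MAX_TOTAL:
        problems.append(f"more than {UPN_MAX_TOTAL} characters in total")
    return problems


def _normalise(text: str) -> str:
    """Lower-case and fold a few common look-alikes so P@ssw0rd matches 'password'."""
    return text.lower().translate(LOOKALIKES)


def validate_azure_password(password: str, custom_banned=()) -> list[str]:
    """Return the password rules the value breaks (empty list = acceptable)."""
    if len(custom_banned) > CUSTOM_LIST_LIMIT:
        raise ValueError(f"custom banned list is limited to {CUSTOM_LIST_LIMIT} terms")
    problems = []
    if any(ord(c) > 127 for c in password):
        problems.append("Unicode characters are not allowed")
    bad = sorted({c for c in password if ord(c) <= 127 and c not in PASSWORD_CHARS})
    if bad:
        problems.append(f"disallowed characters: {bad}")
    if len(password) < PASSWORD_MIN:
        problems.append(f"fewer than {PASSWORD_MIN} characters")
    if len(password) > PASSWORD_MAX:
        problems.append(f"more than {PASSWORD_MAX} characters")
    types_present = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in PASSWORD_SYMBOLS or c == " " for c in password),   # space as symbol: assumption
    ])
    if types_present < 3:
        problems.append("fewer than three of: symbols, numbers, uppercase, lowercase")
    norm = _normalise(password)
    for term in tuple(SAMPLE_GLOBAL_BANNED) + tuple(custom_banned):
        if _normalise(term) in norm:
            problems.append(f"contains banned term '{term}'")
    return problems


if __name__ == "__main__":
    for upn in ("alice.smith@contoso.com", "alice@.contoso.com", "ali ce@contoso.com"):
        print(upn, validate_upn(upn))
    for pw in ("Winter2024!", "P@ssw0rd123", "abc", "Contoso2024!"):
        print(pw, validate_azure_password(pw, custom_banned=["contoso"]))
```

The banned-list check is the part most worth mirroring in your own pre-checks: "P@ssw0rd123" satisfies length and all four character types, and only the normalised comparison against the list rejects it, which is exactly why the notes treat the banned list as a separate control from complexity.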
Azure Self-Service Password Reset
- Option for users to reset their passwords if they forget them or are locked out of their account
- SSPR can be enabled for none, all, or selected users
- Users can click the "Contact your administrator" link for help. Administrators can customize this link with their help desk email address or URL
- By default, regular users are required to use one authentication method, and admin accounts are required to use two authentication methods for password resets
- Before a user can unlock or reset, they need to register their contact information with Azure AD
- Best practices:
  - If using SSPR for the first time, start with a small group of users before expanding to the full organization
Description
This quiz covers important aspects of account lockout policy settings, including password history enforcement, maximum and minimum password ages, and length requirements. Understand how these policies help maintain security by managing user access and password integrity.