While working on a desktop/server hardening engagement, I came across the following useful Local Security Policy settings related to password policy. Here I have tried to tabulate the password-related settings, with the weakness each one addresses, the recommended value and the operational impact of the setting. There are many more security settings that can be configured centrally through GPO or manually on each machine.
| Setting | Vulnerability | Countermeasure | Impact |
|---|---|---|---|
| Enforce password history | Reuse of old passwords increases the chance of a successful brute-force attack | Remember the last 24 passwords | 1. Users must create a unique password every time. 2. Users may write passwords down. 3. Users may choose incremental passwords. |
| Maximum password age | The longer a password stays unchanged, the more time an attacker has to brute-force it | Set the maximum password age to 90 days (range 0-999) | If set too low, users must change passwords frequently and will try to remember them by writing them down somewhere. If set too high, an attacker gets a larger time frame to crack the password or to use a compromised account. |
| Minimum password age | Without it, users can cycle through changes immediately and return to an old favourite password; in conjunction with Enforce password history this setting prevents that | Recommended = 2 (days) | If set to 0, an immediate password change is allowed, which makes the Enforce password history setting ineffective. If set to 0 and an administrator sets a password for a user and wants it changed at first logon, the administrator must tick the "User must change password at next logon" check box. |
| Minimum password length | Susceptible to dictionary attacks and brute-force attacks | Recommended >= 8; complex passwords combining alphanumeric characters (both upper and lower case) and special characters | Extremely long passwords: 1. Users will write them down somewhere. 2. Mistyped passwords could cause account lockout. Short passwords: easily cracked with tools. |
| Password complexity | | Recommended = Enabled | Additional helpdesk calls if users are not used to non-alphabetic characters; unhappy users; an extremely busy help desk. |
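To check a machine against the recommended values in the table, the following PowerShell script (an added example, not part of the original post) exports the local security policy with `secedit /export` and compares the password keys in the `[System Access]` section with the table's thresholds. It assumes an elevated session, since `secedit` needs administrative rights; the key names are the ones `secedit` writes to its .inf export.

```powershell
# Added example: audit the local password policy against the table above.
# Run in an elevated PowerShell session; secedit.exe requires administrative rights.
# Expected values taken from the table: history 24, max age 90 days, min age 2 days,
# min length 8, complexity enabled (1). In the .inf export, MaximumPasswordAge = -1
# means "password never expires", which the check below flags for review.
$Expected = [ordered]@{
    PasswordHistorySize   = @{ Test = { $args[0] -ge 24 };                     Want = '>= 24 passwords remembered' }
    MaximumPasswordAge    = @{ Test = { $args[0] -ge 1 -and $args[0] -le 90 }; Want = '1-90 days (-1 = never expires)' }
    MinimumPasswordAge    = @{ Test = { $args[0] -ge 2 };                      Want = '>= 2 days' }
    MinimumPasswordLength = @{ Test = { $args[0] -ge 8 };                      Want = '>= 8 characters' }
    PasswordComplexity    = @{ Test = { $args[0] -eq 1 };                      Want = '1 (enabled)' }
}

function Get-LocalPasswordPolicy {
    # Export only the security policy area to a temporary .inf and parse [System Access].
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $inSection = $false
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    foreach ($key in $Expected.Keys) {
        $actual = $Policy[$key]
        $check  = $Expected[$key].Test
        # A missing key is treated as a failure so that it is never silently skipped.
        $ok = ($null -ne $actual) -and (& $check $actual)
        [pscustomobject]@{
            Setting = $key
            Actual  = $actual
            Want    = $Expected[$key].Want
            Status  = if ($ok) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy) | Format-Table -AutoSize
```

Any row marked REVIEW is a setting that deviates from the table; on a domain-joined machine the effective values come from the domain GPO, so compare against that policy rather than the local one.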