
Windows 7 password does not expire.

Are you a network administrator and want to set password expiration dates for all user accounts? This will be easy to do in the new Windows 10 OS.

As you know, the operating system lets you use either a local account or a Microsoft account. A local account does not give access to some system features; a Microsoft account provides full access to them.

In the second case you will also always be required to enter a password when logging in. If you don't like this state of affairs, you can also use .

Not many users know that Windows has long been able to set a password validity period and force the user to set a new password after it expires. This is primarily a security concern for the administrator.

With the Local Users and Groups Manager, this is easy to do. Remember that this feature is only available in the Professional version of the operating system. It is not available in the Home Edition.

If you are interested in this issue, then let's proceed with the implementation. And don't forget, you must have administrator rights on the computer.

PASSWORD EXPIRY

Let's start with the Run utility, which is launched using the Win + R keys on the keyboard. After launching it, in the “Open” field, enter the following file name:

Lusrmgr.msc

and press the OK button or the Enter key.

In the left part of the window, select the “Users” folder, and in the right part, find the name of the account for which you want to enable the feature. Then double-click it.

In the next profile properties window, go to the “General” tab, uncheck “Password never expires” and click the “Apply” and “OK” buttons in turn.

This completes the procedure. The 30-day countdown will begin. After this period has elapsed, you will not be able to log into your account without setting a new password. It is a reliable tool that network administrators use to force everyone in a domain to stay secure.


Here you will find several policies. Their number may vary depending on the version of the operating system. I will introduce you to 6 Windows password policies that are available in the Windows 7 operating system.

Windows password policies

  1. Keep a password log. The very first policy allows you to configure the number of passwords that will be stored in the computer's memory. This is necessary so that the user does not use the same password several times. The password log can store from 0 to 24 passwords. And purely theoretically, the user can set the same password only after a few years. The following policy can help him in this.
  2. Maximum password age. The essence of this policy needs little explanation. By default, this parameter requires passwords to be changed every 42 days. There is no need to worry: the system automatically warns users that the password must be changed. Warnings are issued for 7 days.
  3. Minimum password length. The name of this policy also very clearly describes the purpose of the policy itself: here you need to set the minimum number of characters that should be in the password. To understand the importance of this policy, you should read the article Password brute force time.
  4. Minimum password age. The use of this policy is justified only in conjunction with the first policy. This policy will prevent particularly smart "hackers" from scrolling through the password history in a few minutes and resetting their old password.
  5. Password must meet complexity requirements. The fifth password policy lets you impose several restrictions on passwords with a single setting:
    • The password will not contain the account name or parts of the user's full name longer than two adjacent characters.
    • Passwords will need to have a minimum length of 6 characters.
    • Contain 3 of the 4 categories of characters listed below.
      • Latin capital letters (A to Z)
      • Latin lower case letters (a to z)
      • Numbers (0 to 9)
      • Characters other than letters and numbers (e.g. !, $, #, %)
  6. Store passwords using reversible encryption. You should only enable this policy for compatibility with older applications. If you do not have a need for this, then I urge you not to enable this policy, as this will adversely affect the security of your computer.

Configuring password selection policies for individual users

All of the above Windows password policies affect every user of this computer. But in addition to the above configuration methods, there is another tool that lets you set password restrictions for individual users or groups of Windows users: the Computer Management snap-in. If you open this tool, go to the Local Users and Groups node, and then open the Properties of any group or user, you can select the following options:

  • Prevent user from changing password. This option is especially useful for shared credentials. In other words, if several people use the same account, the whole arrangement breaks down as soon as one of them changes the password. To avoid that, enable this item.
  • Password expiration is unlimited. What this item does is, I think, clear to everyone. It is especially favored by administrators who care deeply about corporate policy.

These are the ways you can configure password policies in the Windows operating system.

Maximum password age

The "Maximum password age" policy determines how long users can use passwords before they must be changed. The purpose of this policy is to periodically force users to change their passwords. When using this feature, set the value that is most appropriate for your network. As a general rule, the shorter the period, the higher the security level, and vice versa.

The default password expiration is 42 days, but you can set it to any value between 0 and 999. A value of 0 means that the password never expires. Although you might want to set a non-expiring password, users should change their password regularly to maintain network security. If security requirements are high, 30, 60, or 90 days is fine. If security is not very important, then 120, 150, or 180 days will do.

Note
Windows 2000 notifies users when their password is about to expire. If there is less than 30 days left before the password expires, users will see a warning every time they log in that they must change their password within a certain period of time.

Minimum password age

The "Minimum password age" policy determines how long users must retain their password before they can change it. You can use this field to prevent users from cheating the password system by entering a new password and then replacing it with the old one.

Windows 2000, by default, allows users to change passwords immediately. To prevent this, set a certain minimum time limit. Acceptable values for this parameter are in the range of three to seven days. This makes users less likely to fall back on old passwords, while still letting them change a password within a reasonable time if they wish.

Minimum password length

The "Minimum password length" policy sets the minimum number of characters for a password. If you have not changed the default settings, you will have to do so very soon. By default, blank passwords (passwords with no characters) are allowed, which is definitely not the right approach.

As a general rule, for security reasons, you will need passwords of at least eight characters. The reason for this is that long passwords are usually harder to crack than short ones. If you need to provide more serious security, set the minimum password length to 14 characters.

Password must meet complexity requirements

In addition to the basic policies for managing passwords and accounts, Windows 2000 includes tools for creating additional password controls. These capabilities are available in password filters that can be installed on a domain controller. If you set up a password filter, enable the "Password must meet complexity requirements" policy. In this case, all passwords will have to meet the security requirements of the filter.

For example, the standard Windows NT filter (PASSFILT.DLL) requires the use of secure passwords that comply with the following guidelines:

  • Passwords must be at least six characters long.
  • The password must not contain the username, such as "stevew", or parts of his full name, such as Steve.
  • Passwords must use three of the four available character types: lowercase letters, uppercase letters, numbers, and special characters.

Store passwords using reversible encryption

The passwords stored in the password database are encrypted. In general, this encryption cannot be reversed. If you want to allow it to be reversed, apply the "Store passwords of all users in the domain using reversible encryption" policy. Passwords will then be stored using reversible encryption and can be recovered in an emergency. A forgotten password is not such an emergency: any administrator can change a user's password.

When creating Windows 10, Microsoft developers paid a lot of attention to system security: consider Windows Hello biometric authentication or the improved Windows Defender. But today I want to talk about a lesser-known feature that forces Windows 10 users to change their passwords periodically. In principle, a password can be changed at any time, but extra discipline when it comes to security has never hurt anyone.

There are three ways to do this, depending on which version of Windows 10 you have installed and whether you use a Microsoft account. For example, if you have Windows 10 Pro, Enterprise or Education, you can use the Local Group Policy Editor.

The first step is to open gpedit.msc (press Win + R and type gpedit.msc) and go to the following path: Windows Settings → Security Settings → Account Policies → Password Policy

In the window that opens, select the "Maximum password age" parameter and specify the period after which the system will ask you to change the password. A value of 72 days is considered something of a standard, but you can choose the number of days at your discretion.

Also in the “Password Policy” item, you can select the minimum password length, the minimum period of its validity, and also activate the password archive (so that users cannot specify the one that has already been used as a new password).

But in Windows 10 Home, there is no local group policy editor, so the owner of this version of the operating system will have to use the command line.

First of all, open the command line with administrator rights (this is a prerequisite), and then enter the command "wmic UserAccount set PasswordExpires=True". After updating the properties, enter another command: "net accounts /maxpwage:72". Instead of 72, you can substitute the number of days you need.

If you want to set password expiration only for a specific account on your computer, you can use the command "wmic UserAccount where Name='Username' set PasswordExpires=True".

But if you are using a Microsoft account, these two methods will not work for you. True, you can still enable this option. To do this, you need to log into your account on the Microsoft website, find the “Change password” item there and check the box next to “Change password every 72 days”.

In this case, the changes will affect not only the password to your Windows 10 account, but also OneDrive, Outlook.com, Skype and other services.

By the way, this guide is also suitable for Windows 7, Windows 8 and Windows 8.1.

In the previous part of the Local Security Policies article, you learned how to use local security policies to manage security-related settings both for your home computer and for computers in your organization's domain environment. Starting with this article, all categories of policies related to the security of your computers will be discussed in detail. In this article, you will learn about managing user account authentication, specifically the "Account Policies" node. These policies are common in enterprises with a domain environment. Applying the policies of this group on computers that are not part of a domain (for example, on your home computer) will also significantly increase their security.

Without a doubt, corporate accounts are of great interest to hackers, who may want to steal corporate information or gain access to your company's computers. Therefore, one of the measures that can significantly secure an enterprise's infrastructure is the use of complex passwords, which reduces the chance of intruders getting in. Also, do not forget that attackers can be much closer than you imagine. I highly recommend forcing users to use complex passwords for their accounts, including mixed-case letters, numbers, and special characters, and never to leave their passwords in plain sight. By that I mean they should not write them down on paper and keep them at the workplace next to the computer, and even less stick them on their monitors (which happens quite often). Users should also be required to change their passwords after a period that you set. For example, if you specify a password expiration of 30 days, then once it has expired a dialog requiring a change of the current password is displayed before the user logs in.

To find the policies for account management, in the Group Policy Management Editor, open the Computer Configuration\Security Settings\Account Policies. Let's take a closer look at each security policy that is used to manage passwords and lock out user accounts.

Password policy

Using this node, you can change the password settings for user accounts that are members of both domains and workgroups. In organizations, you can enforce the same password policies for all users in a domain, or only for specific groups, using the Group Policy Management Console. The "Password Policy" node offers up to six security policies, with which you can specify the most important security settings used to manage account passwords. I strongly recommend that you do not ignore these policies. Even if you persuade your users to use complex passwords, it is not certain that they will actually do so. If you correctly configure all six security policies located in this node, the password security of your organization's users will be significantly improved. With all the policies in place, users will actually have to create secure passwords, as opposed to what they themselves consider "difficult". The following security policies are available:

Fig. 1. "Password Policy" node

Keep a password log. No matter how secure your password is, an attacker will sooner or later be able to guess it. Therefore, account passwords should be changed periodically. With this policy, you can specify the number of new passwords that must be assigned to an account before an old password can be reused. After this policy is configured, the domain controller checks the stored hashes of users' previous passwords so that users cannot use an old password as the new one. The number of passwords can vary from 0 to 24. That is, if you specify 24 as the parameter, the user will be able to reuse the old password from the 25th time.

Maximum password age. This policy specifies how long a user can use a password before having to change it. At the end of the set period, the user is obliged to change the password, since it will not be possible to log into the system without doing so. Available values can be set between 0 and 999 days. If set to 0, the password does not expire. For security reasons, it is best to avoid this choice. If the maximum password age ranges from 1 to 999 days, the minimum age value must be less than the maximum. It is best to use values between 30 and 45 days.

Minimum password length. With this policy, you can specify the minimum number of characters that a password must contain. If you enable this setting, then when you enter a new password, the number of characters will be compared with the one set in this policy. If the number of characters is less than the specified one, you will have to change the password in accordance with the security policy. You can specify a policy value from 1 to 14 characters. The optimal value for the number of characters for the password of users is 8, and for servers from 10 to 12.

Minimum password age. Many users will not want to bother remembering a new complex password and may cycle through as many new passwords as it takes to get back to their familiar original password. This security policy exists to prevent such actions. You can specify a minimum number of days that a user must use a new password. Available values for this policy range from 0 to 998 days. If the value is set to 0 days, the user can change the password immediately after creating a new one. Please note that the minimum validity period of the new password must not exceed the value of the maximum validity period.

Password must meet complexity requirements. This is one of the most important password policies and is responsible for whether the password must meet complexity requirements when creating or changing a password. Due to these requirements, passwords must:

  • contain upper and lower case letters at the same time;
  • contain numbers from 0 to 9;
  • contain characters that are different from letters and numbers (for example, !, @, #, $, *);
  • not contain the user account name or parts of the user's full name that are longer than two consecutive characters.

If the user has created or changed a password that meets the requirements, the password is passed through a mathematical algorithm (a one-way function) that converts it into a hash code, as mentioned under the "Keep a password log" policy.
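The complexity rule as this page states it (at least 6 characters, 3 of the 4 character categories, no account name or name part longer than two characters) can be expressed as a short checker. This is an added example, not part of the original articles and not Microsoft's filter code; the function names, the surname in the sample full name, and the way the full name is split into parts are assumptions of the example.

```python
import re
import string

MIN_LENGTH = 6            # page: "minimum length of 6 characters"
REQUIRED_CATEGORIES = 3   # page: "3 of the 4 categories"


def character_categories(password):
    """Return which of the four listed character categories are present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalnum():
            found.add("symbol")
    return found


def name_fragments(account_name, full_name):
    """Account name plus the parts of the full name, lower-cased.

    Assumption of this example: the full name is split on whitespace and
    common punctuation, and parts of one or two characters are ignored.
    """
    parts = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    return [p.lower() for p in parts if len(p) > 2]


def check_complexity(password, account_name, full_name=""):
    """Return the violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        violations.append("too_few_categories")
    lowered = password.lower()  # the name comparison ignores case
    if any(frag in lowered for frag in name_fragments(account_name, full_name)):
        violations.append("contains_name")
    return violations


if __name__ == "__main__":
    # Constructed candidates for the account "stevew"; the surname is made up.
    for candidate in ["Stevew2024!", "password", "Ab1!", "Tr4ctor-Blue"]:
        print(candidate, check_complexity(candidate, "stevew", "Steve Williams"))
```
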

Store passwords using reversible encryption. To prevent passwords from being intercepted by applications, Active Directory stores only a hash code. However, if you need to support applications that use protocols that require knowledge of the user's password for authentication, you can use the current policy. Reversible encryption is disabled by default, because using this policy greatly reduces the level of security for passwords and the entire domain in particular. Using this feature is similar to storing a password in plain text.

Account Lockout Policy

Even after you create a complex password and properly set up security policies, your user accounts can still be attacked. For example, if you set a minimum password age of 20 days, a hacker has enough time to guess the password for an account. Knowing the account name is not a problem for hackers, since user account names are often the same as the name in the mailbox address. And if the name is known, then it will take some two to three weeks to guess the password.

Windows security group policies can counter such actions using the set of policies in the "Account Lockout Policy" node. With this set of policies, you can limit the number of incorrect user login attempts. Of course, this can be a problem for your users, since not everyone will manage to enter a password within the specified number of attempts, but it will take account security to a “new level”. There are only three policies available for this node, which are discussed below.

Fig. 2. "Account Lockout Policy"

Time to reset blocking counters. Active Directory and Group Policy allow you to automatically unlock an account that has had more login attempts than the threshold you set. This policy sets the number of minutes that must elapse after a failed attempt before the automatic unlock. You can set the value from one minute to 99999. This value must be less than the policy value.

Block Threshold. Using this policy, you can specify the number of invalid login attempts before the account is locked out. The end of the account lockout period is set by the "Account Lockout Duration" policy, or the administrator can unlock the account manually. The number of failed login attempts can range from 0 to 999. I recommend setting the allowed number between three and seven attempts.

Account lockout duration. With this setting, you can specify the amount of time an account will be locked out before it is automatically unlocked. You can set the value from 0 to 99999 minutes. If this policy is set to 0, the account will be locked out until the administrator manually unlocks it.
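To compare a machine with the password and lockout settings described above, the output of the "net accounts" command used earlier on this page can be parsed and audited. This is an added example, not code from the original articles; the sample output is constructed and modeled on English-language Windows, the function names are the example's own, and the window-versus-duration check reflects Windows' documented constraint rather than a statement on this page.

```python
import re

# Constructed sample, modeled on English-locale `net accounts` output.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              6
Length of password history maintained:                5
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

LABELS = {
    "Minimum password age (days)": "min_age",
    "Maximum password age (days)": "max_age",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
}


def parse_net_accounts(text):
    """Map each known label to an int; Never/None/Unlimited become 0."""
    policy = {}
    for line in text.splitlines():
        match = re.match(r"^(.+?):\s+(\S+)\s*$", line)
        if match and match.group(1) in LABELS:
            value = match.group(2)
            policy[LABELS[match.group(1)]] = int(value) if value.isdigit() else 0
    missing = sorted(set(LABELS.values()) - set(policy))
    if missing:
        raise ValueError(f"labels not found (localized output?): {missing}")
    return policy


def audit(policy):
    """Return (setting, reason) pairs for values the article advises against."""
    findings = []
    if policy["max_age"] == 0:
        findings.append(("max_age", "passwords never expire"))
    elif policy["min_age"] >= policy["max_age"]:
        findings.append(("min_age", "must be less than the maximum age"))
    if policy["min_length"] < 8:
        findings.append(("min_length", "shorter than 8 characters"))
    if policy["history"] == 0:
        findings.append(("history", "an old password can be reused at once"))
    elif policy["min_age"] == 0:
        findings.append(("min_age", "history can be cycled through in minutes"))
    if policy["lockout_threshold"] == 0:
        findings.append(("lockout_threshold", "accounts are never locked out"))
    else:
        if not 3 <= policy["lockout_threshold"] <= 7:
            findings.append(("lockout_threshold", "outside 3 to 7 attempts"))
        # A duration of 0 means "until an administrator unlocks"; skip it.
        if 0 < policy["lockout_duration"] < policy["lockout_window"]:
            findings.append(("lockout_window", "longer than lockout duration"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit(parse_net_accounts(SAMPLE_OUTPUT)):
        print(f"{setting}: {reason}")
```

On a localized Windows installation the labels differ, so the parser raises an error instead of silently reporting an empty policy.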

Kerberos policy

Active Directory domains use the Kerberos protocol to authenticate domain user and computer accounts. Immediately after a user or computer is authenticated, this protocol authenticates the specified details, and then issues a special data packet called "Ticket Granting Ticket (TGT)". Before a user connects to the server to request a document, the request is sent to the domain controller along with a TGT that identifies the user authenticated by Kerberos. The domain controller then sends another packet of data to the user, called a service access ticket. The user presents an access ticket to a service on the server, which accepts it as proof of authentication.

You can only find this node on domain controllers. The following five security policies are available:

Fig. 3. Kerberos Policy

Maximum computer clock synchronization error. To prevent "replay attacks", this security policy defines the maximum time difference that Kerberos will allow between the client's clock and the domain controller's clock for authentication to succeed. If this policy is set, both clocks must be set to the same date and time. A time stamp used on both computers is considered genuine if the difference between the clocks of the client computer and the domain controller is less than the maximum time difference defined by this policy.

Maximum user ticket lifetime. With this policy, you can specify the maximum amount of time that a ticket-granting ticket (TGT) can be used. When a TGT expires, you must renew the existing ticket or request a new one.

Service ticket maximum lifetime. With this security policy, you can define the maximum number of minutes that a session ticket may be used to access a particular service. The server returns an error message if a client requesting a connection presents an expired session ticket. Session tickets are used only for authentication on new connections to servers. Once the connection is authenticated, the ticket expiration date becomes meaningless.

Maximum lifetime for user ticket renewal. With this policy, you can set the number of days during which a ticket-granting ticket can be renewed.

Enforce User Login Restrictions. This policy allows you to specify whether the Kerberos Key Distribution Center should validate each session ticket request against the rights policy in effect for user accounts.

Conclusion

Nowadays you increasingly have to take care of account security, both for client workstations in your organization and for home computers. Those who want to take control of your computer may be not only hackers located thousands and hundreds of thousands of kilometers away from you, but also your own employees. Account policies help protect your accounts. This article details all the policies that have to do with account passwords, account lockout when someone tries to guess a password, and Kerberos, the protocol used to authenticate domain user and computer accounts. In the next article, you will learn about audit policies.