CIS 170F: Windows 7 Administration

Week 7

Windows 7 Security Features
Security Policies
Account Policies

Account policies can be used to enforce long, difficult, frequently changed passwords and to make it hard for users to recycle the same passwords when forced to change them. You should also lock out accounts that fail several login attempts, whether locally or over the LAN.

  • The account policies category contains the password policy and the account lockout policy. Account policies set on a Windows 7 computer apply only to its local accounts; they do not affect domain accounts, whose account policies must be configured at the domain level.

  • The password policy controls password characteristics for local user accounts. The available settings include:

    Policy | Description | Default | Minimum | Maximum
    Enforce Password History | Keeps track of the user's password history | Remember 0 passwords | Same as default | Remember 24 passwords
    Maximum Password Age | Determines the maximum number of days a user can keep a valid password | Keep password for 42 days | Keep password for 1 day | Keep password for up to 999 days
    Minimum Password Age | Specifies how long a password must be kept before it can be changed | 0 days (password can be changed immediately) | Same as default | 998 days
    Minimum Password Length | Specifies the minimum number of characters a password must contain | 0 characters (no password required) | Same as default | 14 characters
    Password Must Meet Complexity Requirements | Requires that passwords meet minimum levels of complexity | Disabled | |
    Store Passwords Using Reversible Encryption | Specifies higher level of encryption for stored user passwords | Disabled | |

  • The account lockout policy helps prevent unauthorized access to Windows 7 by temporarily disabling an account after a number of incorrect logon attempts. The available settings include:

    Policy | Description | Default | Minimum | Maximum
    Account Lockout Duration | Specifies how long the account will remain locked if the Account Lockout Threshold is reached | Disabled, but if Account Lockout Threshold is enabled, 30 minutes | Same as default | 99,999 minutes
    Account Lockout Threshold | Specifies the number of invalid attempts allowed before the account is locked out | 0 (disabled; account will not be locked out) | Same as default | 999 attempts
    Reset Account Lockout Counter After | Specifies how long the counter will remember unsuccessful logon attempts | Disabled, but if Account Lockout Threshold is enabled, 30 minutes | Same as default | 99,999 minutes
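
The password policy and account lockout policy settings above are stored together in the [System Access] section of the security template that secedit exports. The following PowerShell script is an added example, not part of the course notes: it exports the local policy, maps each secedit key to the policy name used in the two tables, and reports whether the current value matches a baseline. The baseline values are an assumption chosen for illustration; the notes themselves prescribe no specific values.

```powershell
# Added example (not from the course notes): export the local account policies
# with secedit and compare them to a baseline. Read-only; needs an elevated prompt.
# The baseline values are assumptions for illustration, not values the notes prescribe.

# INF key written by secedit -> policy name used in the tables above
$PolicyNames = [ordered]@{
    'PasswordHistorySize'   = 'Enforce Password History'
    'MaximumPasswordAge'    = 'Maximum Password Age'
    'MinimumPasswordAge'    = 'Minimum Password Age'
    'MinimumPasswordLength' = 'Minimum Password Length'
    'PasswordComplexity'    = 'Password Must Meet Complexity Requirements'
    'ClearTextPassword'     = 'Store Passwords Using Reversible Encryption'
    'LockoutDuration'       = 'Account Lockout Duration'
    'LockoutBadCount'       = 'Account Lockout Threshold'
    'ResetLockoutCount'     = 'Reset Account Lockout Counter After'
}

# Assumed baseline: booleans are 1/0, password ages in days, lockout times in minutes
$Baseline = @{
    'PasswordHistorySize' = 24; 'MaximumPasswordAge' = 42; 'MinimumPasswordAge' = 1
    'MinimumPasswordLength' = 14; 'PasswordComplexity' = 1; 'ClearTextPassword' = 0
    'LockoutDuration' = 30; 'LockoutBadCount' = 5; 'ResetLockoutCount' = 30
}

# Export the effective local security policy to a temporary INF file
$Inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $Inf /areas SECURITYPOLICY /quiet | Out-Null

# Parse only the [System Access] section, where the account policies live
$Current = @{}
$InSection = $false
foreach ($Line in Get-Content $Inf) {
    if ($Line -match '^\[(.+)\]$') { $InSection = ($Matches[1] -eq 'System Access'); continue }
    if ($InSection -and $Line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $Inf -ErrorAction SilentlyContinue

# Report each policy with its current value and whether it matches the baseline
foreach ($Key in $PolicyNames.Keys) {
    $Value = $Current[$Key]
    $Status = if ($null -eq $Value) { 'NOT FOUND' }
              elseif ($Value -eq $Baseline[$Key]) { 'OK' } else { 'MISMATCH' }
    '{0,-45} current={1,-4} baseline={2,-4} {3}' -f $PolicyNames[$Key], $Value, $Baseline[$Key], $Status
}
```

A MaximumPasswordAge of -1 in the export means the password never expires. The same keys can be written into a [System Access] section of a template and applied with secedit /configure to correct any MISMATCH lines.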

Activity 7-1