
GPO Review - Computer Configuration - Windows Settings - Account Policies

kcnychief

█▄█ ▀█▄ █
Political User
#1
It's that time of week again. It's getting a bit hard to do this because of time constraints, but for the sake of learning, I tread on....

This week, open for discussion is Account Policies. I have attached only a screenshot of the main root, as I didn't want to suck up too much of my space.

Here is how mine breaks down, LMK your thoughts:

Password Policy:
Enforce Password History - Mine is set to a history of 5
Maximum Password Age - 60 days
Minimum Password Age - 15 days
Minimum Password Length - 8 characters
Password must meet complexity requirements - Enabled
Store Passwords Using reversible encryption - Disabled *

Account Lockout Policy:
Account Lockout Duration: 15 minutes
Account Lockout Threshold: 8 invalid logon attempts
Reset account lockout counter after: 30 minutes

Kerberos Policy:
Enforce user logon restrictions: not configured*
Maximum lifetime for service ticket: not configured*
Maximum lifetime for user ticket: not configured*
Maximum lifetime for user ticket renewal: not configured*
Maximum tolerance for computer clock synchronization: not configured*

Any description that has an * next to it means I don't have a full understanding of it. I am doing this all self-taught, and just haven't explored that area yet. Other input is welcome and appreciated. Thanks
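To turn a settings list like the one above into something checkable, here is an added PowerShell audit function (not from this thread). It takes any object exposing the property names that Get-ADDefaultDomainPasswordPolicy returns, compares it with baseline values that are assumptions chosen for illustration, and also checks the Windows requirement that the lockout reset window not exceed the lockout duration. The sample object is constructed from the values posted above.

```powershell
# Added example, not from the thread. Audits a password/lockout policy against a
# baseline. The baseline defaults below are assumptions chosen for illustration.
function Test-AccountPolicy {
    param(
        # Any object exposing the property names used by Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] $Policy,
        [int]$MinHistory = 5,
        [int]$MaxAgeDays = 60,
        [int]$MinLength = 8,
        [int]$MaxLockoutThreshold = 5
    )
    $findings = @()
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "Password history $($Policy.PasswordHistoryCount) is below $MinHistory"
    }
    if ($Policy.MaxPasswordAge -gt (New-TimeSpan -Days $MaxAgeDays)) {
        $findings += "Maximum password age $($Policy.MaxPasswordAge.Days) days exceeds $MaxAgeDays"
    }
    if ($Policy.MinPasswordAge -le [TimeSpan]::Zero) {
        $findings += "Minimum password age is 0; users can cycle straight back to an old password"
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum length $($Policy.MinPasswordLength) is below $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += "Complexity requirements are disabled" }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; stored passwords are recoverable"
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "Lockout threshold is 0; accounts never lock out"
    } elseif ($Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) exceeds $MaxLockoutThreshold"
    }
    # Windows requires the reset window to be less than or equal to the lockout duration.
    if ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutObservationWindow -gt $Policy.LockoutDuration) {
        $findings += "Reset window ($($Policy.LockoutObservationWindow.TotalMinutes) min) exceeds lockout duration ($($Policy.LockoutDuration.TotalMinutes) min)"
    }
    return ,$findings
}

# Constructed sample: the settings listed in the post above, in the shape the AD cmdlet returns them.
$sample = [PSCustomObject]@{
    PasswordHistoryCount = 5;  MaxPasswordAge = New-TimeSpan -Days 60
    MinPasswordAge = New-TimeSpan -Days 15;  MinPasswordLength = 8
    ComplexityEnabled = $true;  ReversibleEncryptionEnabled = $false
    LockoutDuration = New-TimeSpan -Minutes 15;  LockoutThreshold = 8
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}
Test-AccountPolicy -Policy $sample
# Against a live domain (needs the RSAT ActiveDirectory module):
# Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```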

madmatt

Bow Down to the King
Political User
#4
Kerberos should be defined at the domain level (Default Domain Policy) by default. There is no need to set this up in other GPOs.

As for my settings.

6 passwords remembered
30 day password age (max)
15 day password age (min)
Minimum password length is 8
Password must meet complexity requirements - yes

Account lockout duration - 30 minutes
Account lockout threshold - 3
Reset account lockout counter after - 30 minutes
 

kcnychief

█▄█ ▀█▄ █
Political User
#5
madmatt said:
Kerberos should be defined at the domain level (Default Domain Policy) by default. There is no need to set this up in other GPOs.
Were you just using an example? I thought it was bad practice to use a GPO named "Default Domain Policy".
 

madmatt

Bow Down to the King
Political User
#6
That's what I named my default domain policy. I don't know how it could be considered bad practice, but I suppose that is open to interpretation.

At some point some wise man told me, "keep it simple stupid".
 

fimchick

OSNN Senior Addict
#7
I agree with matt. You definitely don't want to set your account lockout policy to more than 3 times -- it gives hackers too many attempts to get into your system. If a user can't remember/type correctly their password after 3 times, then they need to have it reset anyways :)
 

kcnychief

█▄█ ▀█▄ █
Political User
#8
fimchick said:
I agree with matt. You definitely don't want to set your account lockout policy to more than 3 times -- it gives hackers too many attempts to get into your system. If a user can't remember/type correctly their password after 3 times, then they need to have it reset anyways :)
I agree, and I'm sure 3-5 is more commonly used, but the environment where I enforce that policy has some people that aren't very intelligent and they need to have time to turn off the caps lock, turn on the num lock etc.
 
