Guide to Windows Online Security & Privacy



Renaming and Disabling Default Accounts

By default Windows 2000/XP creates an Administrator and a Guest account. Because these accounts keep their default names, anyone trying to compromise the system already knows two valid login names, which makes the job that little bit easier. This is easy enough to work around, though.

Click on Start, Run, type in secpol.msc and click OK. Expand Local Policies and select Security Options.

The options to change are Accounts: Rename administrator account and Accounts: Rename guest account. Double-click each option, type in another name to use for that account, click Apply and then OK.

Once renamed, select Accounts: Guest account status and ensure it is set to Disabled, which disables anonymous access to the system through that account.
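As an added example, not part of the original guide, the same two changes scripted in PowerShell. It assumes a current Windows with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated prompt, and placeholder new names that you should replace with your own. It locates the accounts by their well-known RIDs (500 for Administrator, 501 for Guest) rather than by name, so it works whether or not the accounts have already been renamed; the RID does not change when the name does, which is why renaming is a hurdle rather than a disguise and disabling Guest still matters.

```powershell
# Added example script, not from the original guide.
# Requires: Microsoft.PowerShell.LocalAccounts module, elevated prompt.
# On Windows 2000/XP (the guide's target), which lack this module, the
# equivalent command-line step for the Guest account is:  net user Guest /active:no

$NewAdminName = 'SvcOps'    # placeholder (assumption): pick your own name
$NewGuestName = 'Visitor'   # placeholder (assumption): pick your own name

# Built-in accounts keep their SID regardless of display name; the last
# component (RID) is 500 for Administrator and 501 for Guest.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

# Accounts: Rename administrator account
if ($admin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $admin.Name -NewName $NewAdminName
}

# Accounts: Rename guest account
if ($guest.Name -ne $NewGuestName) {
    Rename-LocalUser -Name $guest.Name -NewName $NewGuestName
}

# Accounts: Guest account status -> Disabled
Disable-LocalUser -Name $NewGuestName

# Verify: list both built-in accounts with their SIDs and enabled state.
# The names should be the new ones and Guest should show Enabled = False.
Get-LocalUser |
    Where-Object { $_.SID.Value -match '-(500|501)$' } |
    Select-Object Name, Enabled, SID
```

On a domain-joined machine the equivalent Group Policy settings take precedence over anything set locally, so check the verification output rather than assuming the rename took effect.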


Securing Passwords and Locking Out Accounts

Though it's essentially impossible to create uncrackable passwords, you can make them tougher to crack using Local Security Settings. Again, click on Start, Run, type in secpol.msc and click OK. Expand Account Policies and select Password Policy. The options here let you further secure your system by setting additional requirements for passwords used on it.

Enforce password history. The value selected here determines how many new passwords must be created for a user's account before an old one can be reused. As many administrators are probably painfully aware, whenever a user is made to change their password they invariably change it to a new one, then change it straight back to the old one. This setting helps curb that, particularly when combined with the Minimum password age setting. A recommended value is 5 or more. Valid values range from 0 to 24.

Maximum password age. The value here determines how many days a password can be used before it expires and a new one is required. A value of 0 means the password never expires, which is not recommended. For most systems 30 to 60 days should be fine, though you can lengthen or shorten this depending on how security-conscious you are. Valid values range from 0 to 999.

Minimum password age. The value here specifies how many days a new password must be used before it can be changed again. Together with the Enforce password history option, this is very effective at stopping users from re-using a password. A value of 0 means the password can be changed immediately, which isn't recommended. A few days should suffice for this setting. Valid values range from 0 to 999. Obviously, do not set this value higher than the Maximum password age.

Minimum password length. This is fairly self-explanatory; the value sets the minimum length of a password, with 0 meaning no password is required. Set this to at least 6. Valid values range from 0 to 14.

Password must meet complexity requirements. When set to Enabled this adds certain complexity requirements when creating or changing passwords. According to Microsoft these are:

  - Must not contain all or part of the user's account name
  - Must be at least 6 characters in length
  - Must contain characters from 3 of the following 4 categories:
      - English uppercase characters (A - Z)
      - English lowercase characters (a - z)
      - Base 10 digits (0 through 9)
      - Non-alphanumeric characters (e.g., !, $, #, %)

As such, this greatly encourages more complex passwords, which in turn are more secure. When set to Disabled these requirements need not be met when setting a password, which isn't recommended.
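As an added illustration, not from the original guide, here is a PowerShell function that applies the rules listed above to a candidate password so you can see exactly which rule a password would fail, which is handy when explaining a rejected password to a user. The length and category checks follow the list literally; the "part of the account name" check is my approximation (the page does not describe how Windows splits the name): any run of three or more characters from the account name, split on spaces, dots, hyphens and underscores, counts as a part, compared case-insensitively. The account name and sample passwords are constructed.

```powershell
# Added example, not from the original guide: evaluate a password against
# the complexity rules listed above and report every rule it fails.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $AccountName
    )
    $failures = @()

    # Rule: at least 6 characters
    if ($Password.Length -lt 6) {
        $failures += 'Must be at least 6 characters in length'
    }

    # Rule: must not contain all or part of the account name.
    # Approximation (assumption): "parts" are the whole name plus any token of
    # 3+ characters when the name is split on space, dot, hyphen or underscore.
    $nameParts = @($AccountName -split '[\s.\-_]+') + $AccountName |
        Where-Object { $_.Length -ge 3 } | Select-Object -Unique
    foreach ($part in $nameParts) {
        if ($Password.IndexOf($part, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "Must not contain all or part of the account name (found '$part')"
            break
        }
    }

    # Rule: characters from at least 3 of the 4 categories
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) {
        $failures += "Contains characters from only $categories of the 4 categories (3 required)"
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the real value
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample inputs (account name and passwords are made up):
Test-PasswordComplexity -Password 'password'    -AccountName 'jsmith'   # fails: 1 category
Test-PasswordComplexity -Password 'Jsmith2024!' -AccountName 'jsmith'   # fails: contains account name
Test-PasswordComplexity -Password 'Tr0ub4dor&3' -AccountName 'jsmith'   # compliant
```

The function reports all failing rules at once rather than stopping at the first, because the Windows error message only says that the password does not meet the requirements and users rarely know which one they missed.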

Store password using reversible encryption for all users in the domain. Leave this set to Disabled for obvious reasons.

While following the above should help ensure more complex passwords are used, there's still nothing to stop someone from repeatedly trying to log on if they know a username; that's where an account lockout policy comes in useful. Now select Account Lockout Policy.

Account lockout threshold. A value of 0 means an account can never be locked out (not recommended), whereas a value from 1 to 999 sets the number of failed logon attempts that can occur before the account is locked out. A value of 3 or 4 should give any regular user enough attempts to type their password correctly.

Reset account lockout counter after. This option sets how many minutes must pass before the failed logon counter (used to determine when the Account lockout threshold is reached) is reset. It can be set up to 99999 minutes. Personally, I'd recommend setting this to 30 minutes or so.

Account lockout duration. A value of 0 specifies that only an Administrator can unlock a locked-out account, whereas any higher value (up to 99999) sets the number of minutes an account stays locked out before it is unlocked automatically. This should be higher than the Reset account lockout counter after value.
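To check that the password and lockout policies above are actually in force (for example on a machine that was built from an image, or after a Group Policy change), here is an added PowerShell audit that is not part of the original guide. It reads a policy export produced with secedit /export /cfg and compares the [System Access] values with the recommendations in this section. The key names are the ones secedit writes to that section; the thresholds are this section's recommendations (password history 5 or more, expiry within 60 days, minimum age at least 1 day, length at least 6, complexity on, reversible encryption off, lockout after 1 to 4 failures, reset window 30 minutes or more, lockout duration 0 or at least the reset window, default account names changed, Guest disabled). The embedded export is a constructed sample of a default-like, unhardened configuration. One caveat the GUI hides: for a maximum password age of "never expires" secedit writes -1, not 0, so the audit treats both as failing.

```powershell
# Added audit script, not from the original guide.
# Usage on a real machine (elevated prompt):
#   secedit /export /cfg C:\Temp\secpol.inf
#   Get-Content C:\Temp\secpol.inf | ConvertFrom-SeceditInf | Test-SecurityPolicy | Format-Table -AutoSize

function ConvertFrom-SeceditInf {
    # Parse the [System Access] section of a secedit export into a hashtable.
    param([Parameter(ValueFromPipeline)] [string[]] $Lines)
    begin   { $settings = @{}; $section = '' }
    process {
        foreach ($line in $Lines) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $t -match '^(\w+)\s*=\s*(.*)$') {
                $settings[$Matches[1]] = $Matches[2].Trim('"')
            }
        }
    }
    end { $settings }
}

function Test-SecurityPolicy {
    # Compare parsed settings with the recommendations in this section.
    param([Parameter(Mandatory, ValueFromPipeline)] [hashtable] $Settings)
    process {
        $resetWindow = [int]$Settings['ResetLockoutCount']   # 0 when absent
        $checks = @(
            @{ Key='PasswordHistorySize';   Want='5 or more';                  Test={ param($v) [int]$v -ge 5 } }
            @{ Key='MaximumPasswordAge';    Want='1-60 days (0/-1 = never)';   Test={ param($v) [int]$v -ge 1 -and [int]$v -le 60 } }
            @{ Key='MinimumPasswordAge';    Want='1 or more';                  Test={ param($v) [int]$v -ge 1 } }
            @{ Key='MinimumPasswordLength'; Want='6 or more';                  Test={ param($v) [int]$v -ge 6 } }
            @{ Key='PasswordComplexity';    Want='1 (Enabled)';                Test={ param($v) [int]$v -eq 1 } }
            @{ Key='ClearTextPassword';     Want='0 (Disabled)';               Test={ param($v) [int]$v -eq 0 } }
            @{ Key='LockoutBadCount';       Want='1-4';                        Test={ param($v) [int]$v -ge 1 -and [int]$v -le 4 } }
            @{ Key='ResetLockoutCount';     Want='30 or more';                 Test={ param($v) [int]$v -ge 30 } }
            @{ Key='LockoutDuration';       Want='0 or >= ResetLockoutCount';  Test={ param($v) [int]$v -eq 0 -or [int]$v -ge $resetWindow } }
            @{ Key='NewAdministratorName';  Want='not Administrator';          Test={ param($v) $v -ne 'Administrator' } }
            @{ Key='NewGuestName';          Want='not Guest';                  Test={ param($v) $v -ne 'Guest' } }
            @{ Key='EnableGuestAccount';    Want='0 (Disabled)';               Test={ param($v) [int]$v -eq 0 } }
        )
        foreach ($c in $checks) {
            $present = $Settings.ContainsKey($c.Key)
            $value   = if ($present) { $Settings[$c.Key] } else { '(not set)' }
            $pass    = $present -and (& $c.Test $value)   # -and short-circuits, so no cast of '(not set)'
            [pscustomobject]@{ Setting = $c.Key; Value = $value; Recommended = $c.Want; Pass = $pass }
        }
    }
}

# Constructed sample export (not captured from a real machine): a default-like,
# unhardened configuration. Lockout keys are absent, as they are when never set.
$SampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Every row but ClearTextPassword, EnableGuestAccount and MaximumPasswordAge
# should show Pass = False for this sample.
$SampleExport -split '\r?\n' | ConvertFrom-SeceditInf | Test-SecurityPolicy | Format-Table -AutoSize
```

A real export is UTF-16 and Get-Content reads it correctly without extra switches. The checks are deliberately data-driven so that an organisation with a stricter or looser standard can change the Want text and Test scriptblock in one place.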

