By default Windows 2000/XP creates an Administrator and a Guest account. Because they are named just that, anyone attacking the system already knows two valid login names, which makes it that little bit easier to compromise. This is easy enough to work around though.
Click on Start, Run, type in secpol.msc and click Ok. Expand Local Policies and select Security Options. The options to change are Accounts: Rename administrator account and Accounts: Rename guest account. Double click on each of these options, type in another name to use for that account, click Apply, and then Ok.
Once renamed, select Accounts: Guest account status and ensure it is set to Disabled, which will disable anonymous access to the system using that account.
Securing Passwords and Locking Out Accounts
Though it's essentially impossible to create uncrackable passwords, you can make them tougher to crack by using Local Security Settings. Again, click on Start, Run, type in secpol.msc and click Ok. Expand Account Policies and select Password Policy. The options available here can help you further secure your system by letting you set additional requirements for the passwords used on the system.
Enforce password history. The value selected here determines how many new passwords must be created for a user's account before an old one can be reused. As many administrators are probably painfully aware, whenever a user is made to change their password they invariably change it to a new password, then change it straight back to the old one. This setting helps curb that, particularly when combined with the Minimum password age setting. A recommended value would be 5 or more. Valid values range from 0 to 24.
Maximum password age. The value here determines how many days a password can be used before it expires and a new one is required. 0 means the password never expires, which is not recommended. For most systems 30 to 60 days should be fine, though you can lengthen or shorten this depending on how security paranoid you are. Valid values range from 0 to 999.
Minimum password age. The value here specifies how many days a new password must be used before it can be changed. Along with the Enforce password history option this can be used to great effect in stopping users from re-using a password. 0 means the password can be changed immediately, which isn't recommended. A few days should suffice for this setting. Valid values range from 0 to 999. Obviously do not set this value higher than the Maximum password age though.
Minimum password length. This is fairly self-explanatory; the value determines the minimum length of a password, with 0 indicating that no password is required. Set this to at least 6. Valid values range from 0 to 14.
Password must meet complexity requirements. When set to Enabled this adds certain complexity requirements when creating/changing passwords. According to Microsoft these are:
- Must not contain all or part of the user's account name
- Must be at least 6 characters in length
- Must contain characters from 3 of the following 4 categories:
  - English uppercase characters (A - Z)
  - English lowercase characters (a - z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (e.g., !, $, #, %)
As such this greatly encourages more complex passwords, which in turn will prove more secure. When set to Disabled these requirements do not need to be met when setting a password, which isn't recommended.
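To make the rules above concrete, here is an added Python check that applies them to a candidate password; it is an example written for this page, not Microsoft's own filter. It assumes the "part of the account name" rule means the whole account name plus any 3-or-more-character token of the user's display name, compared case-insensitively, and it sticks to the 4 categories the page lists.

```python
import re

# Separators used to split the display name into tokens (assumption: our
# reading of "all or part of the user's account name", not Microsoft's code).
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def _name_tokens(account_name, display_name=""):
    """Name fragments a password must not contain, lower-cased and sorted."""
    tokens = {account_name.lower()}
    for tok in _DELIMS.split(display_name):
        if len(tok) >= 3:            # short tokens like "Jo" are ignored
            tokens.add(tok.lower())
    tokens.discard("")
    return sorted(tokens)


def check_complexity(password, account_name, display_name=""):
    """Return the list of policy rules the password breaks; [] means it passes."""
    failures = []

    # Rule: at least 6 characters
    if len(password) < 6:
        failures.append("shorter than 6 characters")

    # Rule: must not contain the account name (or a display-name token)
    lowered = password.lower()
    for tok in _name_tokens(account_name, display_name):
        if tok in lowered:
            failures.append(f"contains name fragment '{tok}'")
            break

    # Rule: characters from at least 3 of the 4 categories
    categories = [
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric, e.g. ! $ # %
    ]
    if sum(categories) < 3:
        failures.append(f"only {sum(categories)} of 4 character categories")

    return failures


if __name__ == "__main__":
    # Constructed sample checks, not real accounts
    for pw in ("Passw0rd!", "password", "Jsmith#2024"):
        print(pw, "->", check_complexity(pw, "jsmith", "John Smith") or "OK")
```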
Store password using reversible encryption for all users in the domain. Leave this set to Disabled: with it enabled, the stored passwords can be recovered in clear text by anyone who obtains the password store.
While following the above should help you ensure more complex passwords are used, there's still nothing to stop someone from repeatedly trying to log on if they know a username; that's where an account lockout policy comes in useful. Now select Account Lockout Policy.
Account lockout threshold. A value of 0 for this option means an account can never be locked out (and isn't recommended), whereas a value of 1 to 999 sets the number of failed logon attempts that can occur before an account is locked out. A value of 3 or 4 should be sufficient for any regular user to type in their password correctly.
Reset account lockout counter after. This option sets after how many minutes the failed logon counter (used to determine when the Account lockout threshold is reached) is reset. This can be set up to 99999 minutes. Personally I'd recommend setting this to 30 minutes or so.
Account lockout duration. A value of 0 for this option specifies that only an Administrator can unlock a locked out account, whereas any higher value (up to 99999) sets the number of minutes an account is locked out for before becoming unlocked (this should be higher than the Reset account lockout counter after option).