Locking Down Windows
Multiuser systems are security holes in and of themselves. The simplest systems—those used by only one person—are the easiest ones to secure because there's much less diversity and variance of usage on the part of one person than there is on the part of many. Unfortunately, most of our IT environments require multiple user accounts, so the following section focuses on some prudent ways to lock down Windows systems, including Windows Server 2008 machines and associated client workstation operating systems.
Password Policies
Long passwords are more secure, period. As you might suspect, there are more permutations and combinations to try when one is attempting to crack a machine via brute force, and common English words, on which a dictionary attack can be based, are generally shorter than eight characters in length. By the same token, passwords that have not been changed in a long time are also insecure. Although most users grudgingly change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often have the same password for life, which makes them an easy target for attack.
To counter these threats, consider setting some basic requirements for passwords. To set these restrictions on individual workstations and Windows Server 2008 member servers, follow these steps:
Open the MMC and navigate to the Local Security Policy snap-in. You usually access this by selecting Start → All Programs → Administrative ...
Get Windows Server 2008: The Definitive Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
