With the tools that attackers have available today, simple passwords should be outlawed by every company. Turning on the requirement for complex passwords in your network is pretty simple; the hard part is knowing where to find the setting. We are going to require complex passwords by making a change inside Group Policy. We will work through Group Policy step by step, and combining this recipe with the chapter on Group Policy in the book Windows Server 2016 Administration Cookbook, published by Packt, will give you more flexibility in how you later change the implementation of this password policy.
We need to be working in a domain environment, as Group Policy is something that runs within Active Directory. The change that we are going to make in Group Policy is done from a domain controller, and we will utilize a client computer to test our policy once it has been implemented.
The following steps will help you enable complex passwords for your network:
- On your domain controller, launch Group Policy Management from inside the Tools menu in Server Manager.
- Expand your forest name and find the name of your domain inside the Domains folder. If you expand your domain name, you will see a Group Policy Object (GPO) in there called the Default Domain Policy. This policy is automatically configured in a new Active Directory environment to apply to all user accounts, so for this recipe, we will modify this GPO to require complex passwords for all of our users.
- Right-click on Default Domain Policy and click Edit...

Note

You can easily create a new GPO and use it instead of modifying the built-in default policy. This will give you better control over who or what gets the settings applied to them. See the chapter on Group Policy in the book Windows Server 2016 Administration Cookbook for more detail on managing the GPOs themselves. We use the Default Domain Policy in this recipe to keep the number of steps short, but it really is recommended never to use the Default Domain Policy to make actual changes in a production environment.

- Browse to the following location by navigating to Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policy.
- Here are the configurable options that you can set for password requirements in your network. I am going to set Maximum password age to 30 days so that everyone needs to change their password monthly, and I will increase Minimum password length to 8 characters. I will also enable the complexity requirements setting, which enforces a number of different requirements at once. If you double-click on that setting and browse to the Explain tab, you will see a list of all the items that are now required.
- Now try logging into a computer with a domain user account. You will discover that the existing password no longer meets the criteria and has to be changed accordingly.
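The same three settings can be applied and, more usefully, verified from PowerShell with the ActiveDirectory module. This is an added example and not code from the book; it assumes the RSAT ActiveDirectory module is available, that the account running it may edit the domain password policy, and that the domain name is resolved from the current machine rather than typed in.

```powershell
# Added example (not from the book): apply the recipe's password settings to the
# domain-wide policy and verify that they are in force.
# Assumes: ActiveDirectory module (RSAT) and rights to edit the domain password policy.
Import-Module ActiveDirectory

# Resolve the current domain instead of hard-coding it (e.g. corp.example.com as a placeholder)
$domain = (Get-ADDomain).DNSRoot

# The values chosen in the recipe
$desired = @{
    MaxPasswordAge    = New-TimeSpan -Days 30   # force a change every 30 days
    MinPasswordLength = 8                       # at least 8 characters
    ComplexityEnabled = $true                   # "Password must meet complexity requirements"
}

# Record what is in force before the change
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Before: MaxAge={0} MinLen={1} Complexity={2}" -f `
    $before.MaxPasswordAge, $before.MinPasswordLength, $before.ComplexityEnabled

# Set-ADDefaultDomainPasswordPolicy writes the same domain-wide attributes that the
# Password Policy node of the Default Domain Policy GPO controls
# (maxPwdAge, minPwdLength, pwdProperties). Splatting passes each key as a parameter.
Set-ADDefaultDomainPasswordPolicy -Identity $domain @desired

# Re-read the policy and check each setting individually
$after  = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$checks = @(
    @{ Name = 'MaxPasswordAge';    Ok = ($after.MaxPasswordAge    -eq $desired.MaxPasswordAge) }
    @{ Name = 'MinPasswordLength'; Ok = ($after.MinPasswordLength -ge $desired.MinPasswordLength) }
    @{ Name = 'ComplexityEnabled'; Ok = ($after.ComplexityEnabled -eq $desired.ComplexityEnabled) }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK' } else { 'MISMATCH' }
    "{0,-18} {1}" -f $c.Name, $state
}
if ($checks.Where({ -not $_.Ok }).Count -gt 0) {
    Write-Error "Effective password policy does not match the recipe's settings"
}
```

The PDC emulator rewrites these domain attributes from the Default Domain Policy GPO on each policy refresh, so if the GPO and the cmdlet disagree, the GPO wins; keep the GPO change from the recipe as the source of truth and use the script to confirm it has taken effect.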
Because we set requirements for password complexity in the Default Domain Policy, that requirement flows across our whole network. A solid password policy is very important in today's networks and just scratches the surface of Group Policy's abilities. These simple setting changes can make the difference in whether or not your company is compromised as a result of a brute force password attack.