To protect your accounts against security threats, Windows lets you set account policies that enforce good security practices for user accounts. These account policies fall into three categories: password policies, account lockout policies, and Kerberos policies:
• Password policies: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Company Name's entire corporate network. As such, all Company Name employees are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. Windows password policies let you enforce rules that compel your users to use strong passwords.
Enforce password history: This policy forces the user to use a certain number of distinct passwords before he or she is allowed to reuse a password. The minimum is zero, which disables this policy. The maximum is 24. A more realistic setting is about five.
Maximum password age: A user can keep the same password for up to 30, 45, or 60 days.
Minimum password age: A user must keep a new password for at least one day. This policy determines how long the user has to wait after changing the password before he or she can change it again.
Minimum password length: This policy prevents the use of short passwords. The default setting is zero, which effectively lets your users have no password at all; set it to six or seven characters instead.
Store passwords using reversible encryption for all users in the domain: This policy sounds like it increases security, but it actually decreases it, because reversible encryption is by design easy to undo: anyone who can read the stored value can recover the plaintext password.
• Account lockout policies: Account lockout policies let you set thresholds that automatically shut down an account when too many incorrect username and password combinations are attempted, in order to protect the machine. When Windows detects someone trying to break in, it temporarily locks the account. The account lockout policies are:
Account lockout threshold: This policy determines how many times a user can unsuccessfully try to log on before the system locks out the user. A reasonable threshold is three to five mistakes.
Account lockout duration: This policy determines how long the user will be locked out when the number of unsuccessful logon attempts exceeds the threshold. The default is Not Defined, which means the user won't be locked out. The account lockout duration should be at least 15 minutes.
Reset account lockout counter after: This policy lets you cut the user some slack if the user waits a while between invalid attempts. If a user makes two or three mistakes entering the password, takes a few minutes off and then tries again, the system should reset the invalid logon attempt count to give the user a fresh start.
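The password policies and the account lockout policies above are both stored in the default domain password policy, so one script can audit and fix both. The following PowerShell is an added example written for this post, not code from the original poster or from Microsoft. It assumes the ActiveDirectory RSAT module is installed and that you run it with Domain Admins rights; the baseline numbers are assumptions taken from the recommendations above (history 5, maximum age 60 days, minimum age 1 day, length 7, lockout after 5 failures, 15-minute lockout duration and reset window).

```powershell
# Added example (not from the original post): audit the default domain password
# and account lockout policy against the recommendations above and, with
# -Remediate, apply them. Assumes the ActiveDirectory RSAT module and Domain
# Admins rights. Baseline values are assumptions taken from the post.
[CmdletBinding()]
param([switch]$Remediate)

Import-Module ActiveDirectory

# Desired baseline. Keys match Set-ADDefaultDomainPasswordPolicy parameter names
# so the hashtable can be splatted straight into the cmdlet.
$Baseline = @{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = New-TimeSpan -Days 60
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false   # reversible storage exposes plaintext passwords
    LockoutThreshold            = 5
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
}

$Domain  = Get-ADDomain
$Current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain.DistinguishedName

$Findings = foreach ($Name in $Baseline.Keys) {
    $Have = $Current.$Name
    $Want = $Baseline[$Name]
    $Ok = switch ($Name) {
        # Maximum age: 0 means "never expires"; otherwise it must not exceed the baseline
        'MaxPasswordAge'              { $Have -ne [TimeSpan]::Zero -and $Have -le $Want }
        # Boolean settings must match exactly
        'ComplexityEnabled'           { $Have -eq $Want }
        'ReversibleEncryptionEnabled' { $Have -eq $Want }
        # Everything else is an "at least this much" setting
        default                       { $Have -ge $Want }
    }
    [pscustomobject]@{ Setting = $Name; Current = $Have; Baseline = $Want; Compliant = $Ok }
}

$Findings | Format-Table -AutoSize

$Gaps = @($Findings | Where-Object { -not $_.Compliant })
if ($Gaps.Count -gt 0 -and $Remediate) {
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain.DistinguishedName @Baseline
    Write-Host "Applied baseline to $($Domain.DNSRoot); re-run without -Remediate to verify."
}
```

Run it once without -Remediate to see a compliance table, then with -Remediate to apply the baseline. Note that Set-ADDefaultDomainPasswordPolicy rejects a minimum age that is not shorter than the maximum age and an observation window longer than the lockout duration, which is why the baseline keeps 1 day under 60 days and the two lockout timers equal.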
• Kerberos policy: Kerberos policy is implemented by the domain's Key Distribution Center (KDC) and is defined at the domain level. It is stored in Active Directory as a subset of the attributes of the domain security policy, and its options are set by members of the Domain Admins group.
Enforce user logon restrictions: This policy makes the KDC check the user rights on the target computer to verify that the user has the right either to log on locally or to access the computer from the network.
Maximum lifetime for ticket renewal: This policy sets the maximum lifetime of a ticket; after 7 days the ticket can no longer be renewed or changed.
Maximum lifetime for user ticket: The user ticket is known as the TGT (Ticket Granting Ticket), and it must be renewed after 10 hours.
Maximum lifetime for service ticket: A service ticket is also known as a session ticket. This setting determines how long a service ticket is considered valid; it must be more than 10 minutes and less than the maximum user ticket lifetime (10 hours).
Maximum tolerance for computer clock synchronization: When the KDC (Key Distribution Center) clock differs from the Kerberos client's clock by more than this many minutes, tickets are not issued to the client. The clocks on client and server computers must be relatively close to each other; the default setting is 5 minutes.
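The Kerberos settings above are not exposed by the ActiveDirectory cmdlets, but secedit can export the effective policy from a domain controller as an INF file. The following PowerShell is an added example for this post, not code from the original poster or from Microsoft; it exports the policy, parses the [Kerberos Policy] section, and checks each value against the limits described above. It assumes an elevated prompt on a domain controller, and the INF key names are the ones secedit writes (MaxTicketAge in hours, MaxRenewAge in days, MaxServiceAge and MaxClockSkew in minutes, TicketValidateClient 0 or 1); the limits themselves restate the post's numbers and are assumptions here.

```powershell
# Added example (not from the original post): export the effective security
# policy with secedit and check the [Kerberos Policy] values against the limits
# described above. Run from an elevated prompt on a domain controller. The
# expected limits are assumptions restating the post's numbers.
$Inf = Join-Path $env:TEMP 'kerberos-policy-export.inf'
secedit /export /cfg $Inf /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $Inf)) { throw "secedit export failed; run from an elevated prompt" }

# Minimal INF parser: [Section] headers map to hashtables of key = value pairs.
# Get-Content honours the UTF-16 byte-order mark that secedit writes.
$Policy  = @{}
$Section = $null
foreach ($Line in Get-Content $Inf) {
    if ($Line -match '^\[(.+)\]\s*$') {
        $Section = $Matches[1]
        $Policy[$Section] = @{}
    }
    elseif ($Section -and $Line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
        $Policy[$Section][$Matches[1]] = $Matches[2]
    }
}
Remove-Item $Inf -ErrorAction SilentlyContinue

$Kerb = $Policy['Kerberos Policy']
if (-not $Kerb) { throw "No [Kerberos Policy] section in the export; this is not a domain controller" }

# Read each value once; a missing key casts to 0 instead of throwing.
$TicketValidateClient = [int]$Kerb['TicketValidateClient']   # enforce user logon restrictions
$MaxTicketAge         = [int]$Kerb['MaxTicketAge']           # user (TGT) lifetime, hours
$MaxRenewAge          = [int]$Kerb['MaxRenewAge']            # renewal lifetime, days
$MaxServiceAge        = [int]$Kerb['MaxServiceAge']          # service ticket lifetime, minutes
$MaxClockSkew         = [int]$Kerb['MaxClockSkew']           # clock tolerance, minutes

# One rule per setting discussed above. The service ticket upper bound is
# "not longer than the TGT lifetime" because a default domain sets both to 10 hours.
$Checks = @(
    [pscustomobject]@{
        Setting = 'Enforce user logon restrictions'
        Value   = $TicketValidateClient
        Rule    = 'must be enabled (1)'
        Pass    = ($TicketValidateClient -eq 1)
    }
    [pscustomobject]@{
        Setting = 'Max user ticket lifetime (hours)'
        Value   = $MaxTicketAge
        Rule    = 'between 1 and 10 hours'
        Pass    = ($MaxTicketAge -ge 1 -and $MaxTicketAge -le 10)
    }
    [pscustomobject]@{
        Setting = 'Max ticket renewal lifetime (days)'
        Value   = $MaxRenewAge
        Rule    = 'between 1 and 7 days'
        Pass    = ($MaxRenewAge -ge 1 -and $MaxRenewAge -le 7)
    }
    [pscustomobject]@{
        Setting = 'Max service ticket lifetime (minutes)'
        Value   = $MaxServiceAge
        Rule    = 'at least 10 min and not longer than the user ticket lifetime'
        Pass    = ($MaxServiceAge -ge 10 -and $MaxServiceAge -le ($MaxTicketAge * 60))
    }
    [pscustomobject]@{
        Setting = 'Max clock skew (minutes)'
        Value   = $MaxClockSkew
        Rule    = 'between 1 and 5 minutes'
        Pass    = ($MaxClockSkew -ge 1 -and $MaxClockSkew -le 5)
    }
)

$Checks | Format-Table Setting, Value, Rule, Pass -AutoSize
if ($Checks | Where-Object { -not $_.Pass }) { Write-Warning 'Kerberos policy deviates from the recommended limits' }
```

The same export also contains a [System Access] section with the password and lockout values, so the parser can be reused to audit a member server's local policy where the domain cmdlets do not apply.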
Copyright Techfuels