Locking Down Windows
Multiuser systems are security holes in and of themselves. The simplest systems—those used by only one person—are the easiest ones to secure because there’s much less diversity and variance of usage on the part of one person than there is on the part of many. Unfortunately, most of our IT environments require multiple user accounts, so the following section focuses on some prudent ways to lock down Windows systems, including Windows Server 2003 machines and associated client workstation operating systems.
Long passwords are more secure, period. As you might suspect, there are more permutations and combinations to try when one is attempting to crack a machine via brute force, and common English words, on which a dictionary attack can be based, generally are less than eight characters in length. On the same token, aging passwords are insecure. Although most users grudgingly change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often have the same password for life, which makes them an easy target for attack.
To counter these threats, consider setting some basic requirements for passwords. To set these restrictions on individual workstations and Windows Server 2003 servers, follow these steps:
Open the MMC and navigate to the Local Security Policy snap-in. You usually access this by selecting Start → All Programs → Administrative Tools.
Navigate down the tree, ...