In the lab, simple passwords with no restrictions are great. If you choose to leave a password blank by not setting one, less effort is required to log on the dozens of times you might need to in order to carry out the various experiments you set out to perform. In production, however, the complexity of passwords and the restrictions you place on them provide more security for your network than any well-thought-out user account naming convention. Theoretically, passwords are never seen by anyone, unlike usernames. In fact, you rarely see even your own passwords; all you see is a series of asterisks or bullets, each one representing a character of your password.
Due to the hassle associated with remembering new passwords, most users would never change their passwords if left to their own devices. As a result, it's incumbent upon the network administrator to set password policy requirements for the user population. Configurable requirements include how many previous passwords a user is prevented from reusing, how often passwords expire, how soon a user may change their password again, the minimum number of characters a password must have, and whether a password must meet complexity requirements.
This task explores each one of these parameters, getting you to test restrictions where possible.
Scenario
You have had reports of resources on the network changing mysteriously, sometimes when only one associate has had authorization to access the resource. Some cases result in a complete and permanent loss of critical information. When you consult system logs, you realize that access to the resource sometimes occurred at times during the day or night when the owner of the credentials was not at their station. Your interpretation of this information is that account passwords have been compromised. Your solution is to begin enforcing password restrictions that will force all users to choose stronger passwords, and you will hold users to a stricter password policy, making this type of crime harder to commit.
Scope of Task
Duration
Setup
For this task, you need a single computer on which you can create user accounts or change the passwords of existing accounts so you can test some of the restrictions.
Caveat
It is possible to overdo the password restrictions for your network. There is a fine line between the perfect password policy and going overboard. The line is not always easily defined and it varies, but the administrator tends to know when the users feel the line has been crossed. Just be careful not to rely on password policy alone, and keep in mind that users tend to prefer more lax policies, even to their own detriment.
This task adjusts local Group Policy on a computer. Domain-level group policy trumps local-level group policy, sometimes making local policy adjustment impossible. When possible, an administrator is advised to adjust domain-level group policies, which are strikingly similar to the local policy settings, just farther reaching in scope.
One last note: don’t use your regular account to change passwords. Start with your account, but follow the procedure to make David Elliot an administrator. Then use his account, just in case you lock him out. That way, you can always get back into your regular administrator account and set David back up properly without ever having to use his lost password.
Procedure
In this task, you adjust five separate password restrictions, testing the effect of those that you can.
Equipment Used
For this task, you only need a single computer, but you must have administrative privileges on the computer and the effective rights to make the adjustments set forth in this task.
Details
The following steps instruct you on how to access the local security policy for a computer and how to adjust password restrictions.
Preparation
1. To keep from locking yourself out of your own administrative account (by forgetting passwords), place David Elliot's account in the local Administrators group, and then log off as yourself and back on as David. Earlier tasks can assist you with this task.
2. Open Control Panel and double-click the Administrative Tools applet to display the list of tools available to you.
3. Double-click the Local Security Policy shortcut in the list to bring up the MMC with the Security Settings plug-in.
If you were able to complete these first three steps, proceed to step 11. If you see no Administrative Tools applet in Control Panel or if Local Security Policy is not one of the shortcuts that you see, you can follow this alternative procedure, starting with step 4.
4. Click Start > Run and enter mmc in the Open field to bring up a generic MMC console and then maximize the Console Root floating window to produce a display similar to the following image.
5. Click File > Add/Remove Snap-In to bring up a dialog that allows you to choose your
6. Click the Add button to spawn the Add Standalone Snap-In dialog. Scroll down, if necessary, and click Group Policy Object Editor, which you see highlighted in the following screen shot.
7. Click the Add button to bring up the Select Group Policy Object Wizard.
8. Click the Finish button to keep your configuration on the local computer. Doing so takes you back to the Add Standalone Snap-In dialog, but if you can see the Standalone tab of the Add/Remove Snap-In dialog, you might notice that there is a Local Computer Policy entry in the previously empty snap-in list.
9. Click the Close button in the Add Standalone Snap-In dialog to go back to the Add/Remove Snap-In dialog, which now looks like the following. Click the OK button to leave the Add/Remove Snap-In dialog.
10. Click the OK button to leave the Add/Remove Snap-In dialog and then expand Local Computer Policy > Computer Configuration > Windows Settings > Security Settings, finally clicking Security Settings, as seen next, which brings you to the same display that Local Security Policy in Administrative Tools would have.
11. Regardless of the method used to get to this point, expand Account Policies and click Password Policy to produce the following display.
12. In the right pane, make sure all settings match settings in the previous screen shot. For the ones that do not, double-click the entry in the Policy column to adjust the setting. You will be setting only one of these at a time in the following steps, returning to the setting shown here before changing any other setting.
Enforce Password History
1. In the right pane, double-click Enforce Password History to bring up its Properties dialog. Use the spinner buttons (arrows) to change the value to 2. Then click the Apply button, leaving the Properties dialog open because you will need it again shortly.
2. Press Ctrl+Alt+Delete to bring up the Windows Security display and click the Change Password button to enter the Change Password dialog. Change the password to something different, but be sure to remember this password because it will be the one you stay with for the time being. Forgetting it could lock you out. It is for this reason you should not be using an important account for this task.
3. Repeat the previous step again and try to change the password back to the previous setting. You receive the error message "Your password must be at least 0 characters and cannot repeat any of your previous 2 passwords...."
4. Click the OK button to clear the message.
5. Press the Esc key to return to Windows without changing your password.
6. Change Enforce Password History back to 0, which indicates that a password history will not be kept. Then click the OK button.
Note that a value of 0 is not advisable. The default value of 1 is designed to avoid accidental re-entry of the same password during a change, not necessarily to prohibit early reuse of a password. Setting the minimum password age, coming up shortly, to greater than 0 discourages rifling through dummy passwords in one sitting to get back to the current password during a mandatory change.
Maximum Password Age
Back at the Security Settings plug-in, double-click Maximum Password Age in the right pane to display the Maximum Password Age dialog, which shows that the default length of time a user may have the same password is 42 days.
Changing the setting to 0 indicates that the password will never expire, which is not a wise choice for a secure network. Individual accounts can still be set to never expire even though you set passwords to expire after a certain number of days by default. Furthermore, be careful not to set this value too low or you may have dissension in the ranks. If you set the number too high, you might as well be setting the password to never expire. A happy medium, such as the default of 42, is advised.
Even setting this control to 1 day is difficult to test, so feel free to experiment with this setting as your situation permits.
Minimum Password Age
1. At the Security Settings plug-in, double-click Minimum Password Age in the right pane. Note that a setting of 0 days means that you can change your password with no delay from the previous change. Such freedom defeats the purpose of enforcing a password history because users are able to rotate through enough passwords, practically instantaneously, until they are once again allowed to use an old favorite. However, leaving this value at the default of 0 enables an administrator to set a user's password and then force the user to change the password to one of their own choosing the next time they log on.
2. Change the value to 1 day, and click the Apply button.
3. Press Ctrl+Alt+Delete to bring up the Windows Security display and click the Change Password button to enter the Change Password dialog. Change the password to something different, but be sure to remember it.
4. Repeat the previous step again and try to change the password to anything else. You receive the error message "The password on this account cannot be changed at this time."
5. Click the OK button to clear the message.
6. Press the Esc key to return to Windows without changing your password. Change Mini-
Minimum Password Length
1. At the Security Settings plug-in, double-click Minimum Password Length in the right pane. This brings up the Minimum Password Length Properties page. Note that a setting of 0 characters means that you are not required to enter a password; you can leave it blank and just press Enter to log on after supplying the username. Such a setting defeats the concept of security almost single-handedly.
2. Change the value to 9 characters and click the Apply button.
3. Press Ctrl+Alt+Delete to bring up the Windows Security display and click the Change Password button to enter the Change Password dialog. Attempt to change the password to something with eight or fewer characters. You receive the error message "Your password must be at least 9 characters and cannot repeat any of your previous 0 passwords...."
4. Click the OK button to clear the message.
5. Press the Esc key to return to Windows without changing your password. Change Minimum Password Length back to 0 characters and click the OK button.
Password Must Meet Complexity Requirements
1. At the Security Settings plug-in, double-click Password Must Meet Complexity Requirements in the right pane. This produces this restriction's Properties page, as shown next with the Enable radio button filled in already.
2. Make sure the Enable button is filled in and click the Apply button. This enforces the following complexity requirements:
The password cannot contain the user's account name or any part of the user's full name.
The password must be at least six characters long.
The password must exhibit three of the following four characteristics: uppercase English letters, lowercase English letters, digits 0 through 9, and special characters, such as punctuation.
3. Press Ctrl+Alt+Delete to bring up the Windows Security display and click the Change Password button to enter the Change Password dialog. Assuming a minimum password length of 6, examples of violations are password, passw0rd, pa$$word, Pa$$, and Password. Examples of legal passwords are Passw0rd, pa$$w0rd, and Pass;!. Attempt to change the password to something that violates any of the complexity requirements. You receive the error message "Your password must be at least 0 characters; cannot repeat any of your previous 0 passwords; must contain capitals, numerals, or punctuation; and cannot contain your account or full name."
4. Click the OK button to clear the message.
5. Press the Esc key to return to Windows without changing your password. Disable this feature and click the OK button.
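The rule tested in the steps above is mechanical enough to reproduce in a few lines, which is a handy way to pre-check a proposed password, or a whole list of them, without bouncing off the Change Password dialog. The following Python function is an added example, not code from the original task. It implements the complexity rule as Windows documents it, of which the bullets above are a summary: at least six characters; three of the four character categories; no occurrence of the account name (case-insensitive, and skipped when the account name is shorter than three characters); and no full-name token of three or more characters, where the full name is split on commas, periods, hyphens, underscores, spaces, pound signs and tabs. The account name delliot for David Elliot is an assumption made for the example.

```python
"""Pre-check a password against the "Password must meet complexity
requirements" rule.

Added example, not code from the original task.  The rule is implemented as
Windows documents it; the task's bullets summarize the same rule.
"""
import re
import string

# Windows splits the full name on these delimiters and ignores any resulting
# token shorter than three characters.
_FULL_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password):
    """Return the set of categories present: upper, lower, digit, special."""
    categories = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            categories.add("upper")
        elif ch in string.ascii_lowercase:
            categories.add("lower")
        elif ch in string.digits:
            categories.add("digit")
        else:
            categories.add("special")  # punctuation, symbols, non-English letters
    return categories


def check_complexity(password, account_name, full_name=""):
    """Return (ok, reasons).

    reasons lists every rule the password breaks, so a caller can report all
    of them at once the way the Windows error message does.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if len(character_categories(password)) < 3:
        reasons.append("fewer than 3 of the 4 character categories")
    # The account-name check is case-insensitive and is skipped for account
    # names of fewer than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in _FULL_NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains part of the full name ({token})")
    return (not reasons, reasons)


if __name__ == "__main__":
    # delliot as David Elliot's account name is an assumption for the example.
    for candidate in ("password", "passw0rd", "pa$$word", "Pa$$", "Password",
                      "Passw0rd", "pa$$w0rd", "Pass;!", "Elliot#1"):
        ok, reasons = check_complexity(candidate, "delliot", "David Elliot")
        verdict = "OK" if ok else "REJECTED: " + "; ".join(reasons)
        print(f"{candidate:10} {verdict}")
```

Run against the task's own examples, the five violations are rejected and the three legal passwords pass; Elliot#1 shows the full-name rule, which the dialog reports but the task's examples do not exercise. Because the function returns every broken rule rather than the first one, it also tells you why a password that a user insists is "complex" is still being refused.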
Criteria for Completion
You have completed this task when you have made the recommended password settings and tested the changes where possible.