Requiring complex passwords in your network
With the tools that attackers have available today, simple passwords should be outlawed by every company. Turning on the requirement for complex passwords in your network is pretty simple; the hard part is knowing where to find the setting. We are going to require complex passwords by making a change inside Group Policy. We will be using Group Policy in a step-by-step fashion, and combining this recipe with the chapter on Group Policy in the book Windows Server 2016 Administration Cookbook, published by Packt, will give you even more creativity in the way that you could later change the implementation of this password policy.
Getting ready
We need to be working in a domain environment, as Group Policy is something that runs within Active Directory. The change that we are going to make in Group Policy is done from a domain controller, and we will utilize a client computer to test our policy once it has been implemented.
How to do it...
The following steps will help you enable complex passwords for your network:
- On your domain controller, launch Group Policy Management from inside the Tools menu in Server Manager.
- Expand your forest name and find the name of your domain inside the Domains folder. If you expand your domain name, you will see a Group Policy Object (GPO) in there called the Default Domain Policy. This policy is automatically configured in a new Active Directory environment to apply to all user accounts, so for this recipe, we will modify this GPO to require complex passwords for all of our users.
- Right-click on Default Domain Policy and click Edit...:
You can easily create a new GPO and use it instead of modifying the built-in default policy. This will give you better control over who or what gets the settings applied to them. See the Group Policy chapter of the book Windows Server 2016 Administration Cookbook for more detail on managing the GPOs themselves. We use the Default Domain Policy in this recipe to keep the number of steps short, but it really is recommended never to use the Default Domain Policy to make actual changes in a production environment.
- Browse to the following location by navigating to Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policy.
- Here are the configurable options that you can set for password requirements in your network. I am going to set Maximum password age to 30 days so that everyone needs to change their password monthly, and I will increase Minimum password length to 8 characters. I will also enable the complexity requirements setting, which imposes several requirements at once. If you double-click on that setting and browse to the Explain tab, you will see a list of all the items that are now required:
- Now try logging into a computer with a domain user account; you will discover that the password no longer meets the criteria and that it has to be changed accordingly:
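The same three settings applied from PowerShell instead of the Group Policy editor, followed by a read-back to confirm them, as an added example that is not part of the book's recipe. It assumes the ActiveDirectory module is available on the domain controller; Test-PasswordComplexity is a hypothetical helper written here, not a built-in cmdlet, and the account names and passwords it is fed are constructed samples.

```powershell
# Added example: apply the recipe's values (complexity on, 8 characters, 30-day maximum age)
# with the ActiveDirectory module, then verify. Run as a Domain Admin on a domain controller.
Import-Module ActiveDirectory

Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 30)

# Read the effective default domain policy back and confirm each value took.
# Caveat: the PDC emulator re-applies the Default Domain Policy GPO on every refresh, so the
# GPO and these values must agree, or the GPO's values win.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount

# Hypothetical helper: checks a candidate password against the rules listed on the setting's
# Explain tab (account-name check and three-of-four character categories), so a help desk can
# pre-check a proposed password without a failed logon attempt.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MinimumLength = 8
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    # -match is case-insensitive in PowerShell, which matches how Windows applies this rule.
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += 'contains the account name'
    }
    # -cmatch is case-sensitive, so upper- and lowercase letters are counted separately.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $reasons += 'uses fewer than three of the four character categories'
    }
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed samples: the first fails (too short, one category, contains the account name),
# the second passes.
Test-PasswordComplexity -Password 'jsmith1' -SamAccountName 'jsmith'
Test-PasswordComplexity -Password 'Blue-Kettle-42' -SamAccountName 'jsmith'
```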
How it works...
Because we set requirements for password complexity in the Default Domain Policy, that requirement flows across our whole network. A solid password policy is very important in today's networks and just scratches the surface of Group Policy's abilities. These simple setting changes can make the difference in whether or not your company is compromised as a result of a brute force password attack.