IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.48 Password protection under Windows NT
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
For each user, access to a Windows NT system must be protected by a
password. User accounts without a password are not allowed to exist, as they
constitute a potential weakness in the system. It is important that users too are
familiar with the protective function of the passwords, since the co-operation
of users naturally contributes to the security of the overall system.
Setting up a new user is performed with the aid of the utility User Manager via
the command "New User". At the same time an initial password with a
maximum of 14 characters must be entered in the fields "Password" and
"Confirm Password". For passwords under Windows NT, the use of upper and
lower case letters must be observed. A meaningful initial password should be
allocated which is notified to the user. Always choosing the same initial
password or making this password identical to the user name opens up a
security gap which can be avoided with a little effort.
The option "User Must Change Password At Next Log-On" should be set with
all new accounts, so that the log-on password is not retained. On the other
hand, the option "User Cannot Change Password" should only be used in
exceptional cases, for instance for pre-defined accounts in the training
operation. The option "Password Never Expires" should only be used for user
accounts to which a service is assigned with the aid of the system control
option "Services" ( the reproduction service, for example), as it cancels the
setting "Maximum Password Age" in the Accounts Policy and prevents the
password from expiring.
Policy for user accounts, user rights and system monitoring can be stipulated
via User Manager. In the User Accounts Policy the figure 6 should be entered
as the minimum password length, for higher security requirements the figure 8
should be entered (see also S 2.11 “Provisions governing the use of
passwords“).
Password history should always be activated and should include at least 6
passwords. The duration of validity of the password ("Maximum Password
Duration") should be limited to a maximum period of 6 months. By fixing a
figure for "Minimum Password Duration", users can be prevented from
changing their password several times in a row with the object of by-passing
history validation. However, a period greater than 1 day should not be chosen
for “Minimum Password Duration“, in order to enable the user to change a
password at any time.
Note: The parameter "Allow Changes Immediately" must not be chosen under
version 3.51 of Windows NT, as otherwise validation of password history is
deactivated.
User accounts should be locked out following repeated invalid password
entries, in order to make attempts to guess the passwords of users more
difficult. The option "Account lockout" should in any case be activated. At the
same time the option "Lockout after", which fixes the number (1 to 999) of
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000