Account Security Parameters
Windows NT has the usual round-up of account security features. Your account records the groups of which you are a member. Groups on Windows NT are largely shorthand for lists of users: the system could provide the same security without them, you would just do a lot more typing. As a shorthand, however, they are a powerful way of simplifying access to objects, and as such they deserve careful planning and control.
There are a number of common-sense password controls imposed in a computer's "account policy," which applies to all accounts stored on that computer. You can set the minimum length of passwords, when they expire, whether users can change their password after it expires, and whether a user may reuse one of their last X passwords when choosing a new one, where X is up to 24. You can also set a minimum password age, which makes users live with a new password for several days and discourages them from cycling through new passwords to get back to an old favorite.
The most important password policy is the lockout policy. When a bogus password is presented a specified number of times in a row within a specified time period, the account locks and cannot be logged onto. Accounts can unlock automatically after a period of time, or administrators can designate that only they can unlock an account.
The lockout parameters and the complexity of an account's password (its length and the kinds of characters from which it's drawn) together determine the probability that it can be guessed. For example, a lockout policy of 6 tries in ? hour with a ? hour healing time means a penetrator who stays just below the threshold can guess at most 5 times per hour, or 120 times a day, which is 3,600 guesses in a 30-day month. Couple this with a password complexity of, say, 6 characters randomly drawn from the lower-case alphabet (26^6, roughly 309 million possibilities) and the chance that someone guessing at this maximum rate finds the password within a month is about 1 in 100,000 (3,600 / 309,000,000). This is the number you should care about. Raw password size is itself no measure of security: a longer password on a computer with no lockout policy can be weaker than a shorter one that is protected by lockout.
Note that lockout protection also applies to secondary (network) logons. A remote user can lock your domain account simply by presenting bad passwords for it to any computer on which that account is visible, preventing you from logging on anywhere: the same control that slows a password guesser hands an attacker a denial of service. No security comes without a cost. Being an administrator means seeking the appropriate balance.
One exception to lockout is that the built-in Administrator account never locks. Give it a nice, long, random password that you write down and lock up. Use this account only for "emergency" situations, and use other administrative accounts (which do lock) in day-to-day operations. This is common advice worth continually repeating. The Windows NT 4.0 Resource Kit contains a utility (passprop.exe, with its /ADMINLOCKOUT switch) that lets the Administrator account lock too, except for local logons on domain controllers. A great idea, but not really necessary if this account has a nice, long, random password.