Usernames and passwords are the most common credentials used during authentication. The username identifies the user, while the password is the secret that proves that identity.
| Control | Description |
|---|---|
| Account lockout | Account lockout disables a user account after a specified number of incorrect logon attempts. |
| Account restrictions | Account restrictions limit when and how a user account can be used for logon. For example, you can: |
| Account (password) policies | Account policies control the composition (length, complexity, age, history) and use of passwords. |
Be aware of the following for controlling user account and password security:
- For large environments, implement a password management system with self-service password reset. This lets users change their own passwords and ensures that only they know them. In a system where administrators hand out passwords that users cannot change, passwords are inherently insecure: no matter how complex the password is, more than one person knows it, which weakens the security of the system.
- Implement account auditing to track incorrect logon attempts. Small numbers of incorrect logon attempts occur naturally as users mistype or forget passwords. Large numbers of incorrect logon attempts could indicate an attacker trying to guess passwords.
- Scan systems to identify unused user accounts or accounts with blank passwords.
- When implementing account lockout and account policies on Microsoft systems:
  - The local security policy controls policies for user accounts defined on a local system.
  - For domain accounts, password and account lockout settings come from Group Policy linked at the domain level. Settings defined at other levels in Group Policy (site or OU) do not affect password or account lockout settings.
- Disable and/or remove unnecessary accounts installed by the operating system by default, and specific user accounts that are no longer needed.
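The account lockout and auditing controls described above, as an added example that is not part of the original material: a small tracker that applies a lockout policy (threshold, observation window, lockout duration) to a constructed sequence of logon attempts and then flags accounts whose failure count exceeds an audit alert threshold. The policy values and the sample attempts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failed attempts before the account is locked
    window_seconds: int = 900   # failures older than this no longer count
    lockout_seconds: int = 1800 # how long a locked account stays locked


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: int = 0                           # 0 means not locked


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = defaultdict(AccountState)

    def attempt(self, user: str, ts: int, success: bool) -> str:
        """Record one logon attempt; return 'success', 'failed' or 'locked'."""
        st, p = self.accounts[user], self.policy
        if ts < st.locked_until:
            return "locked"          # even a correct password is refused while locked
        while st.failures and ts - st.failures[0] > p.window_seconds:
            st.failures.popleft()    # expire failures outside the observation window
        if success:
            st.failures.clear()      # a good logon resets the counter
            return "success"
        st.failures.append(ts)
        if len(st.failures) >= p.threshold:
            st.locked_until = ts + p.lockout_seconds
            st.failures.clear()
            return "locked"
        return "failed"


# Constructed sample: (seconds since start, username, password was correct)
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (30, "alice", True),                     # one typo, then success
    (100, "bob", False), (110, "bob", False), (120, "bob", False),
    (130, "bob", False), (140, "bob", False),                     # 5th failure -> lockout
    (200, "bob", True),                                           # correct password, still locked
    (2000, "bob", True),                                          # lockout has expired
]


def replay(attempts, policy=None):
    tracker = LockoutTracker(policy or LockoutPolicy())
    return [(user, tracker.attempt(user, ts, ok)) for ts, user, ok in attempts]


def suspicious_accounts(results, alert_threshold=3):
    """Audit step: accounts with at least alert_threshold non-successful logons."""
    counts = defaultdict(int)
    for user, outcome in results:
        if outcome != "success":
            counts[user] += 1
    return {u: n for u, n in counts.items() if n >= alert_threshold}
```

Alice's single mistake never reaches the alert threshold, while Bob's burst both trips the lockout and shows up in the audit summary.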