Last modified: 2011-12-29 13:59:08 EET
Local Security Policy allows enforcing many system, user and security-related settings, such as password policy, audit policy and user rights. By default, most settings in Windows are fine, but some still need adjustment.
Sadly, Microsoft decided not to add the Local Security Policy console into home versions of Windows, so this article may safely be skipped by users of Windows' Starter, Home, Home Basic and Home Premium editions.
Please change only the settings listed in this article; if you do not know what you are doing, other settings could very well make your computer inoperable or inaccessible to other computers in your home network.
If you do decide to dig a little deeper, read a setting's description on the Explain tab thoroughly before changing it!
Windows XP users should use the keyboard shortcut Windows Key+R to open the Run dialog.
Windows Vista and 7 users should open the Start menu by clicking the Start button or pressing the Windows Key (or Ctrl+Esc) on the keyboard.
Type "gpedit.msc" into the Run dialog or the Start menu Search box and click OK or gpedit.msc.

Windows Vista will open another hot and sexy User Account Control dialog. Click Continue to open the console.
If you want to make sure that you and the other users of your computer have secure passwords and that passwords are changed after a defined number of days, you need to set up a password policy.
Expand Account Policies and click Password Policy on the left side of Local Security Settings window. Double-click Enforce password history on the right side of the window.
This setting defines how many previously used passwords Windows remembers for each user, to prevent frequent re-use of the same passwords. Usually, 3-5 is enough. Click OK to close the dialog.
Now change other settings of Password Policy by double-clicking on them (settings not listed below are fine by default):
The next time a user changes his/her password, it must be in accordance with Password Policy. If not, an error message will be displayed:
User must then enter a password that satisfies the Password Policy requirements.
Current passwords are not affected by the policy; the requirements are checked only when a password is changed. The one setting that does apply to current passwords is Maximum password age: they will have to be changed after the specified number of days.
You can read instructions on creating and remembering strong passwords in the Passwords article.
A strong password is good, but when a malicious program (or someone behind your keyboard) is trying to guess your password, the attempts must be stopped quickly. By default, anyone or anything can enter any password any number of times without being stopped by Windows. Such an attempt is called a brute-force attack, and you can stop it by creating an Account Lockout Policy: when a user enters a wrong password several times, the account is locked out for a specified period of time, during which the user cannot log on. Every attempt to log in during the lockout period extends the period.
Expand Account Lockout Policy on the left and double-click Account lockout threshold:
Specify the number of times a user can enter a wrong password before Windows locks the user account. I recommend using "5" for this.
Click OK.
Next, Windows offers default values for the Account lockout duration and Reset account lockout counter after settings. These specify how long a user account stays locked after too many wrong passwords have been entered (during that time, the user cannot log on to the computer) and after what period of time the count of wrong passwords is set back to zero.
The defaults are fine; click OK.
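The password history and account lockout values set above can also be checked, and applied, from a script. The following PowerShell script is an added example and not code from the original article: it exports the current local policy with secedit, reads the [System Access] section that holds these values, compares them with the article's recommendations and, when run with -Apply, writes them back through secedit /configure. Assumptions made here: PowerShell 3.0 or later and an elevated prompt (secedit needs administrator rights); the key names are secedit's own (PasswordHistorySize, LockoutBadCount, LockoutDuration, ResetLockoutCount), not the console's display names; and the target numbers PasswordHistorySize = 5 (the article says 3-5 is enough) and a 30-minute lockout duration and reset window (the defaults Windows proposes, which the article accepts) are this example's choices.

```powershell
# Added example, not part of the original article.
# Check (and with -Apply, set) the local password history and account lockout policy.
# Run from an elevated PowerShell 3.0+ prompt; secedit.exe needs administrator rights.
param([switch]$Apply)

# Recommended values. History 5 is taken from the article's 3-5 range; the two
# 30-minute values are the defaults Windows proposes once a threshold is set (assumption).
$desired = [ordered]@{
    PasswordHistorySize = 5    # "Enforce password history"
    LockoutBadCount     = 5    # "Account lockout threshold", article recommends 5
    LockoutDuration     = 30   # "Account lockout duration", in minutes
    ResetLockoutCount   = 30   # "Reset account lockout counter after", must not exceed LockoutDuration
}

function Get-SystemAccessPolicy {
    # secedit writes an INI-style file; the [System Access] section holds the
    # password and lockout values as "Key = Value" lines.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $inSection = $false
    $values = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            # Numeric values become integers; names such as NewAdministratorName stay strings.
            $raw = $Matches[2]
            $values[$Matches[1]] = if ($raw -match '^-?\d+$') { [int]$raw } else { $raw }
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $values
}

function Compare-AccountPolicy {
    # One row per recommended setting: current value, recommended value, match flag.
    $current = Get-SystemAccessPolicy
    foreach ($key in $desired.Keys) {
        [pscustomobject]@{
            Setting     = $key
            Current     = $current[$key]
            Recommended = $desired[$key]
            OK          = ($desired[$key] -eq $current[$key])
        }
    }
}

function Set-AccountPolicy {
    # Build a minimal security template containing only the [System Access] keys
    # and let secedit apply it; the temporary .sdb database is required by /configure.
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'
    $body = @('[Unicode]', 'Unicode=yes', '[System Access]')
    foreach ($key in $desired.Keys) { $body += ('{0} = {1}' -f $key, $desired[$key]) }
    $body += @('[Version]', 'signature="$CHICAGO$"', 'Revision=1')
    Set-Content -Path $inf -Value $body -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

$report = Compare-AccountPolicy
$report | Format-Table -AutoSize
if ($Apply -and ($report | Where-Object { -not $_.OK })) {
    Set-AccountPolicy
    'After applying:'
    Compare-AccountPolicy | Format-Table -AutoSize
}
```

Save the script as a .ps1 file and run it without arguments to see the comparison table only; add -Apply to enforce the recommended values. The export-and-parse step is worth keeping even if you set the values through the console, because it reads back what is actually in effect rather than what the dialog last showed, and an unexpected ResetLockoutCount larger than LockoutDuration is the usual reason an apply is rejected.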
The next article, Event Viewer, tells how to track successful and failed logons, password change attempts and policy changes. Before this can be done, an Audit Policy must be in place.
Expand Local Policies on the left side and click Audit Policy. Double-click the first item, Audit account logon events.
Check both Success and Failure boxes, then click OK.
Adjust other Audit Policy settings as on the image below:
With these settings we audit all events related to users logging on and off, all events related to account management (creating, deleting and changing user accounts), policy changes (the things we do in this article), failures of system events (drivers, services, etc. not starting or failing), process tracking and privilege use (possible security breaches). We do not need to audit object access, as this generates loads of useless events in Event Viewer. Directory service access applies to domain servers only, so we do not need that either.
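The audit categories described above can be compared with what is actually in effect using auditpol. The following PowerShell script is an added example, not code from the original article: it asks auditpol for each category's subcategories, checks them against the article's recommendations and, when run with -Apply, sets the categories accordingly. Assumptions made here: Windows Vista or 7 and later (Windows XP has no auditpol.exe), PowerShell 3.0 or later and an elevated prompt; the category names are auditpol's, so "Detailed Tracking" is the console's Process tracking entry and "DS Access" its Directory service access entry; and where the article only says a category is audited without naming Success or Failure, this example enables both.

```powershell
# Added example, not part of the original article.
# Compare the effective audit policy with the article's recommendations using auditpol,
# and with -Apply set it. Vista/7 or later, elevated PowerShell 3.0+ prompt.
param([switch]$Apply)

# Recommended audit settings per auditpol category. Success/Failure for categories the
# article does not spell out (policy change, process tracking, privilege use) is an assumption.
$desired = [ordered]@{
    'Account Logon'      = @{ Success = $true;  Failure = $true  }
    'Logon/Logoff'       = @{ Success = $true;  Failure = $true  }
    'Account Management' = @{ Success = $true;  Failure = $true  }
    'Policy Change'      = @{ Success = $true;  Failure = $true  }
    'System'             = @{ Success = $false; Failure = $true  }  # failures only
    'Detailed Tracking'  = @{ Success = $true;  Failure = $true  }  # "Process tracking"
    'Privilege Use'      = @{ Success = $true;  Failure = $true  }
    'Object Access'      = @{ Success = $false; Failure = $false } # too noisy, per the article
    'DS Access'          = @{ Success = $false; Failure = $false } # domain servers only
}

function Get-CategoryAuditSetting {
    param([string]$Category)
    # "auditpol /get ... /r" prints CSV with one row per subcategory; the
    # "Inclusion Setting" column reads "No Auditing", "Success", "Failure" or
    # "Success and Failure". This is the policy the Security log actually honours.
    $rows = & auditpol.exe /get "/category:$Category" /r | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Category    = $Category
            Subcategory = $row.Subcategory
            Success     = ($row.'Inclusion Setting' -match 'Success')
            Failure     = ($row.'Inclusion Setting' -match 'Failure')
        }
    }
}

function Compare-AuditPolicy {
    # One row per subcategory, flagged OK when both flags match the recommendation.
    foreach ($cat in $desired.Keys) {
        $want = $desired[$cat]
        foreach ($sub in Get-CategoryAuditSetting -Category $cat) {
            [pscustomobject]@{
                Category    = $cat
                Subcategory = $sub.Subcategory
                Success     = $sub.Success
                Failure     = $sub.Failure
                OK          = ($sub.Success -eq $want.Success -and $sub.Failure -eq $want.Failure)
            }
        }
    }
}

function Set-AuditPolicy {
    # Setting a category applies the same Success/Failure flags to all its subcategories.
    foreach ($cat in $desired.Keys) {
        $s = if ($desired[$cat].Success) { 'enable' } else { 'disable' }
        $f = if ($desired[$cat].Failure) { 'enable' } else { 'disable' }
        & auditpol.exe /set "/category:$cat" "/success:$s" "/failure:$f" | Out-Null
    }
}

$report = Compare-AuditPolicy
$report | Where-Object { -not $_.OK } | Format-Table -AutoSize
if ($Apply -and ($report | Where-Object { -not $_.OK })) {
    Set-AuditPolicy
    'Remaining mismatches after applying:'
    Compare-AuditPolicy | Where-Object { -not $_.OK } | Format-Table -AutoSize
}
```

Run without arguments to list only the subcategories that differ from the recommendation; an empty table means the policy already matches. Checking with auditpol rather than in the console matters on Vista and 7 because the nine console categories are expanded into subcategories, and if the two ever disagree it is the subcategory settings auditpol shows that decide what lands in the Security log (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" controls which side wins).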
Other settings in Local Security Policy are good by default, so we just need to apply the policies we changed (again, do not mess with settings not described here; they can easily make your computer inoperable and ruin your day or even your week!).
To do that, right-click on the Security Settings on the top of the left pane and click Reload.
You can now close Local Security Settings window and read on to find out about tracking system and security events using Event Viewer.
© Copyright 2009-2012 - Margus Saluste