
Local Security Policy in Windows

Author: . Last modified: 2012-08-03 13:32:23 EEST

In this tutorial: How to change the most important Local Security Policy settings in Windows XP, Vista, 7 and 8

Local Security Policy lets you enforce many system-, user- and security-related settings, such as the password policy, audit policy and user rights. Event Viewer can then be used to review the log events these settings produce. Most of the defaults in Windows are fine, but some settings still need adjustment.

Sadly, Microsoft left the Local Security Policy console out of the home editions of Windows, so users of Windows Starter, Home, Home Basic and Home Premium can skip the console parts of this article. The underlying settings still exist on those editions: the Account Policies described below can be set from an elevated command prompt with the net accounts command, and on Windows Vista and later the audit settings with auditpol. The console is only a graphical front end for them.
In Windows 8, most account security settings affect local accounts only, not Microsoft accounts. See the User management in Windows article for the differences between these sign-in options.

Please change only the settings listed in this article; other settings could very well make your computer inoperable, or unreachable by the other computers in your home network, if you do not know what you are doing.

If you do decide to dig a little deeper, read a setting's description on Explain tab thoroughly before changing it!

Opening Local Security Policy console in Windows

In all non-home versions of Windows, open Run dialog using keyboard shortcut Windows Key+R. Type secpol.msc and click OK. Windows Vista and 7 users can also type this into Start menu Search box and press Enter.
Please note that in Windows 8, Local Security Policy is available in Start screen search results only if you have enabled the displaying of Administrative Tools.
Touch screen users can swipe in from the right edge of screen, tap Search, type a part of "administrative tools" into Search box and click the result. Then open Local Security Policy from the window.
Windows XP, Run dialog. To open Local Security Policy console, type "secpol.msc" and click OK.

Windows Vista will show a User Account Control prompt, because the console needs administrative rights. Click Continue to open the console.
Windows Vista, User Account Control dialog for Microsoft Management Console. Click Continue.

There is also a much more detailed configuration console available - Local Group Policy. To access this, open Run dialog using keyboard shortcut Windows Key+R, type gpedit.msc and click OK.
Settings described below are in Computer Configuration, Windows Settings, Security Settings section of Local Group Policy console window.
Again, please do not change any settings not described below unless you really know what you are doing. Always read the setting explanation thoroughly!
Windows XP, Run dialog. To open Local Group Policy Editor, type gpedit.msc and click OK.
Windows 7, Local Group Policy Editor.

Defining a Password Policy in Windows

If you want to make sure that you and the other users of your computer have strong passwords and that passwords are changed after a defined number of days, you need to set up a password policy. Note that this policy governs local accounts only; on a domain-joined computer the domain's password policy applies to domain accounts.

Expand Account Policies and click Password Policy on the left side of Local Security Settings window. Double-click Enforce password history on the right side of the window.
Windows XP, Local Security Policy. To define a Password Policy, expand Account Policies and click Password Policy.

This setting defines how many previously used passwords Windows remembers for each user, so that a user cannot switch straight back to an old password. Usually, 3-5 is enough (the maximum is 24). Click OK to close the dialog.
Windows 7, Local Security Policy, Password Policy - Enforce password history. Password history prevents users from re-using their previously used passwords. Type 3 and click OK button.

Now change the other settings of Password Policy by double-clicking on them (settings not listed below are fine by default):

  • Maximum password age - default is "42". This specifies for how many days a user can keep the same password for his/her Windows account.
    You can set the number higher if you want to ("90" is a suggested value), but keep in mind that you should change your password at least once a year, so do not enter more than "365" here. "0" means the password never expires.
  • Minimum password age - default is "0", meaning that users can change their passwords whenever they like. Set this to "1", so that a password must be in effect for at least 1 day (24 hours) before the user can change it again. Without a minimum age, password history is toothless: a user can change the password a few times in a row and land back on the old one within a minute.
  • Minimum password length - set to "8". This means that a password must be at least 8 characters long.
  • Password must meet complexity requirements - set to "Enabled". The rule is often described loosely; what Windows actually checks when a password is changed is that it contains characters from at least three of these five categories: uppercase letters, lowercase letters, digits, non-alphanumeric characters (punctuation marks, for example) and other alphabetic Unicode characters (such as Asian scripts). The password must also be at least 6 characters long and must not contain the user's account name, nor any part of the full name longer than two characters (both checks ignore case).
    This is a very important step in keeping user accounts secure in Windows.
  • Store passwords using reversible encryption - always leave at "Disabled". If you enable this policy, Windows stores every password in a form it can decrypt again, which is as good as storing them in plain text: anyone who gets hold of the password store has all the passwords without having to crack anything.

The next time a user changes his/her password, it must comply with the Password Policy. If it does not, an error message will be displayed:
Windows Vista, Local Security Policy - User Account Control Panel. If password history, length or complexity rules are ignored, an error message will pop up.

The user must then enter a password that satisfies the Password Policy requirements.
Existing passwords are not affected by the policy; the requirements are checked only when a password is changed. The one setting that does apply immediately is maximum password age: existing passwords will have to be changed once they are older than the specified number of days.
You can read instructions on creating and remembering strong passwords in the Passwords article.
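The complexity rule is easy to misjudge by hand. The following PowerShell function is an added example, not part of the original article: it applies the same rule Windows uses when the policy is enabled, so you can try a candidate password before a user runs into the error dialog. The function and parameter names are my own.

```powershell
# Added example, not from the original article. Mirrors the check behind
# "Password must meet complexity requirements". Function and parameter names
# are arbitrary choices.
function Test-WindowsPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',   # logon name, e.g. 'jsmith'
        [string]$FullName    = ''    # full name / display name, e.g. 'John Smith'
    )
    $pw = $Password.ToLowerInvariant()

    # The complexity filter itself demands at least 6 characters; the separate
    # "Minimum password length" setting is enforced on top of this.
    if ($Password.Length -lt 6) { return $false }

    # Must not contain the account name (case-insensitive). Windows skips this
    # check when the account name is shorter than three characters.
    if ($AccountName.Length -ge 3 -and $pw.Contains($AccountName.ToLowerInvariant())) { return $false }

    # The full name is split on commas, periods, dashes, underscores, spaces,
    # pound signs and tabs; no token longer than two characters may appear.
    foreach ($token in ($FullName -split '[,.\-_ #\t]+')) {
        if ($token.Length -gt 2 -and $pw.Contains($token.ToLowerInvariant())) { return $false }
    }

    # Characters must come from at least three of the five categories.
    $chars = $Password.ToCharArray()
    $categories = 0
    if ($chars | Where-Object { [char]::IsUpper($_) })        { $categories++ }   # A-Z
    if ($chars | Where-Object { [char]::IsLower($_) })        { $categories++ }   # a-z
    if ($chars | Where-Object { [char]::IsDigit($_) })        { $categories++ }   # 0-9
    if ($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }) { $categories++ }   # ! $ # % ...
    if ($chars | Where-Object { [char]::IsLetter($_) -and -not [char]::IsUpper($_) -and -not [char]::IsLower($_) }) {
        $categories++                                                               # other alphabetic Unicode
    }
    return ($categories -ge 3)
}

# Sample calls (constructed inputs):
Test-WindowsPasswordComplexity -Password 'Summer2012'   -AccountName 'jsmith' -FullName 'John Smith'
Test-WindowsPasswordComplexity -Password 'jsmith!2012'  -AccountName 'jsmith' -FullName 'John Smith'
Test-WindowsPasswordComplexity -Password 'password'     -AccountName 'jsmith' -FullName 'John Smith'
```

Of the three sample calls, only the first passes: 'Summer2012' draws on three categories, 'jsmith!2012' is rejected because it contains the account name, and 'password' uses a single category. Note that passing this check says nothing about the password being hard to guess; 'Summer2012' is a textbook weak password that happens to satisfy the rule, which is why the Passwords article matters more than the policy.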

Defining an Account Lockout Policy

A strong password is good, but when a malicious program (or someone at your keyboard) is trying to guess your password, the attempts must be stopped quickly. By default, anyone or anything can try any number of passwords without Windows ever stepping in. Trying passwords one after another like this is called a brute-force attack, and you can blunt it with an Account Lockout Policy: when a user enters a wrong password several times, the account is locked for a specified period of time and cannot log on until that period has expired (or an administrator unlocks it). Keep in mind that this cuts both ways: anyone who can reach the logon screen or a shared folder of your computer can lock a user out on purpose by typing wrong passwords, so do not set the threshold too low.

Expand Account Lockout Policy on the left and double-click Account lockout threshold:
Windows Vista, Local Security Policy - Account Lockout Policy. Double-click Account lockout threshold.

Specify the number of times a user can enter a wrong password before Windows locks the user account. I recommend using "5" for this.
Click OK.
Windows 7, Local Security Policy - Account Lockout threshold Properties. Specify Account lockout threshold - the number of times a user can enter a wrong password before the account is locked. 5 is recommended. Then click OK.

Next, Windows suggests values for the Account lockout duration and Reset account lockout counter after settings (30 minutes each). The first specifies for how long a user account stays locked after too many wrong passwords (during that time the user cannot log on to the computer); the second specifies after how many minutes without a failed attempt the count of wrong passwords is set back to zero. An Account lockout duration of "0" keeps the account locked until an administrator unlocks it.
The defaults are fine, click OK.
Windows 7, Local Security Policy - Account Lockout Policy, Suggested Value Changes. After specifiying Account lockout threshold, Windows offers default values for Account lockout duration and Reset account lockout counter after settings. Defaults are good, click OK.
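The two sections above (Password Policy and Account Lockout Policy) together make up the Account Policies. As an added example that is not part of the original article, the following PowerShell script checks the current values against the ones recommended above and can apply them in one go through secedit.exe, the command-line tool the console itself relies on. It assumes an elevated PowerShell prompt; the function names and temporary file names are my own, and the setting names are the ones secedit writes into the [System Access] section of an exported security template.

```powershell
# Added example, not from the original article. Audits and applies the
# Account Policies recommended above using secedit.exe. Assumes an elevated
# PowerShell prompt; function and file names are arbitrary choices.

# Recommended values, keyed by the names secedit uses in [System Access].
$Recommended = [ordered]@{
    PasswordHistorySize   = 3    # Enforce password history
    MaximumPasswordAge    = 90   # Maximum password age (days); anything from 1 to 365 is accepted below
    MinimumPasswordAge    = 1    # Minimum password age (days)
    MinimumPasswordLength = 8    # Minimum password length
    PasswordComplexity    = 1    # Password must meet complexity requirements: Enabled
    ClearTextPassword     = 0    # Store passwords using reversible encryption: Disabled
    LockoutBadCount       = 5    # Account lockout threshold
    LockoutDuration       = 30   # Account lockout duration (minutes)
    ResetLockoutCount     = 30   # Reset account lockout counter after (minutes)
}

function Get-LocalAccountPolicy {
    # Export the effective local policy and parse the [System Access] section.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; is the prompt elevated?' }

    $current = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {          # the export is UTF-16 with a BOM; Get-Content copes
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $current[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -Force
    return $current
}

function Compare-LocalAccountPolicy {
    # One row per setting. MaximumPasswordAge is accepted anywhere in 1..365;
    # secedit reports -1 when passwords are set never to expire.
    $current = Get-LocalAccountPolicy
    foreach ($key in $Recommended.Keys) {
        $have = $current[$key]
        $ok = if ($key -eq 'MaximumPasswordAge') { $have -ge 1 -and $have -le 365 } else { $have -eq $Recommended[$key] }
        [pscustomobject]@{
            Setting     = $key
            Current     = $have
            Recommended = $Recommended[$key]
            Status      = if ($ok) { 'OK' } else { 'CHANGE' }
        }
    }
}

function Set-LocalAccountPolicy {
    # Write a minimal security template and apply only the SECURITYPOLICY
    # area, so nothing outside Account Policies is touched.
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
    foreach ($key in $Recommended.Keys) { $lines += "$key = $($Recommended[$key])" }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure returned exit code $LASTEXITCODE" }
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
}

# Usage: review first, then apply, then review again.
Compare-LocalAccountPolicy | Format-Table -AutoSize
# Set-LocalAccountPolicy
# Compare-LocalAccountPolicy | Format-Table -AutoSize
```

The apply step is commented out on purpose; run the comparison, read the table, and only then call Set-LocalAccountPolicy. Applying a template through secedit is the same operation the console performs when you click OK, so a wrong value in $Recommended has the same consequences as a wrong value typed into the console; keep the list to the Account Policies shown.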

Defining an Audit Policy

The next article, Event Viewer, explains how to track successful and failed logons, password change attempts and policy changes. Before that can be done, an Audit Policy must be in place, because by default a standalone Windows computer records almost none of these events.

Expand Local Policies on the left side and click Audit Policy. Double-click the first item, Audit account logon events.
Check both Success and Failure boxes, then click OK.
Windows 7, Local Security Policy - Audit Policy, Audit account logon events Properties. Check both Success and Failure boxes. Click OK.

Adjust other Audit Policy settings as on the image below:
Windows 7, Local Security Policy - Audit Policy. Suggested auditing settings for Windows.

These settings say that we want to audit all events related to users logging on and off (Audit logon events records the logon session itself, Audit account logon events records the credential check behind it; on a standalone computer both happen locally, so turn on both), all events related to account management (creating, deleting and changing user accounts), policy changes (the things we do in this article), failures of system events (drivers or services failing to start), process tracking (an event for every program that is started) and privilege use (a user exercising a sensitive right, which may point to a security breach). We do not need to audit object access: it generates loads of useless events in Event Viewer and is only meaningful once you also attach audit entries to specific files or registry keys. Directory service access is for domain controllers only, so we do not need it either. On Windows Vista and later, each of these nine categories is really a group of subcategories; the console switches the whole group on or off, while the auditpol command lets you tune the subcategories individually.
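The same choices can be made from the command line on Windows Vista and later. The script below is an added example, not part of the original article: it applies the audit settings described above with auditpol.exe and reads back the effective policy per subcategory. It assumes an elevated prompt; the category names are the ones auditpol reports, and the success/failure split for Detailed Tracking and Privilege Use is my own reading of the text (process tracking needs success events to be useful, privilege use is very noisy with success events on), so adjust the table if your screenshot says otherwise.

```powershell
# Added example, not from the original article. Applies the audit choices
# described above with auditpol.exe (Windows Vista and later) and reads back
# the effective policy. Assumes an elevated prompt; function names and the
# success/failure choices for Detailed Tracking and Privilege Use are mine.

# Legacy Audit Policy item -> auditpol category, with the desired settings.
$AuditPlan = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }  # Audit account logon events
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }  # Audit logon events
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }  # Audit account management
    @{ Category = 'Policy Change';      Success = $true;  Failure = $true  }  # Audit policy change
    @{ Category = 'System';             Success = $false; Failure = $true  }  # Audit system events: failures only
    @{ Category = 'Detailed Tracking';  Success = $true;  Failure = $true  }  # Audit process tracking
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  }  # Audit privilege use: failures only
    @{ Category = 'Object Access';      Success = $false; Failure = $false }  # far too noisy, leave off
    @{ Category = 'DS Access';          Success = $false; Failure = $false }  # domain controllers only
)

function Set-ArticleAuditPolicy {
    # Setting a category applies the same value to every subcategory in it,
    # which matches what the Local Security Policy console does.
    foreach ($item in $AuditPlan) {
        $s = if ($item.Success) { 'enable' } else { 'disable' }
        $f = if ($item.Failure) { 'enable' } else { 'disable' }
        $argList = @('/set', "/category:$($item.Category)", "/success:$s", "/failure:$f")
        & auditpol.exe @argList | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$($item.Category)'" }
    }
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting; one row per subcategory.
    & auditpol.exe /get '/category:*' /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Set-ArticleAuditPolicy
Get-EffectiveAuditPolicy | Format-Table -AutoSize
```

Two caveats. On Windows XP only the nine categories exist and auditpol is not available, so use the console there. On Vista and later, if you later edit the legacy categories in the console, the security setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" decides which of the two wins; check it before mixing the console and auditpol on the same computer.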

Applying changed settings in Local Security Policy

Other settings in Local Security Policy are good by default, so we just need to make sure the policies we changed are in effect (again, do not mess with settings not described here, they can easily make your computer inoperable and ruin your day or even week!).

Settings changed in the Local Security Policy console are written to the local policy database when you click OK. To confirm that the console shows what is really in effect, right-click Security Settings at the top of the left pane and click Reload, which re-reads the stored policy.
Windows XP, Local Security Policy. To apply changed settings, right-click on Security Settings on the top of left pane and click Reload.

You can now close Local Security Settings window and read on to find out about tracking system and security events using Event Viewer.

If you used the Local Group Policy console instead, run gpupdate /force from a command prompt to apply the changes, or restart the computer. A restart is the surest way to be certain everything has taken effect.


