Changing Password Policies on Windows Server

Published on 2022-01-11

Category: Miscellaneous

Don’t be this person, and don’t let those around you become this person. I know it can be a real drag to remember longer and more complex passwords, but weak domain passwords are still one of the cheapest ways into a network: a single guessable password on a domain account is enough for password spraying or an offline crack of a dumped hash. In this blog I’ll walk you through changing the password policy on Windows Server so that everyone in your domain has to pick a stronger password.

Pre-requisites

Before we begin, ensure you have the following:

  • A Windows Server domain controller (or a management server with the Group Policy Management console installed as part of RSAT).
  • An account that is allowed to edit domain-level Group Policy Objects, typically a member of Domain Admins.
  • A test user account you can use to confirm the new policy is being enforced.

Step-by-Step Guide

  1. Select “Tools” on the upper right side of the Server Manager interface and select “Group Policy Management.”

  2. Within the Group Policy Management window, expand Forest ➤ Domains ➤ your domain, right-click “Default Domain Policy” and select “Edit…”. Two things to keep in mind here: the password policy for domain user accounts is only read from GPOs linked at the domain level (the PDC emulator applies the highest-precedence domain-linked GPO to the domain object), so a password policy placed in a GPO linked to an OU only affects the local accounts on computers in that OU. And if you need stricter rules for a subset of accounts, such as administrators, use a Fine-Grained Password Policy (Active Directory Administrative Center ➤ your domain ➤ System ➤ Password Settings Container) rather than a second GPO, because only one domain-linked GPO’s password settings can win.

  3. Now, we want to get to the “Password Policy” section. The path is the same on Windows Server 2012, 2016 and 2019:

      Computer Configuration ➤ Policies ➤ Windows Settings ➤ Security Settings ➤ Account Policies ➤ Password Policy

     The neighbouring “Account Lockout Policy” node under “Account Policies” is worth reviewing at the same time, since a strong password policy does little against online guessing if there is no lockout at all.

  4. There are several policies that we can configure. To edit one, double-click it, tick “Define this policy setting” and enter the value. Here’s a rundown of each password policy listed (screens based on Windows Server 2016):

    • Enforce password history: The number of previous passwords (0 to 24) the domain remembers and refuses to accept again. The domain default is 24; keep it there so users cannot cycle straight back to a recently used password.
    • Maximum password age: The maximum number of days a password may be used before the user is forced to change it (0 means never expire; the domain default is 42). Note that current guidance (NIST SP 800-63B, and Microsoft’s own security baseline since 2019) no longer recommends forced periodic expiry, because it pushes users towards predictable increments like Summer2022 ➤ Autumn2022; rotating on suspected compromise is still expected. If you do set an age, 60 or 90 days are the common choices.
    • Minimum password age: The minimum number of days a password must be kept before it can be changed again. Setting it to 1 day stops a user from changing their password 24 times in a row to flush the history and return to the old favourite; leaving it at 0 makes the history setting pointless.
    • Minimum password length: The minimum number of characters required. The domain default is 7, which is far too short against offline cracking; 14 or more is a sensible floor today, and a passphrase is easier for users to remember than a short string of symbols.
    • Minimum password length audit: Lets you trial a higher length before enforcing it. Set it to the length you intend to require; any password change shorter than that value is still accepted but generates an event in the System log, so you can count how many users would be affected. The setting only appears on newer Windows versions and administrative templates.
    • Password must meet complexity requirements: When enabled, a new password must contain characters from at least three of the following five categories:
      • Uppercase letters
      • Lowercase letters
      • Digits (0–9)
      • Nonalphanumeric characters (e.g., !, @, #)
      • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase.
      In addition, the password may not contain the user’s samAccountName (checked as a whole, and only when it is at least three characters long) nor any token of three or more characters from the user’s displayName (split on commas, periods, hyphens, underscores, spaces, pound signs and tabs). Both of those checks are case-insensitive. Complexity is applied together with minimum length, so “P@ss1” is rejected by length even though it satisfies the categories.
    • Store passwords using reversible encryption: Stores the password in a form from which the clear-text value can be recovered, which is practically the same as storing it in clear text: anyone who can read the directory database or a backup of it gets the password itself rather than a hash. Leave this disabled unless a specific application genuinely requires it (legacy CHAP-based remote access or IIS Digest authentication are the usual cases), and even then enable it on the individual user accounts that need it rather than domain-wide.
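The same settings can be read back and, for privileged accounts, tightened from PowerShell. The following is an added example and not code from the original post: it assumes the ActiveDirectory module (the RSAT-AD-PowerShell feature, present on every domain controller), a session running as a Domain Admin, and a hypothetical policy name “Tier0-Admins-PSO” chosen for the example. It shows the effective domain policy produced by the steps above, creates a Fine-Grained Password Policy for Domain Admins, and checks which policy a given account actually ends up with.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module
# installed (RSAT-AD-PowerShell), session running as a member of Domain Admins.
# 'Tier0-Admins-PSO' is a hypothetical name used only for this example.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Read the domain-wide policy. These values live on the domain object and
#    are written there by the PDC emulator when it applies the domain-linked
#    GPO edited in the steps above, so this is the effective baseline.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                MinPasswordAge, MaxPasswordAge, ReversibleEncryptionEnabled

# 2. Stricter settings for privileged accounts through a Fine-Grained Password
#    Policy (PSO). A PSO overrides the domain policy for its subjects and is
#    not overwritten when the Default Domain Policy GPO is re-applied.
#    Requires Windows Server 2008 or later domain functional level.
$pso = @{
    Name                        = 'Tier0-Admins-PSO'
    Precedence                  = 10            # lowest value wins if several PSOs apply
    ComplexityEnabled           = $true
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 365
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    LockoutDuration             = New-TimeSpan -Minutes 30
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins-PSO' -Subjects 'Domain Admins'

# 3. Verify what a specific account actually gets. Returns the winning PSO,
#    or nothing if the account is covered only by the domain policy.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

Set-ADDefaultDomainPasswordPolicy also exists, but it writes the attributes on the domain object directly; the next time the PDC emulator refreshes Group Policy, the values defined in the domain-linked GPO win again. For the domain-wide baseline, change the GPO as described above and use the cmdlet only to confirm the result.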

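Because the complexity rule has more to it than “three of five categories”, it is useful to be able to test candidate passwords (or the output of a password generator) before the policy goes live. The function below is an added example, not code from the original post and not Windows’ own implementation: it reproduces the documented rules (category counting, the samAccountName check, and the displayName token check) as an approximation, using .NET Unicode regex classes. The sample accounts and passwords at the bottom are constructed for the example.

```powershell
# Added example (not from the original post): an approximation of the
# documented "Password must meet complexity requirements" rules, plus the
# minimum-length check, for testing candidates before enforcement.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = '',
        [int]    $MinLength      = 14
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt $MinLength) {
        $reasons.Add("length $($Password.Length) is below the minimum of $MinLength")
    }

    # The five character categories; a compliant password needs three of them.
    # -cmatch (case-sensitive) is deliberate: with case-insensitive matching,
    # .NET lets \p{Lu} match lowercase letters as well.
    $categories = [ordered]@{
        'uppercase'        = '\p{Lu}'
        'lowercase'        = '\p{Ll}'
        'digit'            = '[0-9]'
        'non-alphanumeric' = '[^\p{L}\p{N}]'
        'other letter'     = '[\p{Lt}\p{Lm}\p{Lo}]'   # caseless scripts, e.g. CJK
    }
    $present = @($categories.Keys | Where-Object { $Password -cmatch $categories[$_] })
    if ($present.Count -lt 3) {
        $reasons.Add("only $($present.Count) of 5 character categories present ($($present -join ', '))")
    }

    # Account-name checks are case-insensitive. samAccountName is compared as a
    # whole and skipped when it is shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add("contains the account name '$SamAccountName'")
    }

    # displayName is split on , . - _ space # and tab; every token of three or
    # more characters must be absent from the password.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains the display-name token '$t'")
        }
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

# Constructed sample inputs (not real accounts):
$user = @{ SamAccountName = 'jsmith'; DisplayName = 'Smith, John'; MinLength = 14 }
Test-PasswordComplexity -Password 'Summer2024!' @user                    # rejected: too short
Test-PasswordComplexity -Password 'johnsmith-was-born-in-1970' @user     # rejected: name tokens 'John' and 'Smith'
Test-PasswordComplexity -Password 'correct-horse-battery-staple-42' @user  # compliant: lower, digit, hyphen
```

The third sample passes with only lowercase letters, digits and hyphens, which is the point: a long passphrase clears the complexity bar without symbols the user will forget, so raising the minimum length does more for you than insisting on “three of five” alone.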
Conclusion

Thank you for reading my first-ever blog post! Implementing strong password policies is a fundamental step in securing your network and protecting sensitive data. By following the steps outlined above, you can ensure that users within your organization create robust passwords, thereby enhancing your overall security posture. Please consider following my blog for more explanations on the latest security news and walkthroughs on security-related activities!