Understanding the notion of policy

Security policy is the set of all security rules that are to be implemented in an organisation, and the ways in which they are implemented. The user manager located in the Start Menu (Programs/Administration tools) contains the Policy tag, which includes three elements:

• Account Policy, with options (check-box or radio buttons) for user connections (options for passwords)
• User Rights Policy, which defines the permissions granted to each type of user
• Audit Policy, which defines which events are to be recorded in a log file that can then be viewed with the Event Viewer.

Account Policy

Account Policy is used for selecting password options.

Every account requires a password to access network resources. Some rules are in place to guarantee the best possible security.

• Assign a password to the Administrator account in order to prevent use of that account by an unauthorised person.
• Determine who controls passwords. It is possible to assign a unique password to a user or give him or her the capability to change it after logging in for the first time, which allows the user to choose his or her own password.
• Determine if an account should expire. It is helpful to create temporary accounts for temporary employees.
• Avoid using obvious passwords (like the name of a parent or a pet)
• Use a long password (up to 14 characters)
• Alternate uppercase and lowercase. Passwords are case-sensitive.

The first section of the dialog box is for users' passwords. Passwords are a gateway into the system's security, so it is essential to encourage users to choose passwords that are at least somewhat difficult to guess.

Here are the options offered:

• Password Restrictions
  • Maximum Password Age defines the length of time that the user may use the password before being required to change it.
  • Minimum Password Age prevents a user from changing the password too often.
  • Minimum Password Length ensures that the password is long enough to stop attempted intrusions.
  • Password Uniqueness: This option keeps a log file of all different passwords used, in order to force the user to choose an entirely new one when needed.
• Account lockout
  • Lockout duration
  Determines the number of consecutive failed login attempts before the system blocks the account, and the conditions for unblocking it (a length of time or administrator intervention).
• The user must change his or her password the next time he or she logs in. The user is also supposed to change the password the first time he or she logs in. This ensures that the user is the only person who knows the password.
• User cannot change password: If several people use the same user account, or if you want to retain control over passwords.
• Password never expires: The password may not change. This option has priority over the first.
• Account deactivated: For temporarily suspending an account.

User Rights Policy

User Rights Policy defines which permissions are granted to each type of user in the system.

Audit Policy

Audit Policy is used to audit certain events (meaning that it records them on the hard drive), or more precisely, to check whether certain system events have succeeded or failed.

Audit Policy appears as a dialog box where an administrator can simply check or uncheck boxes to set the desired policy.

Last update on Thursday October 16, 2008 02:43:16 PM.This document entitled « Security Policies in Windows NT » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.