Configuring password policies
If you allow access to the server from the Internet, it is strongly recommended that you enforce the use of strong passwords. Using strong passwords provides an additional layer of defense against an unauthorized user gaining access to your network. A strong password meets the following requirements:
- Does not contain all or part of the user's account name.
- Contains at least six characters.
- Contains characters from three of the following four categories:
- English uppercase characters (A through Z).
- English lowercase characters (a through z).
- Numbers (0 through 9).
- Non-alphanumeric characters (for example, !, $, #, %).
Windows Small Business Server 2003 allows you to configure strong password policies on your local network. You are prompted to enable strong passwords after running the Configure E-mail and Internet Connection Wizard or the Remote Access Wizard if the password policies are not enabled. You can also enable or change password policies by clicking Configure Password Policies from the Manage Users taskpad in Server Management. For more information, see Configure password policies.
Windows Small Business Server password policies
By default, all password policies are disabled so that you can use simple or blank passwords while configuring the client computers during the initial stages of deployment.
You are prompted to enable strong passwords after completing the Connect to the Internet task on the To Do List. You can choose to enable the password policies immediately or after a specified period of time. The default value for enabling the password policy is 3 days. This means that when the policy is applied, it does not take effect for three days. If you delay the enabling of password policies for a few days, it simplifies the process of setting up user accounts and client computers because you can work on the client computers without the password policy restrictions. To complete the configuration of client computers, you typically must log on to each client computer. If you chose to enable password policies immediately, you must use strong passwords to log on to each client computer.
After you enable or change password policies, all users are required to change their passwords the next time they log on. For information about password policies that are set by using Configure Password Policies, see Configure password policies.
After you create the password policy, you need to tell your users about what it is.
Educating users about strong passwords
After implementing a strong password policy, educate users about good and bad passwords. Remind users that the best password is useless if it is written on a note and placed on the monitor.
General password recommendations
A password should not contain:
- A user's name or e-mail alias
- The name of the user's child, parent, spouse, or friend
- Any word found in a dictionary
- An old password which is reused just by appending numbers
- A birth date
- A phone number
- A social security number or other identification number
- Any easily obtained personal information
Recommendations for protecting the Administrator account password
Because the Administrator account is a well-known and powerful account, it is recommended that you do the following:
- Use a strong password at all times.
- Log on with your user account, not with the Administrator account.
- Never leave a computer unattended while you are logged on.
- Do not give others the password for the Administrator account.