
Good Security Group Policies for Users in a Domain Environment


Good Security Group Policies in a Domain Environment

In a domain environment you may be asked to set some additional group policies in order to create a more secure environment for users. There are a few group policies that can really help the administrator out in Windows 2008 R2. These group policies are centered on enabling smart cards and setting security account policies in group policy.

Enabling Smart Cards for Dual Authentication

Enabling smart cards for dual authentication is a good idea when the administrator wants to strengthen security in the domain environment. In a domain that requires smart cards, an attacker who has obtained a password still cannot access sensitive information without physical access to both a machine and the user's smart card. Smart cards store an encrypted key on the card itself, which is used to authenticate user credentials.

Smart cards can be enabled either on a home PC or by an administrator in a domain environment. Either way, we will be dealing with group policy. An administrator in a domain environment should open the default group policy or create a new group policy. A home user who wants to enable smart cards should open the Start menu and type gpedit.msc. This opens the MMC with the local group policies.

From here, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and click on the Security Options folder. There are two group policies we will be looking at with smart card authentication. These two group policies are:

  1. Interactive logon: Require smart card
  2. Interactive logon: Smart card removal behavior

The first group policy’s function is straightforward: enable it to require a smart card for logging on, or disable it to not require one. The second group policy, when enabled, performs an action when the smart card is removed from the computer. The actions a person can specify are:

  1. No Action
  2. Lock Workstation
  3. Force logoff
  4. Disconnect if a Remote Desktop Services session

Setting Security Account Policies for Users in a Domain

Account policies, such as enforcing a minimum password length and limiting the number of times a person can try to log in, can be found in the group policy editor. To change these policies, expand Computer Configuration, Windows Settings, Security Settings, and Account Policies. There are a variety of password management settings that can be set, such as password age and length, complexity, storing passwords using reversible encryption, and password history.

Account lockout policies determine what happens when a user tries and fails to log on a certain number of times. In order to prevent the use of a brute force password cracking tool, it is common practice to set the number of times a user can attempt to log on before the system stops accepting passwords for a period of time. For a domain that has set secure password policies, I know that for myself I would at least appreciate 10 tries before I am locked out of my account. That’s because we live in an age where we are constantly trying to keep track of different passwords and don’t always remember the right password to the right account, or the right account to the right password for that matter.

Because we live in a time where information is stored on machines that are theoretically accessible by anyone with the means and will, we need to ensure that only the right people can access these resources. Setting password policies and lockout policies can keep password crackers from succeeding with tools such as a brute force password cracking tool. A brute force password cracking tool is a program that tries a dictionary of possible passwords against an account. Dictionaries can contain millions of possible passwords and can crack an easy password relatively quickly. It is for this reason that these policies are a good idea to implement in any domain environment.
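To confirm that the smart card and account policy settings described above actually took effect on a machine, the effective policy can be exported with `secedit` and checked. The following PowerShell is an added example, not part of the original article: the embedded INF text is a constructed sample, the function names are hypothetical, and the minimum length of 12 and the upper bound of 10 lockout attempts are assumed baselines.

```powershell
# Constructed sample of: secedit /export /cfg policy.inf /areas SECURITYPOLICY
# On a real machine, run that elevated and use: $inf = Get-Content .\policy.inf
$inf = @'
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
'@ -split "`r?`n"

function Read-SecurityInf([string[]]$Lines) {
    # Flatten "name = value" lines; registry entries look like "path=type,value".
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].Split('\')[-1]                      # keep only the value name
            $val = $Matches[2].Trim()
            if ($val -match '^\d+,(.*)$') { $val = $Matches[1] }   # drop the registry type prefix
            $settings[$key] = $val.Trim('"')
        }
    }
    return $settings
}

function Test-PolicyBaseline([hashtable]$S, [int]$MinLength = 12, [int]$MaxAttempts = 10) {
    # $MinLength and $MaxAttempts are assumed baselines; adjust to local policy.
    $removal = @{ '0' = 'No Action'; '1' = 'Lock Workstation'; '2' = 'Force logoff'
                  '3' = 'Disconnect if a Remote Desktop Services session' }
    $opt     = [string]$S['ScRemoveOption']
    $lockout = [int]$S['LockoutBadCount']     # 0 means accounts never lock out
    $rows = @(
        @{ Setting = 'Require smart card';          Value = $S['ScForceOption'];         Pass = ($S['ScForceOption'] -eq '1') }
        @{ Setting = 'Smart card removal behavior'; Value = $removal[$opt];              Pass = (('1','2','3') -contains $opt) }
        @{ Setting = 'Minimum password length';     Value = $S['MinimumPasswordLength']; Pass = ([int]$S['MinimumPasswordLength'] -ge $MinLength) }
        @{ Setting = 'Password complexity';         Value = $S['PasswordComplexity'];    Pass = ($S['PasswordComplexity'] -eq '1') }
        @{ Setting = 'Reversible encryption off';   Value = $S['ClearTextPassword'];     Pass = ($S['ClearTextPassword'] -eq '0') }
        @{ Setting = 'Password history';            Value = $S['PasswordHistorySize'];   Pass = ([int]$S['PasswordHistorySize'] -gt 0) }
        @{ Setting = 'Lockout threshold';           Value = $lockout;                    Pass = ($lockout -ge 1 -and $lockout -le $MaxAttempts) }
    )
    $rows | ForEach-Object { New-Object PSObject -Property $_ } | Select-Object Setting, Value, Pass
}

Test-PolicyBaseline (Read-SecurityInf $inf) | Format-Table -AutoSize
```

With the constructed sample, the rows for requiring a smart card, removal behavior, minimum password length and lockout threshold come back with `Pass` set to `False`, which is the state of a machine where none of the settings from this article have been applied.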

