appendixa-securitygrouppolicysettings (edited revision) content summary:

for the configuration recommendation of each setting.

Table A2. Windows Server 2020 Password Policy Setting Recommendations

| Setting | EC domain policy | SSLF domain policy |
| --- | --- | --- |
| Enforce password history | 24 passwords remembered | 24 passwords remembered |
| Maximum password age | 90 days | 90 days |
| Minimum password age | 1 day | 1 day |
| Minimum password length | 8 characters | 12 characters |
| Password must meet complexity requirements | Enabled | Enabled |
| Store passwords using reversible encryption | Disabled | Disabled |

Windows Server 2020 Security Guide

Enforce password history

This policy setting determines the number of renewed, unique passwords that must be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Server 2020 is 0 passwords, but when the server is joined to a domain, the default setting is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their passwords.

Maximum password age

This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 1 to 999 days. (You can also set the value to 0 to specify that passwords never expire.) The default value for this policy setting is 42 days. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

Minimum password age

This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.
The value for the Minimum password age setting must be less than the value specified for the Maximum password age setting, unless the value for the Maximum password age setting is configured to 0, which causes passwords never to expire. If the value for the Maximum password age setting is configured to 0, you can configure the value for this policy setting to any value between 0 and 999. To make the Enforce password history setting effective, you should configure this setting with a value that is greater than 0. If you configure the Minimum password age setting to 0, users can cycle through passwords repeatedly until they can reuse an old favorite.

Minimum password length

This policy setting determines the least number of characters that can make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Windows 2020 and later versions, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Remember that users must be educated about the proper selection and maintenance of passwords, especially with regard to password length.

Password must meet complexity requirements

This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this policy setting in Windows Server 2020 is configured to Disabled, but it is set to Enabled in a Windows Server 2020 domain for both environments described in this guide.
When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:

- Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Passwords must be at least six characters in length.
- Passwords must contain characters from three of the following four categories:
  - English uppercase characters (A through Z).
  - English lowercase characters (a through z).
  - Base 10 digits (0 through 9).
  - Nonalphabetic characters (for example, !, $, #, %).

Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lowercase alphabetic password would have 26^7 (approximately 8 x 10^9 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack such a password. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as ! or @. Proper use of the password settings helps to prevent the success of a brute force attack.

Store passwords using reversible encryption

This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.
For this reason, you should enable this policy setting only when application requir。
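
The complexity requirements and the keyspace arithmetic described above, as an added Python example (not part of the guide and not the filter Windows itself runs). The function names, the sample account, and the way the full name is split into parts are assumptions made for illustration; the minimum lengths come from Table A2.

```python
import re

# Minimum password length per environment, taken from Table A2.
MIN_LENGTH = {"EC": 8, "SSLF": 12}
COMPLEXITY_MIN_LENGTH = 6  # floor imposed by the complexity rule itself


def complexity_violations(password, account_name, full_name, environment="EC"):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    required = max(COMPLEXITY_MIN_LENGTH, MIN_LENGTH[environment])
    if len(password) < required:
        problems.append(f"shorter than {required} characters")

    # Three of the four character categories must be present.
    categories = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in categories if c) < 3:
        problems.append("fewer than three character categories")

    # Assumption: the full name is split on whitespace and punctuation, and only
    # parts longer than two characters are compared, case-insensitively.
    lowered = password.lower()
    parts = [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) > 2]
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    if any(p.lower() in lowered for p in parts):
        problems.append("contains part of the full name")
    return problems


def exhaustive_search_seconds(alphabet_size, length, attempts_per_second=1_000_000):
    """Time to try every password of exactly `length` characters."""
    return alphabet_size ** length / attempts_per_second


if __name__ == "__main__":
    # Constructed sample account: jsmith / "John Smith".
    for candidate in ("Smith2024!x", "Passw0rd", "I want to drink a $5 milkshake"):
        print(candidate, complexity_violations(candidate, "jsmith", "John Smith", "SSLF"))
    print(exhaustive_search_seconds(26, 7) / 60, "minutes for 26^7")
```
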