Improve Windows security with these three tips

Locking down password changes


Another step you can take to improve security and also cut down on help desk calls is to prevent users from changing their passwords until prompted to do so when the password expires.

This may not seem like a necessary security measure, but consider what could happen if a user's password were stolen or hacked. The unauthorised user could then immediately change the user's password and effectively lock that person out of the network.

By preventing such password changes, you can keep hackers or others from hijacking user accounts, and you can also cut down on the number of calls the help desk receives from users who have changed their passwords and forgotten the new one.

There are two different ways you can lock down users from changing their passwords unless prompted by Windows: individually via a registry setting or globally via a Group Policy setting.

Perform the following steps to require a system prompt for password changes for a group of users:

  1. Start the Microsoft Management Console (MMC) by choosing Start | Run, typing mmc, and clicking OK.
  2. On the File menu, choose Add/Remove Snap-in | Add | Active Directory Users and Computers | Add.
  3. Click Close and then OK. The left pane will display the new snap-in.
  4. Expand the snap-in, select the group to which the policy applies, right-click, and choose Properties.
  5. On the Group Policy tab, select the Group Policy Object and click Edit. If no policies are listed, click New to create a new policy and then click Edit.
  6. Expand the policy folder and then expand the subfolders down to System.
  7. Select Logon/Logoff.
  8. Right-click the Disable Change Password policy and then choose Properties.
  9. On the Policy tab, select the Enabled option and then click OK.
  10. Close the Group Policy window and then close the console.
  11. At the command prompt, type the following: Secedit /refreshpolicy user_policy /enforce
  12. Press [Enter].

To enforce the same password policy for individual users, perform the following procedures to configure the option in the registry:

  1. Run the Registry Editor.
  2. Navigate to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
  3. Click the System key. If the System key does not exist, create it by choosing Edit | New and then selecting Key. This will create a new folder called New Key #1. Rename the key to System.
  4. Select the System key and then choose Edit | New | DWORD Value.
  5. Type DisableChangePassword.
  6. Press [Enter].
  7. Double-click the new DisableChangePassword value.
  8. Change the value setting to 1.
  9. Click OK.
  10. Close Regedit.
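The registry procedure above can be audited and applied from PowerShell. This is an added example, not part of the original article; it goes beyond the single-user steps by reporting the setting for every user hive currently loaded under HKEY_USERS (HKEY_CURRENT_USER is a view of the logged-on user's hive there). The function names are hypothetical; the key path and value name are the ones given in the steps.

```powershell
# Added example (not from the article). The key path and value name come from
# the article's steps; Get-ChangePasswordLock and Set-ChangePasswordLock are
# hypothetical helper names. Run elevated to read or write other users' hives.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableChangePassword'

function Get-ChangePasswordLock {
    # Report the setting for each interactive user hive loaded under HKEY_USERS.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |  # skips *_Classes and service SIDs
        ForEach-Object {
            $path   = "Registry::HKEY_USERS\$($_.PSChildName)\$SubKey"
            $exists = Test-Path -Path $path
            $value  = $null
            if ($exists) {
                # A missing value yields $null rather than an error.
                $value = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            }
            [pscustomobject]@{
                Sid       = $_.PSChildName
                KeyExists = $exists
                Value     = $value
                Locked    = ($value -eq 1)
            }
        }
}

function Set-ChangePasswordLock {
    param([Parameter(Mandatory)][string]$Sid)
    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    if (-not (Test-Path -Path $path)) {
        # Step 3 of the procedure: create the System key when it does not exist.
        New-Item -Path $path -Force | Out-Null
    }
    # Steps 4 to 8: create the DWORD value and set it to 1.
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit first, then apply to a chosen account.
Get-ChangePasswordLock | Format-Table -AutoSize
# Set-ChangePasswordLock -Sid '<user SID>'   # placeholder: take the SID from the audit output
```

Only hives of users who are logged on, or whose profile is otherwise loaded, appear under HKEY_USERS, so the audit reflects the accounts active at the time it runs.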

For additional details on setting this password policy, see Microsoft Knowledge Base article 309799.

Securing data

These tips are simple steps you can take to restrict access to sensitive data and better secure your network. They take little time and effort to implement and can protect your organization's data.

©2001 TechRepublic, Inc.
