Refresh security baseline

Vinay Pamnani
2023-06-07 11:45:54 -04:00
parent ea99de5890
commit 0a782b349c
2 changed files with 81 additions and 103 deletions


@ -1,93 +1,81 @@
--- ---
title: Configure security policy settings title: Configure security policy settings
description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320
ms.reviewer:
ms.author: vinpa ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
audience: ITPro
ms.collection: ms.collection:
- highpri - highpri
- tier3 - tier3
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 06/07/2023
ms.technology: itpro-security appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Configure security policy settings # Configure security policy settings
**Applies to** This article describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
- Windows 11
- Windows 10
Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
When a local setting is inaccessible, it indicates that a GPO currently controls that setting. When a local setting is inaccessible, it indicates that a GPO currently controls that setting.
## <a href="" id="bkmk-local"></a>To configure a setting using the Local Security Policy console ## To configure a setting using the Local Security Policy console
1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER. 1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER.
2. Under **Security Settings** of the console tree, do one of the following: 1. Under **Security Settings** of the console tree, do one of the following:
- Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
1. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
1. Modify the security policy setting, and then select **OK**.
- Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. > [!NOTE]
- Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. >
> - Some security policy settings require that the device be restarted before the setting takes effect.
> - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. ## To configure a security policy setting using the Local Group Policy Editor console
4. Modify the security policy setting, and then click **OK**.
> [!NOTE]
> - Some security policy settings require that the device be restarted before the setting takes effect.
> - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
## <a href="" id="bkmk-domain"></a>To configure a security policy setting using the Local Group Policy Editor console
You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
1. Open the Local Group Policy Editor (gpedit.msc). 1. Open the Local Group Policy Editor (gpedit.msc).
2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 1. In the console tree, click **Computer Configuration**, select **Windows Settings**, and then select **Security Settings**.
3. Do one of the following: 1. Do one of the following:
- Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
1. In the details pane, double-click the security policy setting that you want to modify.
- Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. > [!NOTE]
- Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. > If this security policy has not yet been defined, select the **Define these policy settings** check box.
4. In the details pane, double-click the security policy setting that you want to modify. 1. Modify the security policy setting, and then select **OK**.
> [!NOTE]
> If this security policy has not yet been defined, select the **Define these policy settings** check box.
5. Modify the security policy setting, and then click **OK**.
> [!NOTE] > [!NOTE]
> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. > If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
## <a href="" id="bkmk-dc"></a>To configure a setting for a domain controller ## To configure a setting for a domain controller
The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller).
1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
2. Do one of the following: 1. Do one of the following:
- Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**. - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**.
- Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. - Select **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
3. In the details pane, double-click the security policy that you want to modify. 1. In the details pane, double-click the security policy that you want to modify.
> [!NOTE] > [!NOTE]
> If this security policy has not yet been defined, select the **Define these policy settings** check box. > If this security policy has not yet been defined, select the **Define these policy settings** check box.
4. Modify the security policy setting, and then click **OK**. 1. Modify the security policy setting, and then select **OK**.
> [!IMPORTANT] > [!IMPORTANT]
> - Always test a newly created policy in a test organizational unit before you apply it to your network. >
> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. > - Always test a newly created policy in a test organizational unit before you apply it to your network.
> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
## Related topics ## Related articles
- [Security policy settings reference](security-policy-settings-reference.md) - [Security policy settings reference](security-policy-settings-reference.md)
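Review bot: the "click" to "select" wording change is applied inconsistently in this hunk. In the domain controller procedure, step 1 on the new side still reads `click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**`, step 2 mixes `Double-click **Account Policies**` with `Select **Local Policies**`, and the IMPORTANT note still says `click **OK**` while step 4 of the same procedure was changed to `select **OK**`. Suggest using "select" throughout in the same sweep. Two smaller points: "You must have Administrators rights on the local device" would be more precise as "You must be a member of the local Administrators group", and "the next time you refresh the settings" in the IMPORTANT note would be clearer as "the next time Group Policy is refreshed on the device", since the reader may not know that a GPO edit is not applied until the client's policy refresh.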


@ -1,30 +1,22 @@
--- ---
title: Password must meet complexity requirements title: Password must meet complexity requirements
description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.
ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe
ms.reviewer:
ms.author: vinpa ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
audience: ITPro
ms.collection: ms.collection:
- highpri - highpri
- tier3 - tier3
ms.topic: conceptual ms.topic: conceptual
ms.technology: itpro-security ms.date: 06/07/2023
ms.date: 12/31/2017
--- ---
# Password must meet complexity requirements # Password must meet complexity requirements
**Applies to** **Applies to**
- Windows 11 - Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.
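Review bot: this file is handled differently from the first one in the same commit. The first file removed the body-level `**Applies to**` list (`- Windows 11`, `- Windows 10`) and replaced it with an `appliesto:` block in the front matter, but here the body list is left in place and no `appliesto:` entry is added, so the two articles now use different conventions for the same information. Suggest applying the same front-matter change here for consistency, or leaving both as they were if the migration is intended for a later commit.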
@ -32,41 +24,39 @@ Describes the best practices, location, values, and security considerations for
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive. 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2. The password contains characters from three of the following categories: 2. The password contains characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9) - Base 10 digits (0 through 9)
- Non-alphanumeric characters (special characters): - Non-alphanumeric characters (special characters): ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)``
(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting. - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
- Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created. Complexity requirements are enforced when passwords are changed or created.
The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they can't be directly modified. The rules that are included in the Windows Server password complexity requirements are part of `Passfilt.dll`, and they can't be directly modified.
When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it. When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it.
Other settings that can be included in a custom Passfilt.dll are the use of nonupper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). Other settings that can be included in a custom `Passfilt.dll` are the use of non-upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values ### Possible values
- Enabled - Enabled
- Disabled - Disabled
- Not defined - Not defined
### Best practices ### Best practices
> [!TIP] > [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). > For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.) The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.)
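Review bot: moving the special-character list into a double-backtick code span is a good change, but the markdown escapes inside it were not removed. Inside a code span backslashes are rendered literally, so ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)`` will display `\\` and `\[\]` instead of `\` and `[]`; the escapes should be dropped now that the text is in a code span (the `Location` line later in this change does this correctly). Two consistency points: `Passfilt.dll` is wrapped in backticks in the sentence "are part of `Passfilt.dll`" and in the custom-filter sentence, but the sentence "When enabled, the default Passfilt.dll may cause" in between is left unformatted; and merging the samAccountName and displayName paragraphs into one long paragraph makes the two distinct checks harder to read, so keeping them as separate paragraphs would be better.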
@ -74,20 +64,20 @@ Short passwords that contain only alphanumeric characters are easy to compromise
### Location ### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** `Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy`
### Default values ### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
| Server type or Group Policy Object (GPO) | Default value | | Server type or Group Policy Object (GPO) | Default value |
|---|---| |----------------------------------------------------|---------------|
| Default domain policy | Enabled | | Default domain policy | Enabled |
| Default domain controller policy | Enabled | | Default domain controller policy | Enabled |
| Stand-alone server default settings | Disabled | | Stand-alone server default settings | Disabled |
| Domain controller effective default settings | Enabled | | Domain controller effective default settings | Enabled |
| Member server effective default settings | Enabled| | Member server effective default settings | Enabled |
| Effective GPO default settings on client computers | Disabled | | Effective GPO default settings on client computers | Disabled |
## Security considerations ## Security considerations
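Review bot: the table edit in this hunk is whitespace-only column padding and inflates the diff without changing the rendered result; consider leaving the table untouched so the review focuses on the content changes. The `Location` change from bold text to a code span is correct and properly drops the `\\` escapes, since backslashes are literal inside a code span.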
@ -107,9 +97,9 @@ When combined with a [Minimum password length](minimum-password-length.md) of 8,
If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty. If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty.
If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments. If your organization has more stringent security requirements, you can create a custom version of the `Passfilt.dll` file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 01280159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.) The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
## Related articles ## Related articles
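Review bot: the fix from `01280159` to `0128-0159` restores the intended range, but the Best practices section earlier in this file expresses the same range as "0128 through 0159"; using the same form in both places would avoid the reader wondering whether the two ranges differ. The `Passfilt.dll` backtick formatting added here matches the first hunk's style and is fine.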