From 897a039c68220672bba703146adf8d4a40ebefe3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 13 Nov 2018 11:13:06 -0800 Subject: [PATCH 1/3] matched security baselines --- .../minimum-password-age.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 6028668431..9a76b98c21 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 11/13/2018 --- # Minimum password age 
@@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. +The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. ### Possible values 
@@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day. -If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. +Setting the number of days to 0 allows immediate password changes, which is not recommended. +Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. +For example, suppose a password is “Ra1ny day!” and there’s a history requirement of 24. +The password is changed 24 times in a row until finally changed back to “Ra1ny day!”. +The minimum password age of 1 day prevents that. + +If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. +Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. ### Location 
@@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin ### Countermeasure -Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. +Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. ### Potential impact -If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. +If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. ## Related topics From 85d38fa9c880518ebd9787a421fa52f80ee97111 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 13 Nov 2018 11:14:35 -0800 Subject: [PATCH 2/3] edits --- .../security-policy-settings/minimum-password-age.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 9a76b98c21..6965e3f742 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: brianlic-msft +author: justinha ms.date: 11/13/2018 --- From 78410de96ef8303f4f4444678244f68df38b7977 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 13 Nov 2018 11:18:02 -0800 Subject: [PATCH 3/3] edits --- .../security-policy-settings/minimum-password-age.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 6965e3f742..ca6aedc5d8 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -34,7 +34,7 @@ The **Minimum password age** policy setting determines the period of time (in da Setting the number of days to 0 allows immediate password changes, which is not recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. For example, suppose a password is “Ra1ny day!” and there’s a history requirement of 24. -The password is changed 24 times in a row until finally changed back to “Ra1ny day!”. +If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to “Ra1ny day!”. The minimum password age of 1 day prevents that. If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
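Review bot: In PATCH 1/3, Reference hunk (@@ -20,7 +20,7), the rewritten paragraph still names the other setting inconsistently within one sentence: "less than the Maximum password age, unless the maximum password age is set to 0". **Minimum password age** is bold where it names the policy, so since this line is being touched anyway, write **Maximum password age** the same way where it names the policy and keep lower case where it is a plain description.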
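Review bot: In PATCH 1/3, Best practices hunk (@@ -29,9 +29,16), the added line "The minimum password age of 1 day prevents that." overstates the effect. With the example's history requirement of 24 and a minimum age of 1 day, the same cycling back to the original password is still possible; it takes at least 24 days instead of a single session. Suggest saying that the 1-day minimum makes the cycle take at least 24 days, which is what makes the history requirement meaningful. The last line of the hunk also ends without a verb ("until the number of days specified by **Minimum password age**"); add "has passed".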
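Review bot: In PATCH 1/3, Potential impact (@@ -70,11 +77,11), the corrected sentence fixes "wants" but still switches subject halfway: "If you set a password for a user but want that user to change the password ... the administrator must select". Use "you must select", matching the parallel sentence under Best practices. In Countermeasure, the old text said "at least 2 days" and the new text says "a value of 1 day"; say whether higher values are still acceptable or whether exactly 1 day is intended.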
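Review bot: PATCH 2/3 changes only the front-matter `author:` value from brianlic-msft to justinha, yet its subject is "edits", identical to PATCH 3/3, so the log gives no way to tell the two apart. Give it a subject that names the metadata change, or fold it into PATCH 1/3, which already edits the same front matter (`ms.date`).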
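Review bot: In PATCH 3/3 (@@ -34,7 +34,7), the rewritten example line "the password can be changed 24 times in a row until finally changed back to “Ra1ny day!”" leaves it unclear whether the change back is the 24th change or one that follows 24 others. State the count explicitly so it lines up with "a history requirement of 24". In the context line above it, "re-establish the original password again" is redundant; drop "again".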