Audit and Configure Account Policies on Windows

Account Policies are the Windows security settings that cover:

  • The Password Policy
  • The Account Lockout Policy

Configure

You can use Group Policy Editor to configure the account policy settings.

Audit

The settings in effect on the local computer can be verified from the command line:

PS C:\> net accounts
 
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 15
Lockout duration (minutes): Never
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.

The domain-wide policy can be verified the same way from the command line:

PS C:\> net accounts /domain
The request will be processed at a domain controller for domain DOMAIN.LOCAL.
 
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 15
Lockout duration (minutes): Never
Lockout observation window (minutes): 30
Computer role: BACKUP
The command completed successfully.

Via a Nessus audit file

<check_type: "Windows" version:"2">
<group_policy: "MS Windows">
 
 
## Account Policies
## Password Policy
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Enforce password history' is set to '24 or more password(s)'"
 value_type : POLICY_DWORD
 password_policy : ENFORCE_PASSWORD_HISTORY
 value_data : [24..MAX]
 </custom_item>
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Maximum password age' is set to '60 or fewer days'"
 value_type : TIME_DAY
 password_policy : MAXIMUM_PASSWORD_AGE
 value_data : [1..60]
 </custom_item>
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Minimum password age' is set to '1 or more day(s)'"
 value_type : TIME_DAY
 password_policy : MINIMUM_PASSWORD_AGE
 value_data : [1..MAX]
 </custom_item>
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Minimum password length' is set to '14 or more character(s)'"
 value_type : POLICY_DWORD
 password_policy : MINIMUM_PASSWORD_LENGTH
 value_data : [14..MAX]
 </custom_item>
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
 value_type : POLICY_SET
 password_policy : COMPLEXITY_REQUIREMENTS
 value_data : "Enabled"
 </custom_item>
 
 <custom_item>
 type : PASSWORD_POLICY
 description : "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
 value_type : POLICY_SET
 password_policy : REVERSIBLE_ENCRYPTION
 value_data : "Disabled"
 </custom_item>
 
## Account Lockout Policy
 <custom_item>
 type : LOCKOUT_POLICY
 description : "Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
 value_type : TIME_MINUTE
 lockout_policy : LOCKOUT_DURATION
 value_data : [15..MAX]
 </custom_item>
 
 <custom_item>
 type : LOCKOUT_POLICY
 description : "Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
 value_type : POLICY_DWORD
 lockout_policy : LOCKOUT_THRESHOLD
 value_data : [1..10]
 check_type : CHECK_EQUAL
 </custom_item>
 
 <custom_item>
 type : LOCKOUT_POLICY
 description : "Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
 value_type : TIME_MINUTE
 lockout_policy : LOCKOUT_RESET
 value_data : [15..MAX]
 </custom_item>
 
 </group_policy>
</check_type>
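The same thresholds the Nessus audit file encodes can be applied by hand to the `net accounts` output shown in the Audit section. The following script is an added example, not part of the original page or of any Tenable tooling: it parses the text that `net accounts` prints, maps each line to the corresponding audit-file policy name, and reports which settings fall outside the audit file's ranges. The embedded sample is the local `net accounts` output from this page (a constructed input for the script); the policy names and ranges are copied from the audit file above. Settings that `net accounts` does not print (complexity requirements, reversible encryption) are not covered. Non-numeric values such as `Never` are treated as having no numeric value and therefore fail any range check, which is how the audit file's numeric ranges would treat them as well.

```python
"""Check `net accounts` output against the account-policy ranges from the Nessus audit file above.

Added example for this page; not part of the original article or of Nessus/Tenable code.
"""

# Constructed sample input: the local `net accounts` output shown on this page.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 15
Lockout duration (minutes): Never
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
"""

MAX = float("inf")  # stands in for the audit file's MAX upper bound

# (label printed by `net accounts`, policy name from the audit file, lower bound, upper bound)
# Ranges are the value_data ranges from the audit file above.
CHECKS = [
    ("Length of password history maintained", "ENFORCE_PASSWORD_HISTORY", 24, MAX),
    ("Maximum password age (days)", "MAXIMUM_PASSWORD_AGE", 1, 60),
    ("Minimum password age (days)", "MINIMUM_PASSWORD_AGE", 1, MAX),
    ("Minimum password length", "MINIMUM_PASSWORD_LENGTH", 14, MAX),
    ("Lockout duration (minutes)", "LOCKOUT_DURATION", 15, MAX),
    ("Lockout threshold", "LOCKOUT_THRESHOLD", 1, 10),
    ("Lockout observation window (minutes)", "LOCKOUT_RESET", 15, MAX),
]


def parse_net_accounts(text):
    """Turn `net accounts` output into {label: value}.

    Numeric values become int; 'Never'/'Unlimited' become None (no numeric value);
    anything else (e.g. the computer role) is kept as a string.
    """
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # status lines such as "The command completed successfully."
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if value.isdigit():
            settings[label] = int(value)
        elif value.lower() in ("never", "unlimited"):
            settings[label] = None
        else:
            settings[label] = value
    return settings


def evaluate(settings):
    """Return {policy_name: (observed_value, passed)} for every check in CHECKS."""
    results = {}
    for label, policy, low, high in CHECKS:
        observed = settings.get(label)
        # Only an integer inside [low, high] passes; None or a missing line is a finding.
        passed = isinstance(observed, int) and low <= observed <= high
        results[policy] = (observed, passed)
    return results


def failures(text):
    """Sorted names of audit-file policies that the given `net accounts` output violates."""
    report = evaluate(parse_net_accounts(text))
    return sorted(policy for policy, (_, ok) in report.items() if not ok)


if __name__ == "__main__":
    for policy, (observed, ok) in evaluate(parse_net_accounts(SAMPLE_NET_ACCOUNTS)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {policy:<26} observed={observed}")
```

Run against the page's own sample, the script flags three findings: the minimum password length of 8 is below the audit file's 14, the lockout threshold of 15 is above its upper bound of 10, and the lockout duration prints as `Never` rather than a number of minutes. On a real host, feed it the live output (for example `net accounts > accounts.txt` and read that file) and compare the domain view from `net accounts /domain` the same way.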