File System; Administrator Account; Set Strong Password And Lockout Policies - Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE 13.0 Configuration Manual

Hardening Windows Server 2003 for Cisco TMS 13.0
Securing Windows Server 2003 tasks

File system

Ensure the file system for all hard disks is NTFS. Avoid using FAT, FAT32 or FAT32x file systems, as
these file systems do not support the same level of access control and security that NTFS does.
This applies to all partitions on the server, not just the boot partition.

Administrator account

- Password - Make sure that the administrator account has a strong password. A strong password is a
  long passphrase that combines upper and lower case letters, numbers and symbols.
- Rename the administrative account - Rename the administrator account to a less obvious name,
  and delete or change its description. Even though this will not stop all hackers, it makes their job
  more difficult.
- Create a dummy administrator account - It is also a good idea to create a dummy administrator
  account in addition to the true administrator account. When creating the dummy administrator, remove
  any privileges associated with the account and set a long and complex password. Finally, take away
  all associated privileges by removing the dummy administrator account [1] from the User group after
  it has been created. Make sure the Event Log [2] is checked regularly for any attempts to use the
  dummy administrator account.

Set strong password and lockout policies

To change the password policies, go to Windows Start > Control Panel > Administrative Tools >
Local Security Policy.

Note: Domain level policy settings may override these settings.

Password rules - Choose Account Policies > Password Policy, and apply the following changes:

- Set the Minimum password length to at least 8 characters
- Set the Minimum password age to at least 1 day
- Set the Maximum password age to no more than 180 days
- Set the Enforce password history to at least 5

This forces the administrator to change the password every 180 days, and ensures that the previous
five passwords cannot be reused and that passwords cannot be changed more than once a day.

Account lockout policy - Choose Account Policies > Account Lockout Policy, and apply the
following changes:

- Set the Account lockout threshold to no more than 3
- Set the Account lockout duration to at least 15 minutes
- Set the Reset Account lockout counter after to at least 15 minutes

This will disable any account for at least 15 minutes if the number of failed login attempts on that
account exceeds 3. This will deter hackers from using brute force attacks on the accounts.
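
One way to confirm that the settings above took effect is to export the local policy with "secedit /export /cfg <file>" and check its [System Access] section against the guide's limits. The script below is an added example, not part of the Cisco guide; the function names and the sample export are constructed for illustration.

```python
import configparser

# Limits from the guide, keyed by the [System Access] names that
# "secedit /export /cfg <file>" writes. Each check takes the exported integer.
CHECKS = {
    "MinimumPasswordLength": lambda v: v >= 8,              # characters
    "MinimumPasswordAge":    lambda v: v >= 1,              # days
    "MaximumPasswordAge":    lambda v: 1 <= v <= 180,       # days; -1 = never expires
    "PasswordHistorySize":   lambda v: v >= 5,              # remembered passwords
    "LockoutBadCount":       lambda v: 1 <= v <= 3,         # 0 = lockout disabled
    "LockoutDuration":       lambda v: v == -1 or v >= 15,  # minutes; -1 = until an admin unlocks
    "ResetLockoutCount":     lambda v: v >= 15,             # minutes
}

def audit(inf_text):
    """Return {setting: (value or None, passed)}; inf_text is the decoded export (typically UTF-16 on disk)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    results = {}
    for key, ok in CHECKS.items():
        raw = cp.get("System Access", key, fallback=None)
        value = int(raw) if raw is not None else None
        # A missing key counts as a failure (an export may omit the
        # lockout timers when no lockout threshold is configured).
        results[key] = (value, value is not None and ok(value))
    return results

def failures(inf_text):
    """Sorted names of the settings that do not meet the guide's limits."""
    return sorted(k for k, (_, passed) in audit(inf_text).items() if not passed)

# Constructed sample export with weak values; not taken from a real server.
SAMPLE_WEAK = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for key, (value, passed) in audit(SAMPLE_WEAK).items():
        print(f"{'PASS' if passed else 'FAIL'}  {key} = {value}")
```

As the note above says, domain level policy may override local settings, so run the export on the server itself after policy has been applied.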

[1] Your newly created administrator account, not the inbuilt account supplied by Windows, as this has
now been renamed.
[2] Setting up the logging is described in section Error! Reference source not found.