KLC Consulting, Inc.
IS / IT Security Services 

Securing your Windows 2000, XP, and 2003 User Accounts and Passwords:

Here are some recommendations on user account and password management.  Keep in mind that your security policies depend strictly on your business requirements!  Security and convenience pull in opposite directions: the tighter the settings, the more lockouts, help-desk calls and day-to-day friction your users will see, so choose values your organization can actually live with.

  1. Rename the default administrator account “Administrator” to something harder to guess.  This removes the one account name every password-guessing tool tries first.  Note that renaming does not change the account's relative ID (it keeps RID 500), so an attacker who can enumerate accounts by SID can still tell which account is the real administrator; the rename raises the bar for guessing, it does not hide the account.  Record the new account name and password somewhere safe.  You will need to log on as the local administrator to change the computer configuration or to install hardware and software.

    After you have renamed the administrator account, you should no longer see an account named “Administrator”.

    Next, create a decoy account.  Create a new user called “Administrator”, give it a long random password, and make sure it does NOT belong to any groups.  In other words, when you click the “Member of” tab in the user's properties in the User Management window, you should see no groups listed.  If you do, remove them (a newly created local account is placed in the Users group by default).  This ensures the decoy “Administrator” account has no rights on the server beyond those every account gets, so even a guessed password buys the attacker very little.

    If you have auditing of logon events turned on, every logon attempt against the decoy “Administrator” account is written to the Security log, which you can review with Event Viewer.  Because nobody has a legitimate reason to use that account, any logon or failed logon naming it is a strong indication that someone is probing the machine.
  2. Make sure the passwords for the administrator and regular user accounts are changed every 30 to 90 days.
  3. Change the password and account lockout policies on Windows 2000 from the default settings.  The defaults allow blank passwords of any length and never lock an account out, however many guesses are made.

Here are the default password policy settings:

    Enforce password history                                   1 passwords remembered
    Maximum password age                                       42 days
    Minimum password age                                       0 days
    Minimum password length                                    0 characters
    Passwords must meet complexity requirements                Disabled
    Store password using reversible encryption for all users   Disabled


Here are the default Account Lockout policy settings:

    Account lockout duration               Not defined
    Account lockout threshold              0 invalid logon attempts (no lockout)
    Reset account lockout counter after    Not defined



Here are some suggested settings for the password policy.  Reference values are from Microsoft (MS), the National Security Agency (NSA), SANS and the National Institute of Standards and Technology (NIST); “Rec. value” is this article's recommendation.

Enforce password history
    Ref. values:  none listed
    Rec. value:   12 passwords remembered
    Note:         Combined with a 90-day maximum age, 12 remembered passwords means users cannot re-use a password from roughly the past 3 years.  Windows counts passwords, not time, so this only holds if the minimum password age below stops users from cycling through 13 changes in one sitting.

Maximum password age
    Ref. values:  MS 42, NSA 42, SANS 45-90, NIST 90
    Rec. value:   90 days
    Note:         Users must change their password within 90 days.  Anything between 30 and 90 days is usual; the system administrator can decide on a reasonable value.

Minimum password age
    Ref. values:  MS 2, NSA 2, SANS 1-5
    Rec. value:   1 day
    Note:         A user cannot change the password again within 1 day of the last change.  Its purpose is to make password history effective: without a minimum age a user can change the password 13 times in a row to flush a 12-entry history and return to the old one.  It does nothing against an intruder guessing passwords; that is what the account lockout settings below are for.

Minimum password length
    Ref. values:  MS 8, NSA 12
    Rec. value:   8 characters
    Note:         Usually between 6 and 12 characters, with 6 to 8 the most common choice; longer is better.  On these Windows versions an LM hash is also stored for any password shorter than 15 characters, and LM hashes are far easier to crack than NT hashes, so long passwords pay off disproportionately.  This setting is the floor that always applies; the complexity filter below adds its own 6-character floor only when it is enabled.

Passwords must meet complexity requirements
    Ref. values:  none listed
    Rec. value:   Disabled (you decide)
    Note:         Enabling it is the stronger choice and costs little; it rules out the trivial passwords listed at the end of this article.  With the default passfilt.dll, an enabled policy requires that:
      • Passwords are at least six characters long.
      • Passwords do not contain the user's account name, or any part of the user's full name longer than two characters.  For example, a user whose account is "bobm" and whose full name begins with "Bob" cannot set bobm or bobxxx as a password.
      • Passwords use at least three of the four character types: lowercase letters, uppercase letters, numbers, and symbols (+, =, _, *, &, …).

Store password using reversible encryption for all users in the domain
    Ref. values:  none listed
    Rec. value:   Disabled (you decide)
    Note:         Usually not set.  It exists only for authentication protocols that need the plaintext password (such as CHAP); for every other account it is equivalent to storing the password in clear text.  Learn more from the Microsoft link below.



Here are some suggested settings for the account lockout policy:

Account lockout duration
    Ref. values:  MS 0 (indefinite), NSA 15, SANS 240, NIST 15
    Rec. value:   15 minutes
    Note:         Weigh the system administration cost before choosing a value.  A setting of 30 minutes removes the lockout automatically, but most legitimate users will call you anyway when they are locked out.  The value 0 means the account stays locked until an administrator unlocks it; 99999 minutes is the maximum the policy accepts.

Account lockout threshold
    Ref. values:  MS 5, NSA 3
    Rec. value:   3 invalid logon attempts
    Note:         Legitimate users should not need more than 3 tries to get their password right.  If they do, the account is locked out and the system administrator can investigate the reason.  If many legitimate users are being locked out, either the value needs adjusting or someone is guessing passwords to get into the network.  3 attempts is a common value for this policy.

Reset account lockout counter after
    Ref. values:  MS 30, NSA 15, SANS 240, NIST 15
    Rec. value:   15-30 minutes
    Note:         How long Windows remembers bad password attempts before the counter goes back to 0.  15 to 30 minutes is usually sufficient.  For example, with the value set to 15 minutes, a user who types 2 bad passwords when logging on at 12:00 PM has a counter of 2; at 12:16 PM, with no further failures, the counter is reset to 0.  Windows requires this value to be less than or equal to the account lockout duration (unless the duration is 0, i.e. indefinite).



For more information on the settings, you can find details on Microsoft website: Creating User and Group Accounts
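As an added example (not KLC's code or part of the original article), the following Python script checks a machine's current policy against the recommended values above and builds a secedit template that applies them.  It parses the output of `net accounts`, the command-line view of the same settings, audits it against the “Rec. value” column, and emits a security template in the .inf format that `secedit /configure` accepts.  The sample `net accounts` output is constructed to show a box still on the stock defaults; the template file name hardening.inf and the administrator name svc-localadm are placeholders chosen for the example.

```python
"""Audit the local password and lockout policy against the recommended values
above and emit a secedit template that applies them.  Added example, not KLC's code."""

# "Rec. value" column of the two tables above.
RECOMMENDED = {
    "min_pw_age_days": 1,
    "max_pw_age_days": 90,
    "min_pw_len": 8,
    "pw_history": 12,
    "lockout_threshold": 3,
    "lockout_duration_min": 15,
    "lockout_window_min": 15,
}

# Constructed sample of `net accounts` output from a machine still on the
# stock defaults (the layout mirrors what Windows 2000/XP/2003 prints).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# `net accounts` label -> key used in RECOMMENDED.
_LABELS = {
    "Minimum password age (days)": "min_pw_age_days",
    "Maximum password age (days)": "max_pw_age_days",
    "Minimum password length": "min_pw_len",
    "Length of password history maintained": "pw_history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration_min",
    "Lockout observation window (minutes)": "lockout_window_min",
}


def parse_net_accounts(text):
    """Return {key: int} from `net accounts` output.  'None', 'Never' and
    'Unlimited' are how net.exe prints the value 0."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = _LABELS.get(label.strip())
        if not sep or key is None:
            continue
        value = value.strip()
        policy[key] = 0 if value in ("None", "Never", "Unlimited") else int(value)
    return policy


def audit(policy, rec=RECOMMENDED):
    """List every setting weaker than the recommendation (empty list = compliant)."""
    findings = []
    # Bigger is stronger for these four.
    for key in ("min_pw_age_days", "min_pw_len", "pw_history", "lockout_window_min"):
        if policy.get(key, 0) < rec[key]:
            findings.append("%s is %d, recommended %d" % (key, policy.get(key, 0), rec[key]))
    # Maximum age 0 means passwords never expire; otherwise smaller is stronger.
    max_age = policy.get("max_pw_age_days", 0)
    if max_age == 0 or max_age > rec["max_pw_age_days"]:
        findings.append("max_pw_age_days is %d, recommended %d" % (max_age, rec["max_pw_age_days"]))
    # Threshold 0 means lockout is switched off; otherwise smaller is stronger.
    thr = policy.get("lockout_threshold", 0)
    if thr == 0 or thr > rec["lockout_threshold"]:
        findings.append("lockout_threshold is %d, recommended %d" % (thr, rec["lockout_threshold"]))
    # Duration 0 means locked until an administrator unlocks it, which is not weaker.
    dur = policy.get("lockout_duration_min", 0)
    if 0 < dur < rec["lockout_duration_min"]:
        findings.append("lockout_duration_min is %d, recommended %d" % (dur, rec["lockout_duration_min"]))
    return findings


def secedit_template(rec=RECOMMENDED, complexity=1, admin_name=None):
    """Build a secedit .inf that applies the recommended values.  Apply it with:
       secedit /configure /db %windir%\\security\\local.sdb /cfg hardening.inf /areas SECURITYPOLICY
    """
    # Windows rejects a reset window longer than a finite lockout duration.
    if rec["lockout_duration_min"] and rec["lockout_window_min"] > rec["lockout_duration_min"]:
        raise ValueError("ResetLockoutCount must not exceed LockoutDuration")
    # A minimum age at or above the maximum age would leave users unable to change passwords.
    if rec["max_pw_age_days"] and rec["min_pw_age_days"] >= rec["max_pw_age_days"]:
        raise ValueError("MinimumPasswordAge must be less than MaximumPasswordAge")
    lines = [
        "[Unicode]", "Unicode=yes",
        "[System Access]",
        "MinimumPasswordAge = %d" % rec["min_pw_age_days"],
        "MaximumPasswordAge = %d" % rec["max_pw_age_days"],
        "MinimumPasswordLength = %d" % rec["min_pw_len"],
        "PasswordComplexity = %d" % complexity,
        "PasswordHistorySize = %d" % rec["pw_history"],
        "LockoutBadCount = %d" % rec["lockout_threshold"],
        "ResetLockoutCount = %d" % rec["lockout_window_min"],
        "LockoutDuration = %d" % rec["lockout_duration_min"],
        "ClearTextPassword = 0",  # "Store password using reversible encryption" stays off
    ]
    if admin_name:  # step 1 above: rename the built-in Administrator account
        lines.append('NewAdministratorName = "%s"' % admin_name)
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("FINDING:", finding)
    print(secedit_template(admin_name="svc-localadm"))  # placeholder name for the example
```

Run it on a real machine by piping `net accounts` output into parse_net_accounts instead of the constructed sample.  The template also covers the rename from step 1 through NewAdministratorName; the decoy account itself is created afterwards with `net user Administrator <password> /add` followed by `net localgroup Users Administrator /delete`, since net.exe puts a new local account into the Users group.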


4.     Make sure users do NOT write down their passwords and post them on the monitor, the keyboard, or under the desk.  You may laugh, but check your users and you will be surprised how many do this.  If a password must be written down for whatever reason, make sure it is kept in a secure location, e.g. a locked drawer.

5.     Make sure users do NOT share passwords with other people. 

6.     Make sure users do NOT reveal their passwords to anyone, including the help desk.  An administrator who needs access to an account can reset its password and never needs to be told the existing one.

7.     Enable auditing of successful and failed logon events (“Audit logon events” in the Audit Policy, plus “Audit account logon events” on domain controllers).  The Security log then shows who logged on, from where, and who failed, which is what the decoy account in step 1 depends on.

8.     If you are a system administrator in a business environment, set a strong local administrator password on every desktop, and make it different on each machine so that one compromised desktop does not unlock the rest.  Users should NOT know the password for the local administrator account.
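Steps 1 and 7 together give you something to look for in the Security log.  The Python script below, an added example that is not KLC's code, walks through a log export and raises two kinds of alert: any logon activity naming the decoy “Administrator” account, and any account that collects as many failures within the reset window as the lockout threshold allows, which is the same rule Windows applies before locking an account out.  It uses the pre-Vista event IDs (528/540 successful logon, 529 bad user name or password, 539 locked-out account).  The sample records are constructed; real Security events carry the target user and workstation inside the event description, so the flat tab-separated layout used here (timestamp, event ID, user, workstation), and the host names ATTACKER01 and WS-BOBM, are assumptions made for the example.

```python
"""Triage a Security log export for activity against the decoy Administrator
account and for password guessing.  Added example, not KLC's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DECOY_ACCOUNT = "Administrator"        # the decoy from step 1; the real admin account was renamed
LOCKOUT_THRESHOLD = 3                  # "Account lockout threshold" recommended above
RESET_WINDOW = timedelta(minutes=15)   # "Reset account lockout counter after" recommended above

# Security log event IDs on Windows 2000/XP/2003 (pre-Vista numbering).
LOGON_SUCCESS = {528, 540}   # successful logon / successful network logon
LOGON_FAILURE = {529}        # unknown user name or bad password
ACCOUNT_LOCKED = {539}       # logon attempt against an account that is already locked out

# Constructed sample.  Real events carry "User Name:" and "Workstation Name:"
# inside the description; this tab-separated layout of
# (timestamp, event ID, target user, workstation) is an assumption for the example.
SAMPLE_EVENTS = """\
2003-04-02 12:00:05\t529\tAdministrator\tATTACKER01
2003-04-02 12:00:07\t529\tAdministrator\tATTACKER01
2003-04-02 12:00:09\t529\tAdministrator\tATTACKER01
2003-04-02 12:00:12\t539\tAdministrator\tATTACKER01
2003-04-02 12:01:10\t529\tbobm\tWS-BOBM
2003-04-02 12:30:00\t529\tbobm\tWS-BOBM
2003-04-02 12:45:01\t528\tbobm\tWS-BOBM
2003-04-02 13:02:11\t528\tAdministrator\tATTACKER01
"""


def parse_events(text):
    """Return a list of (timestamp, event_id, user, workstation), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ws = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, ws))
    return sorted(events)


def triage(events, decoy=DECOY_ACCOUNT, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Return {"decoy": [...], "guessing": [...]} alert strings.

    decoy:    any logon event naming the decoy account.  Nobody should use it, so a
              failure is a probe and a success means the decoy's password has leaked.
    guessing: an account that reached `threshold` failures inside `window`, i.e. the
              moment Windows itself would lock the account out.
    """
    alerts = {"decoy": [], "guessing": []}
    failures = defaultdict(deque)   # user -> timestamps of 529s still inside the window
    for ts, eid, user, ws in events:
        if user.lower() == decoy.lower() and eid in (LOGON_SUCCESS | LOGON_FAILURE | ACCOUNT_LOCKED):
            level = "CRITICAL" if eid in LOGON_SUCCESS else "WARNING"
            alerts["decoy"].append("%s %s event %d: '%s' from %s" % (level, ts, eid, user, ws))
        if eid in LOGON_FAILURE:
            q = failures[user.lower()]
            q.append(ts)
            while q and ts - q[0] > window:    # forget failures older than the reset window
                q.popleft()
            if len(q) == threshold:            # same point at which Windows would lock the account
                alerts["guessing"].append("%s '%s' from %s: %d bad passwords within %s"
                                          % (ts, user, ws, threshold, window))
    return alerts


if __name__ == "__main__":
    for kind, items in triage(parse_events(SAMPLE_EVENTS)).items():
        for item in items:
            print(kind.upper(), item)
```

On the sample, the three rapid failures against the decoy from ATTACKER01 trigger both a decoy warning for each attempt and one guessing alert, the 539 shows the lockout already took effect, and the later 528 is flagged CRITICAL because a successful logon as the decoy means its password is known to someone; bobm's two failures are 29 minutes apart, so the counter reset between them and no alert is raised.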

If you are a home user, make sure you have a strong password for your “Administrator” account.

Make sure “Administrator” accounts have NO BLANK PASSWORDS and NO EASY-TO-GUESS PASSWORDS.  Several Trojans and worms have been observed trying to get into Windows 2000 systems with a short list of trivial credentials, e.g. the “Administrator” account with a BLANK password, “Administrator” with “Administrator” as the password, “admin” with “admin”, “root” with “root”, and so on.  Be careful!  Leaving a weak password on an administrator account is like leaving the door of your house open at night while you sleep.  Your password is your first line of defense.

For sample passwords that were included in some Trojans' password dictionaries, please refer to http://www.klcconsulting.net/mirc_virus_analysis.htm and http://www.klcconsulting.net/deloder_worm.htm


This should be a good start for sound password management and user account policies.  Microsoft provides good security guidelines for Windows 2000, and you should definitely go over its recommendations in more detail.  Again, you can find more on account and group management from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/08w2kada.asp


·        Microsoft Security Best Practices on Windows 2000 servers - http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp 

·        Microsoft Solution Guide for Securing Windows 2000 Server - download

·        NSA Security Template - http://www.nsa.gov/snac/win2k/index.html 

·        NIST Security Template - http://csrc.nist.gov/itsec/guidance_W2Kpro.html 


About the Author:

Kyle Lai, CISSP, CISA, is the founder and Senior Security Engineer of KLC Consulting, Inc., where he consults with clients on emerging security issues.  He has extensive knowledge and expertise on numerous security products, technologies, and architectures.  Kyle's main areas of expertise include security risk assessments, vulnerability testing, virus analysis, security tools development, and security product analysis and research.  Kyle is also the co-author of the security utility SMAC.

About KLC Consulting:

KLC's mission is to provide a continuous effort to protect the confidentiality, integrity and availability of your corporate resources and data. Through each stage of the information security lifecycle, we help you prevent, detect, respond to, and resolve your enterprise security issues.

KLC encompasses security expertise in the MAC Address (Network Address) based Security, Networking and Application Security, Financial Institutions (GLBA), Healthcare (HIPAA) and Pharmaceutical (21 CFR Part 11), Vulnerability Management and Protection, Security Technologies Design and Implementation, and a full range of Professional Security Services.





Copyright © 2002-2011 KLC Consulting, Inc.
All rights reserved.