Recommended Settings
| Policy | Recommended Settings | Information |
| Account lockout duration | 10 minutes | Once the maximum limit of the experiment is reached, the account will be locked for 10 minutes before it can be tried again. |
| Account lockout threshold | 10 Experiments | Allows legitimate users to make some mistakes without being locked out, but restricts attackers. |
| Reset account lockout counter | 10 minutes | Sets the time at which the number of failed attempts will be reset if there are no new attempts within the period. |
Steps to Implement Local Account Policies
Implementing good local account policies is essential to improve system security. Here are the steps you can take to enforce this policy, either by using Group Policy for domain-connected computers or by using Local Security Policy for local configurations.
1. Using Group Policy for Computers Connected to Domains
For domain-connected computers, administrators can leverage Group Policy to centrally set local account policies. Here are the steps:
- Access Group Policy Management Console (GPMC) on a server or computer with administrative access rights.
- Select the appropriate organizational unit (OU) and create a new GPO or edit an existing one.
- Inside the GPO, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies.
- Adjust settings such as Password History, Maximum Password Age, Minimum Password Length, and Account Lockout Threshold according to safety recommendations.
2. Configure Local Policies with Local Security Policy
For computers that are not connected to a domain, administrators can use Local Security Policy to set local account policies. Here are the steps:
- Type secpol.msc in the Run (Windows + R) window and press Enter.
- Inside Local Security Policy, navigate to Security Settings -> Account Policies.
- Adjust the settings as in the Group Policy, including settings for passwords and account lockouts.
3. Policy Adjustment According to Company Needs
Once the basic policy is in place, it is important to tailor the policy according to the specific needs of the company. Some of the adjustment steps include:
- Conduct a risk analysis to determine the required level of security based on the sensitive data managed by the company.
- Engage stakeholders from different departments to understand their needs regarding access and security.
- Before implementing a policy broadly, test it on a small group of users to ensure that it doesn’t interfere with productivity.
- Policies should be reviewed regularly and updated by technological developments and new security threats.
Improves Local Account Security
Improving the security of local accounts is essential to protect the system from cyberattacks. Here are some steps you can take to strengthen the security of your local account:
1. Enable Multi-Factor Authentication (MFA)
Autentikasi multifactor (MFA) is a method that requires more than one way to verify identity before accessing an account. By enabling MFA, users must do more than just enter a password, such as:
- Use an authenticator app to get the code.
- Receive the code via SMS or email.
- Use biometric features such as fingerprints or facial recognition.
Implementing MFA can significantly reduce the risk of unauthorized access, even if the user’s password is successfully guessed by an attacker.
2. Use Irreversible Password Encryption
It is important to keep passwords safe. Using irreversible encryption is the best way to manage passwords. This means that passwords are stored in hashed form, so they cannot be restored to their original form. Some important things about password encryption:
- Hashing: This process converts the password into a permanent string of characters that cannot be reversed.
- Use powerful hashing algorithms such as bcrypt, Argon2, or PBKDF2 to improve the security of password storage.
- Don’t use reversible encryption as this could allow an attacker to regain the original password if they manage to access the database.
3. Align Password Policy with Azure Active Directory
Aligning local password policies with policies in Azure Active Directory (Azure AD) is important to maintain consistency in identity and access management. Some steps that can be taken are:
- Make sure that policies in Azure AD include conditions such as minimum password length, complexity, and expiration date.
- Use features like Conditional Access and Identity Protection to add an extra layer of security for users.
- If you’re using synchronization between on-premises Active Directory and Azure AD, make sure that the policies in both environments are mutually supportive and don’t conflict.