Local account management is essential for enterprise administrators for security and access management. With cyber threats on the rise, organizations must ensure local accounts are properly managed to protect sensitive data and maintain system integrity.
Good management helps administrators control access to systems and applications through strict policies on passwords, access rights, and user activity monitoring. This reduces the risk of account abuse and ensures only authorized users can access important resources.
Weak policies raise the security risk: weak passwords, or no account lockout after repeated failed login attempts, give attackers an opening. Without monitoring, suspicious activity can go undetected and lead to data leaks or system damage.
Windows 11 provides security features to help administrators manage local accounts. Through Group Policy, administrators can establish strict security policies, including Password Policy and Account Lockout Policy, which protect local accounts with strong authentication standards, thereby reducing the likelihood of cyberattacks. By leveraging this feature, organizations can improve system security and protect digital assets from external threats.


Password Policy
Password settings are a core part of a security policy because they protect local accounts from unauthorized access. The policy consists of rules that ensure every password in use meets the organization's security standard.
Some important elements of a password policy include:
1. Password History
The password history policy sets how many previous passwords Windows remembers for each user; none of those passwords can be chosen again when the user changes their password. The goal is to stop users from cycling straight back to a recent password, which keeps the account more secure.
2. Maximum Password Age
The maximum password age is the longest time a password may be used before it must be replaced. This setting forces users to change their passwords regularly, reducing the window of misuse if a password is leaked. It is recommended that the maximum password age be set to 30 days.
3. Minimum Password Length
The minimum password length is the smallest number of characters a password must contain. Length matters because it determines how long a brute-force attack takes to exhaust the search space. The recommended minimum password length is 14 characters.
4. Password Complexity Requirements
Password complexity policies require different combinations of characters, including uppercase letters, lowercase letters, numbers, and symbols. The goal is to make passwords harder for attackers to guess or crack. This policy should be implemented so that each password meets the complexity standard. An example of a password that meets this rule is Pssw0rd2023!.
Password Policy Settings Recommendation Table
| Policy | Recommended Setting | Information |
| --- | --- | --- |
| Enforce password history | 24 passwords remembered | Reduces the likelihood of users reusing a recent password. |
| Maximum password age | 30 days | Encourages periodic password changes for privileged accounts. |
| Minimum password age | 1 day | Prevents users from changing a password several times in one day just to cycle back to a favorite password, which would defeat the history setting. |
| Minimum password length | 14 characters | Longer passwords are harder to guess or brute-force. |
| Password must meet complexity requirements | Enabled | Ensures that each password has a strong combination of character types. |
| Store passwords using reversible encryption | Disabled | Avoids storing passwords in a form that can be decrypted back to clear text. |
Account Lockout Policy
An account lockout policy is a rule that governs when and how an account will be locked after multiple failed login attempts. The purpose of this policy is to protect the system from cyberattacks, especially brute force attacks, where attackers attempt to guess passwords with multiple attempts.
Account lockout policies work by limiting the number of login attempts allowed in a given time. For example, if a user enters the wrong password more than the specified limit, the account will be locked for a certain period. This makes brute force attacks more difficult, as attackers can’t keep trying unlimited password combinations. By locking out accounts after multiple failed attempts, this policy gives administrators time to monitor and address potential threats.
Recommended Settings
| Policy | Recommended Setting | Information |
| --- | --- | --- |
| Account lockout duration | 10 minutes | Once the lockout threshold is reached, the account stays locked for 10 minutes before sign-in can be attempted again. |
| Account lockout threshold | 10 invalid logon attempts | Allows legitimate users to make a few mistakes without being locked out while still restricting attackers. |
| Reset account lockout counter after | 10 minutes | The period after which the count of failed attempts is reset to zero if no further failed attempts occur. |
Steps to Implement Local Account Policies
Implementing good local account policies is essential to improve system security. Here are the steps you can take to enforce this policy, either by using Group Policy for domain-connected computers or by using Local Security Policy for local configurations.
1. Using Group Policy for Computers Connected to Domains
For domain-connected computers, administrators can leverage Group Policy to centrally set local account policies. Here are the steps:
- Access Group Policy Management Console (GPMC) on a server or computer with administrative access rights.
- Select the appropriate organizational unit (OU) and create a new GPO or edit an existing one.
- Inside the GPO, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies.
- Adjust settings such as Enforce password history, Maximum password age, Minimum password length, and Account lockout threshold according to the security recommendations above.
2. Configure Local Policies with Local Security Policy
For computers that are not connected to a domain, administrators can use Local Security Policy to set local account policies. Here are the steps:
- Type secpol.msc in the Run (Windows + R) window and press Enter.
- Inside Local Security Policy, navigate to Security Settings -> Account Policies.
- Adjust the settings as in the Group Policy, including settings for passwords and account lockouts.
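The tables above give the recommended values and the two procedures above apply them by hand. The following PowerShell script is an added example, not code from the original article: it exports the computer's effective Account Policies with the built-in secedit.exe, compares every setting against the recommended values from both tables, and can write a minimal security template back with secedit to enforce them. The setting names are those of the [System Access] section of a secedit template; the script assumes Windows 11 with the default secedit.exe and must run elevated. On a domain-joined computer, domain Group Policy overrides anything applied locally.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: audit the local computer's
# Account Policies against the recommended values from the tables above and,
# if asked, apply them with the built-in secedit.exe.

# Recommended values from the article, keyed by their names in the
# [System Access] section of a secedit security template.
$Recommended = [ordered]@{
    PasswordHistorySize   = 24   # Enforce password history
    MaximumPasswordAge    = 30   # Maximum password age (days)
    MinimumPasswordAge    = 1    # Minimum password age (days)
    MinimumPasswordLength = 14   # Minimum password length (characters)
    PasswordComplexity    = 1    # Password must meet complexity requirements: Enabled
    ClearTextPassword     = 0    # Store passwords using reversible encryption: Disabled
    LockoutBadCount       = 10   # Account lockout threshold (invalid logon attempts)
    LockoutDuration       = 10   # Account lockout duration (minutes)
    ResetLockoutCount     = 10   # Reset account lockout counter after (minutes)
}

function Get-LocalAccountPolicy {
    # Export the effective local security policy and parse the numeric
    # settings in its [System Access] section into a hashtable.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $section = ''
    $values  = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $values
}

function Compare-LocalAccountPolicy {
    # One row per setting: current value, recommended value, and whether they match.
    $current = Get-LocalAccountPolicy
    foreach ($name in $Recommended.Keys) {
        [pscustomobject]@{
            Setting     = $name
            Current     = $current[$name]
            Recommended = $Recommended[$name]
            Compliant   = ($current[$name] -eq $Recommended[$name])
        }
    }
}

function Set-LocalAccountPolicy {
    # Write a minimal security template containing only [System Access] and
    # apply it. Settings not listed in the template are left unchanged.
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $sdb = Join-Path $env:TEMP 'secpol-apply.sdb'
    $template = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[System Access]'
    )
    foreach ($name in $Recommended.Keys) { $template += "$name = $($Recommended[$name])" }
    Set-Content -Path $inf -Value $template -Encoding Unicode
    & secedit.exe /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $sdb -ErrorAction SilentlyContinue
}

# Report drift first; uncomment the last line to enforce the recommended values.
Compare-LocalAccountPolicy | Format-Table -AutoSize
# Set-LocalAccountPolicy
```

Run the audit on its own first so the drift report can be reviewed before anything is changed; the same Compare-LocalAccountPolicy output, run after the pilot described in the next step, confirms that the policy landed as intended. Because the template only carries the [System Access] section, secedit leaves the rest of the local security policy untouched.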
3. Policy Adjustment According to Company Needs
Once the basic policy is in place, it is important to tailor the policy according to the specific needs of the company. Some of the adjustment steps include:
- Conduct a risk analysis to determine the required level of security based on the sensitive data managed by the company.
- Engage stakeholders from different departments to understand their needs regarding access and security.
- Before implementing a policy broadly, test it on a small group of users to ensure that it doesn’t interfere with productivity.
- Review policies regularly and update them as technology and the threat landscape change.
Improving Local Account Security
Improving the security of local accounts is essential to protect the system from cyberattacks. Here are some steps you can take to strengthen the security of your local account:
1. Enable Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a method that requires more than one way of verifying identity before an account can be accessed. With MFA enabled, users must do more than just enter a password, for example:
- Use an authenticator app to get the code.
- Receive the code via SMS or email.
- Use biometric features such as fingerprints or facial recognition.
Implementing MFA can significantly reduce the risk of unauthorized access, even if the user’s password is successfully guessed by an attacker.
2. Use Irreversible Password Encryption
Protecting stored passwords is essential, and storing them irreversibly is the right way to do it: the password is kept only as a hash, from which the original password cannot be recovered. Key points about password storage:
- Hashing: a one-way function turns the password into a fixed-length digest that cannot be turned back into the password.
- Use strong, slow hashing algorithms designed for passwords, such as bcrypt, Argon2, or PBKDF2, so that stored hashes resist offline cracking.
- Don't use reversible encryption, because an attacker who gains access to the database (and the key) could recover the original passwords.
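To show what "irreversible" storage means in practice, here is an added PowerShell example that is not from the original article: it stores a password as a salted PBKDF2-HMAC-SHA256 hash (one of the algorithms named above) and verifies a later login attempt against that record with a constant-time comparison. The record layout (algorithm$iterations$salt$hash) and the iteration count are this example's own choices, and it assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, for the Rfc2898DeriveBytes constructor that takes a HashAlgorithmName.

```powershell
# Added example, not part of the original article: one-way password storage
# with PBKDF2-HMAC-SHA256 and verification without ever decrypting anything.
using namespace System.Security.Cryptography

$Iterations = 600000   # work factor (this example's choice); raise it as hardware gets faster
$SaltBytes  = 16       # random per-password salt so equal passwords hash differently
$HashBytes  = 32

function New-PasswordHash {
    param([Parameter(Mandatory)][string]$Password)
    $salt = [byte[]]::new($SaltBytes)
    $rng  = [RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt) } finally { $rng.Dispose() }
    $kdf = [Rfc2898DeriveBytes]::new($Password, $salt, $Iterations, [HashAlgorithmName]::SHA256)
    try { $hash = $kdf.GetBytes($HashBytes) } finally { $kdf.Dispose() }
    # Self-describing record so the parameters can be raised later without
    # breaking verification of older entries. Only the hash is stored, never the password.
    $fields = @($Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash))
    return 'pbkdf2-sha256${0}${1}${2}' -f $fields
}

function Test-PasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$StoredRecord
    )
    $fields = $StoredRecord.Split('$')
    if ($fields.Count -ne 4 -or $fields[0] -ne 'pbkdf2-sha256') { return $false }
    $iterations = [int]$fields[1]
    $salt       = [Convert]::FromBase64String($fields[2])
    $expected   = [Convert]::FromBase64String($fields[3])
    # Recompute the hash from the supplied password with the stored salt and parameters.
    $kdf = [Rfc2898DeriveBytes]::new($Password, $salt, $iterations, [HashAlgorithmName]::SHA256)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    # Compare every byte regardless of where the first mismatch is, so the
    # response time does not leak information about the stored hash.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    return ($diff -eq 0)
}

# Constructed demonstration input: the article's own sample password.
$record = New-PasswordHash -Password 'Pssw0rd2023!'
$record
Test-PasswordHash -Password 'Pssw0rd2023!' -StoredRecord $record
Test-PasswordHash -Password 'Pssw0rd2024!' -StoredRecord $record
```

The stored record contains the salt and the iteration count alongside the hash, so verification needs nothing secret and the work factor can be increased for new records while old ones remain verifiable. Because a fresh random salt is drawn for every call, hashing the same password twice yields two different records, which defeats precomputed lookup tables.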
3. Align Password Policy with Azure Active Directory
Aligning local password policies with policies in Azure Active Directory (Azure AD) is important to maintain consistency in identity and access management. Some steps that can be taken are:
- Make sure that policies in Azure AD include conditions such as minimum password length, complexity, and expiration date.
- Use features like Conditional Access and Identity Protection to add an extra layer of security for users.
- If you’re using synchronization between on-premises Active Directory and Azure AD, make sure that the policies in both environments are mutually supportive and don’t conflict.
