From the course: Windows 10: Manage and Maintain Windows 10
Use Group Policy to secure users and computers - Windows Tutorial
- [Instructor] Did you know that you can log in to your Windows PC with something other than a traditional password? You can choose a PIN or use a picture password, if you'd rather. Both are better choices on tablets because they require you only to type a few numbers or use your finger to draw three gestures on an image. You can opt to lock the screen after a specific amount of time passes and require a password when you wake it up, as well. You do all of these things from Start and Settings. To configure login options, click Accounts. Click Sign-in options. If you choose PIN, you just click Add. Type your password, and type and confirm your new PIN. You can change your password here, and here you can add a picture password. Same thing, type your password, and choose a picture. This is the one I selected, but you'll probably opt to choose a new picture, and then choose one you have saved to your computer. At the top of this screen, you can change when to require a sign-in. By default, you'll have to type a password or PIN or use your picture password every time you wake the computer from sleep. You can turn that off, though. I don't suggest it. If you do choose to set the computer to require a password after it wakes from sleep here in Settings, you want to set how long the computer should be idle before it goes to sleep. To set that, click back and open System. Here's where you can tell Windows when to turn off the screen or go to sleep. You do that from the Power and Sleep tab. I have mine set like this. Turn the screen off after 10 minutes, but when plugged in, never put the computer to sleep. That's because I work at it all the time, and I'm always near it. Passwords and requiring them are extremely important when securing your computer and the computers on your network. That said, while you can tell your computers to create passwords and perhaps even change them once a month, you can't force them to without setting group policies.
You can open the Local Group Policy Editor by typing gpedit.msc in the taskbar. I've already done that, and I have it open. To access the password settings, navigate to Computer Configuration, Windows Settings, Security Settings, Account Policies, and here is Password Policy. Let's take a look at these one at a time. The Maximum Password Age setting lets you configure how many days can pass before the user is required to change their password. You can set passwords to expire after a number of days between one and 999, or you can specify that passwords never expire by setting the number of days to zero. Often, administrators choose 30 days or 60 days, but the choice is up to you. The Enforce Password History policy setting lets you set the number of unique new passwords that must be associated with the user account before an older password can be used. If you enable Enforce Password History, you should also configure a minimum password age. Minimum Password Age states how long a user must keep their password before it can be changed. If you don't configure this setting, users can change their password as many times in a row as necessary when they're required to, and then reuse their original password. The Minimum Password Length policy lets you set the least number of characters that can make up a password. You can set a value between one and 14. If you choose zero, it means no password is required. The Passwords Must Meet Complexity Requirements setting determines whether passwords must meet certain standards. Those standards are listed here, and include the following. Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters. And passwords must be at least six characters in length. They must contain characters from three of the following four categories: uppercase characters A through Z, lowercase characters a through z, numbers, and special characters like exclamation points and dollar signs.
Finally, the Store Password Using Reversible Encryption setting provides support for applications that use protocols that require the user's password for authentication. Reversible means that the encrypted passwords can be decrypted. An attacker who is able to break this encryption can access available resources. You should never enable this policy setting unless the application requirements outweigh the need to protect password information. You can incorporate account lockout policies with the password policy settings you configure. This lets you state when and how a user will be locked out of their computer if they try to input their password several times, but fail. If you're interested in that, take a few minutes to review those entries. Here's the account lockout duration, threshold, and an account lockout counter. As an example, you can set an account threshold for invalid logon attempts, say six, and then set how long to keep the user locked out before they can try again. You can also set how much time must pass before resetting the account lockout counter. So that's about it for password security and password policies. Remember, whatever you configure here is applied to the entire computer. If you change your mind about it, come back and remove the policies you don't like.
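The settings walked through above can also be read back from a script. The following is an added example, not part of the course: it exports the local security policy with secedit and flags the three conditions the transcript warns about (reversible encryption enabled, a minimum length of zero, and password history enforced without a minimum password age). The scratch file name is an assumption; the key names are the ones secedit writes in the [System Access] section of its export.

```powershell
# Added example: audit the effective local password and lockout policy.
# Run from an elevated PowerShell prompt; secedit needs administrator rights.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # scratch file name chosen for this example
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

# Collect the "Name = Value" pairs from the [System Access] section only.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item -Path $cfg -Force

# Show the password and lockout values that were exported.
# LockoutDuration and ResetLockoutCount are only present when a threshold is set.
$keys = 'MinimumPasswordAge', 'MaximumPasswordAge', 'MinimumPasswordLength',
        'PasswordComplexity', 'PasswordHistorySize', 'ClearTextPassword',
        'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'
foreach ($k in $keys) {
    if ($policy.ContainsKey($k)) { '{0,-24} {1}' -f $k, $policy[$k] }
}

# Flag the conditions the transcript calls out.
$findings = @()
if ([int]$policy['ClearTextPassword'] -ne 0) {
    $findings += 'Store passwords using reversible encryption is enabled.'
}
if ([int]$policy['MinimumPasswordLength'] -eq 0) {
    $findings += 'Minimum password length is 0: no password is required.'
}
if ([int]$policy['PasswordHistorySize'] -gt 0 -and [int]$policy['MinimumPasswordAge'] -eq 0) {
    $findings += 'Password history is enforced but minimum password age is 0: ' +
                 'users can change passwords repeatedly and return to the original.'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```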