I've been given a requirement to enforce a minimum password length of 15 characters on my Windows-based systems. Supposedly, this is possible and is being done on some other systems already. However, I can't seem to get it to work.
The key problem appears to be that the policy is normally limited to only accepting values of 0 to 14.
I've tried setting it higher, but it does not work.
How is anyone able to get around this?
I need a solution that will work both through domain-based GPO and on standalone systems. If possible, I need a fix that's backward-compatible down to XP/2003. Third-party tools are not an option.
Yes, you can, but I don't believe it's supported. You would have to modify Active Directory using ADSIEdit.msc. If you view the attributes for the AD Schema, there is a Min-Pwd-Length attribute. Change this attribute's value to 15 and the minimum password length of 15 will be enforced. Read more about it here: https://msdn.microsoft.com/en-us/library/ms677113%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
You can create a registry-based policy that will stuff 15 as the value for minimum password length. A method is described here.
You create a policy that applies to all the machines in the domain (a domain-wide policy; make sure it won't conflict with existing policies that set the minimum password length by policy means, as you have tried) that will set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\MinPwdLen value to BINARY 0x0F. If your domain is 2012 or above, you can now configure a longer password using "Fine-Grained Password Policies", or a Password Settings Object (PSO).
NOTE: XP/2003 have been out of support for a long time. Strong passwords can't protect you. There is an RCE called "Eternal Blue" in SMB that makes passwords for these old systems obsolete. Anyone can log in remotely without a password now.
DETAIL: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
PSOs in Windows 2012+
Setting up PSOs within Windows 2012+ is easy and won't affect users until they attempt their next password change.
Complete the PSO settings and assign a User or User Group target. To assign the policy to all users, use “Domain Users”. Notice in this test we have specified 20 characters to be the minimum length for acceptable passwords.
SOURCE: https://www.blackhillsinfosec.com/increase-minimum-character-password-length-15-policies-active-directory/
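As an added example (not part of the answer above or of the linked article), the same PSO setup can be scripted with the ActiveDirectory PowerShell module and then verified per user; the policy name "PSO-MinLen15" and the test account "jdoe" are assumed placeholders.

```powershell
# Added example: create a Fine-Grained Password Policy (PSO) enforcing a 15-character minimum,
# assign it to Domain Users, and confirm the effective policy for one account.
# Assumes the ActiveDirectory module (RSAT) and a domain functional level of 2008 or later.
# "PSO-MinLen15" and "jdoe" are constructed placeholders, not values from the original page.
Import-Module ActiveDirectory

# Fine-grained password policies need domain functional level Windows Server 2008 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level '$($domain.DomainMode)' does not support fine-grained password policies."
}

$psoName = "PSO-MinLen15"

# Create the PSO only if it does not already exist (the script is safe to re-run).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $params = @{
        Name                        = $psoName
        Precedence                  = 10      # lower value wins if several PSOs apply to the same user
        MinPasswordLength           = 15      # the value the built-in GPO setting cannot exceed (max 14)
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        ReversibleEncryptionEnabled = $false
        Description                 = "Enforce a 15-character minimum password length"
    }
    New-ADFineGrainedPasswordPolicy @params
}

# Target every user in the domain, as the answer suggests, by assigning the PSO to "Domain Users".
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Domain Users"

# Verify: the resultant policy shows which PSO (if any) actually governs a given account.
# A null result means no PSO applies and the Default Domain Policy (max 14) is still in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity "jdoe"
if ($null -eq $effective) {
    Write-Warning "No PSO applies to jdoe; the Default Domain Policy still governs this account."
} elseif ($effective.MinPasswordLength -ge 15) {
    Write-Output "OK: jdoe is governed by '$($effective.Name)' with MinPasswordLength=$($effective.MinPasswordLength)."
} else {
    Write-Warning "jdoe is governed by '$($effective.Name)' with MinPasswordLength=$($effective.MinPasswordLength) (< 15); check PSO precedence."
}
```

As the answer notes, the PSO is enforced at the next password change, so existing shorter passwords remain valid until users are made to rotate them.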