Disable the local storage of passwords and credentials

Description
Determines whether Credential Manager saves passwords or credentials locally for later use when it gains domain authentication.
Potential risk
Locally cached passwords or credentials can be accessed by malicious code or unauthorized users.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds
To the following REG_DWORD value: 1
Disable ‘Domain member: Disable machine account password changes’

Description
Determines whether automatic password changes are enforced on computer accounts.
Potential risk
Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Disable machine account password changes
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
To the following REG_DWORD value: 0
Disable the built-in Administrator account

Description
Determines whether the built-in Administrator account is disabled.
Potential risk
The built-in Administrator account is a well-known account subject to attack by malicious actors. It cannot be locked out due to failed logons, which makes it a prime target for brute force attacks that attempt to guess passwords. Additionally, it has a well-known security identifier (SID), and there are third-party tools that allow authentication by using the SID rather than the account name, meaning that even if the account is renamed, an attacker could launch a brute force attack by using the SID to log on.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
To the following value: Disabled
Set ‘Maximum password age’ to ‘60 or fewer days, but not 0’

Description
Determines the period of time (in days) that a password can be used before the system requires the user to change it.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Setting this to less than 60 days (but not 0, which means it never expires) means an attacker has a limited amount of time in which to compromise a user’s password and have access to your network resources.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy: Maximum password age
To the following value:
greater than 0 and lower than 61
Set ‘Minimum password age’ to ‘1 or more day(s)’

Description
Determines the number of days that you must use a password before you can change it.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy: Minimum password age:
To the following value:
greater than 0
Set ‘Minimum password length’ to ‘14 or more characters’

Description
Determines the minimum password length.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy: Minimum password length
To the following value:
14 or more characters
Set ‘Reset account lockout counter after’ to 15 minutes or more

Description
Determines the length of time before the ‘Account lockout threshold’ counter resets to zero after a failed logon attempt. This reset time must be less than or equal to the value of the ‘Account lockout duration’ setting.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Setting an appropriate account lockout counter helps prevent brute-force password attacks on the system.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
To the following value: 15 or greater
Enable Local Admin password management

Description
Enables management of the local Administrator account password through Active Directory (LAPS).
This security control is only applicable for machines that are not domain controllers.
Potential risk
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all endpoints during deployment. This poses a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management
To the following value: Enable
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled
To the following REG_DWORD value: 1
Set ‘Account lockout duration’ to 15 minutes or more

Description
Determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. If configured to 0, accounts will remain locked out until an administrator manually unlocks them.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Setting an appropriate account lockout duration helps prevent brute-force password attacks on the system.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
To the following value: 15 or greater
Set ‘Account lockout threshold’ to 1-10 invalid login attempts

Description
Determines the number of failed logon attempts before the account is locked. The number of failed logon attempts should be reasonably small to minimize the possibility of a successful password attack, while still allowing for honest errors made during a legitimate user logon.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Setting an appropriate account lockout threshold helps prevent brute-force password attacks on the system.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
To the following value: Between 1 and 10
Set ‘Enforce password history’ to ‘24 or more password(s)’

Description
Determines the number of unique new passwords that are required before an old password can be reused in association with a user account.
This security control is only assessed for machines with Windows 10, version 1709 or later.
Potential risk
Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time.
Remediation options
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy: Enforce Password History
To the following value:
24 passwords remembered
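An added audit script, not part of this baseline, that checks every setting listed above on the local machine: the three registry-backed settings are read directly, and the account, lockout and Administrator-status policies are taken from a `secedit` export of the local security policy. It must run in an elevated PowerShell session; the function name and the temporary INF path are my own choices.

```powershell
# Added audit example (not part of the original baseline). Reports each setting
# above as Compliant/non-compliant against the target value the baseline states.
function Test-PasswordBaseline {
    $results = @()

    # Registry-backed settings. Default = value Windows assumes when the key is absent
    # ($null = not configured, which is reported as non-compliant).
    $regChecks = @(
        @{ Name='Do not allow storage of passwords and credentials'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value='DisableDomainCreds'; Default=0; Test={ param($v) $v -eq 1 } },
        @{ Name='Machine account password changes enabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Value='DisablePasswordChange'; Default=0; Test={ param($v) $v -eq 0 } },
        @{ Name='LAPS local admin password management'; Path='HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Value='AdmPwdEnabled'; Default=$null; Test={ param($v) $v -eq 1 } }
    )
    foreach ($c in $regChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        if ($null -eq $actual) { $actual = $c.Default }
        $results += [pscustomobject]@{ Setting=$c.Name; Actual=$actual; Compliant=($null -ne $actual -and (& $c.Test $actual)) }
    }

    # Account policies: export the effective local security policy to an INF file
    # (UTF-16, "Key = Value" lines under [System Access]) and parse it into a hashtable.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    Get-Content $inf | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Note: in the INF, MaximumPasswordAge = -1 means "never expires" (shown as 0 in GPO),
    # so the 1..60 range check rejects it. Lockout keys may be absent when the threshold is 0.
    $acctChecks = @(
        @{ Name='Maximum password age (1-60 days)';          Key='MaximumPasswordAge';    Test={ param($v) $v -ge 1 -and $v -le 60 } },
        @{ Name='Minimum password age (1 or more days)';     Key='MinimumPasswordAge';    Test={ param($v) $v -ge 1 } },
        @{ Name='Minimum password length (14 or more)';      Key='MinimumPasswordLength'; Test={ param($v) $v -ge 14 } },
        @{ Name='Enforce password history (24 or more)';     Key='PasswordHistorySize';   Test={ param($v) $v -ge 24 } },
        @{ Name='Account lockout threshold (1-10)';          Key='LockoutBadCount';       Test={ param($v) $v -ge 1 -and $v -le 10 } },
        @{ Name='Reset lockout counter after (15+ minutes)'; Key='ResetLockoutCount';     Test={ param($v) $v -ge 15 } },
        @{ Name='Account lockout duration (15+ minutes)';    Key='LockoutDuration';       Test={ param($v) $v -ge 15 } },
        @{ Name='Built-in Administrator account disabled';   Key='EnableAdminAccount';    Test={ param($v) $v -eq 0 } }
    )
    foreach ($c in $acctChecks) {
        $actual = if ($policy.ContainsKey($c.Key)) { [int]$policy[$c.Key] } else { $null }
        $results += [pscustomobject]@{ Setting=$c.Name; Actual=$actual; Compliant=($null -ne $actual -and (& $c.Test $actual)) }
    }
    $results
}

Test-PasswordBaseline | Format-Table -AutoSize
```

Any row with Compliant = False maps back to the Remediation options of the matching section above; the baseline's own requirement that the reset counter not exceed the lockout duration can be read off the two Actual values side by side.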