Minimum Password Lengths of 15 or More via GPO

Sunday, August 21, 2011

Rob Fuller

D8853ae281be8cfdfa18ab73608e8c3f

Also known as "How to practice what we preach". I don't know how long I've been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won't be close to their original).

But I've never tried setting it myself. Well, a client called me out. You can't! (well at least not through the UI )

TL;DR You can edit the GptTmpl.inf file in \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ and set "MinimumPasswordLength" to whatever you want it to be. (You need to replace any part of the path starting with a $ with the value applicable to your domain and group policy object)

I tested this out myself, and sure enough, once you get up to 14 on the iterator, it jumps back down to 0:


minpwlength_02.png

After some Googling I came up pretty empty handed (hence the highly SEO'd title of this post).

I asked the question on Twitter and got a bunch of different answers, but @RizzyRong's was the first one in that I could try out: (THANK YOU to everyone who shot me answers, I really appreciate it, and to those who shared my curiosity I hope this helps you out)

minpwlength_01.png

ADMod is a Joeware tool. Any windows Sys Admin should at the very least know of these tools as Penetration Testers use them to great effect:


minpwlength_03.png

RizzyRong's instructions are straight forward and so was the tool:


minpwlength_04.png

For copy paste purposes thats: admod -default minpwdlength::15

w00t, done right? Lets check:


minpwlength_05.png

We have a winner! Testing out a user:


minpwlength_06.png

14 characters…

minpwlength_07.png

Cool. This applied to the Default Domain Policy. That's a problem if I want to move this setting around or I don't actually apply the default policy to any objects.

I also ran into some file permission errors when trying to set other GPO settings after I ran ADMod: (If anyone knows a better way to operate ADMod to this end please leave a comment below).


minpwlength_08.png

Alright, well need definitely need a cleaner and more repeatable / flexible solution. After fixing the file permission issues I noticed that in that file was my setting. I wonder if I can set this manually and have it actually stick.

Lets try, we need the GUID, so lets make a policy that we can apply anywhere we want and as many times we want with JUST that minimum password length setting.


minpwlength_09.png

GUID acquired. To make Microsoft do most of the work we need to set the minimum password length setting in that policy to 14 or whatever, just so that we don't have to remember file and folder structure for the GPO.

Next we go to the location where the policy setting is stored: \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ (replacing the 2 $DOMAIN instances with our domain name and $PolicyGUID with the GUID we copied from the policy page.

If we set the policy to 14 there should be a line in the GptTmpl.inf file (you can open it with Notepad) that says 'MinimumPasswordLength = 14', change that to 15 or whatever you wish as so:


minpwlength_10.png

We check back or simply refresh our GPO settings:


minpwlength_11.png

Sweet, it's there, again, just to be thorough we test and sure enough it works.

A few quick notes: Your users might complain about a few popups:


minpwlength_12.png

Not much you can do about this one, and I doubt your users will care, but this next one might get you a few support calls:

minpwlength_13.png

I haven't found a way to make that say anything other than 14 characters (for that matter the 24 previous passwords number is incorrect as well)

If anyone knows how to fix this dialog or disable the previous one I am all ears. Please leave a comment so others can know how as well.

Update 1:

Jason mentioned that if you don't increment the policy version in %SystemRoot\SYSVOL\domain\Policies\{PolicyGuid}\GPT.ini then it won't get pushed to the domain.

Thanks Jason!

Update 2:

'cc' commented below, but I thought this should be hilighted...

"In a 2K3 domain, the password policy can only be specified in the "default domain policy" object. Policies defined elsewhere are ignored"

Are you F@#$!!@#! serious? Microsoft you suck...

Update 3:

After a bit some complaining on twitter, ArchangelAmael came back with: https://twitter.com/#!/ArchangelAmael/status/95921096762728448

And points at: http://technet.microsoft.com/en-us/library/cc738216(WS.10).aspx

This basically says that you can have it in a separate policy but it needs to supersede the default group policy at the domain level (making it essentially pointless to do so for anything other than ease of administration and beautification of the GPO list) (which is a valid reason for doing so)

if you need to apply policy at the OU level it needs to be in a Windows 2008 functional level domain.

Cross-posted from Room362

Help Support Infosec Island by Tweeting and Stumbling our Articles - Thanks!

Possibly Related Articles:
30989
Network Access Control
Information Security
Passwords Tools Penetration Testing SysAdmin GPO Default Domain Policy
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.