IT Best Practices for Active Directory Accounts

October 10, 2019 BY MQMR Blogger

Question:

What are the best practices for Group Policy Object (GPO) settings for Active Directory accounts?

Answer:

First of all, if you don’t know what this is and you manage Risk, Compliance, and/or Data Security, please forward this to your IT department so they can review it and confirm your company meets or exceeds the best practices outlined below. If this isn’t a foreign language to you, please keep reading. The most common method of user authentication in corporate environments is an Active Directory account, with account policies and Group Policy Object (GPO) settings enforced through Group Policy. Whether or not your organization uses Active Directory to manage permissions and access to networked resources, with GPOs defining how each system is configured and behaves, the following best practice recommendations are fundamental security settings for any environment and any authenticating application:

  • Account lockout after 5 failed login attempts;
  • A lockout duration of at least 25 minutes when a lockout occurs;
  • A password expiration policy set to every 90 days at a minimum;
  • Complex password requirements: 1 capital letter, 1 lowercase letter, 1 number, 1 special character, at least 8 characters long;
  • Password history requirements: inability to reuse any of the previous 12 passwords; and
  • Idle timeout requirements that lock the end-user's terminal after 10 minutes of inactivity.

Setting the aforementioned variables along with policy implementation and enforcement provides an additional layer of security to accounts and end-user workstations.
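As an added example (not part of the original post), the PowerShell below audits a domain's default password and lockout policy, plus the machine idle-lock setting, against the thresholds listed above and reports each as PASS or FAIL. It assumes the ActiveDirectory RSAT module for a live run against `Get-ADDefaultDomainPasswordPolicy`, and ships with a constructed, deliberately weak sample policy so it can be run offline first.

```powershell
# Added example, not from the original post: audits the default domain password/lockout
# policy and the local machine-inactivity lock against the baseline in the post.
# Needs the ActiveDirectory RSAT module (Get-ADDefaultDomainPasswordPolicy) for a live run.

function Test-AdAccountBaseline {
    param([Parameter(Mandatory)] $Policy)  # Get-ADDefaultDomainPasswordPolicy output, or a look-alike object
    $min25 = [TimeSpan]::FromMinutes(25)
    $d90   = [TimeSpan]::FromDays(90)
    $checks = @(
        # LockoutThreshold 0 disables lockout entirely, so the acceptable range is 1..5.
        @{ Setting='LockoutThreshold'; Value=$Policy.LockoutThreshold; Want='1-5 failed attempts'
           Ok=($Policy.LockoutThreshold -ge 1 -and $Policy.LockoutThreshold -le 5) },
        # LockoutDuration 00:00:00 means "locked until an admin unlocks", which is stricter than 25 min.
        @{ Setting='LockoutDuration'; Value=$Policy.LockoutDuration; Want='>= 25 min (or admin unlock)'
           Ok=($Policy.LockoutDuration -eq [TimeSpan]::Zero -or $Policy.LockoutDuration -ge $min25) },
        # "Never expires" is reported as a very large TimeSpan, so an upper bound is the right test.
        @{ Setting='MaxPasswordAge'; Value=$Policy.MaxPasswordAge; Want='1-90 days'
           Ok=($Policy.MaxPasswordAge -gt [TimeSpan]::Zero -and $Policy.MaxPasswordAge -le $d90) },
        @{ Setting='MinPasswordLength'; Value=$Policy.MinPasswordLength; Want='>= 8'
           Ok=($Policy.MinPasswordLength -ge 8) },
        # Built-in complexity enforces 3 of the 4 character classes; requiring all 4 (as the post
        # lists) needs a fine-grained password policy or a password filter, not covered here.
        @{ Setting='ComplexityEnabled'; Value=$Policy.ComplexityEnabled; Want='True'
           Ok=[bool]$Policy.ComplexityEnabled },
        @{ Setting='PasswordHistoryCount'; Value=$Policy.PasswordHistoryCount; Want='>= 12'
           Ok=($Policy.PasswordHistoryCount -ge 12) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Setting=$c.Setting; Current=$c.Value; Required=$c.Want
                           Result=$(if ($c.Ok) { 'PASS' } else { 'FAIL' }) }
    }
}

# The idle lock is a machine GPO ("Interactive logon: Machine inactivity limit"), not part of the
# password policy object, so it is read from the policy registry value that setting writes.
function Test-IdleLockBaseline {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{ Setting='InactivityTimeoutSecs'; Current=$secs; Required='1-600 seconds'
                       Result=$(if ($secs -ge 1 -and $secs -le 600) { 'PASS' } else { 'FAIL' }) }
}

# Constructed sample policy (weak on purpose) so the audit runs offline; replace $sample with
# (Get-ADDefaultDomainPasswordPolicy) on a domain-joined admin host for a live result.
$sample = [pscustomobject]@{
    LockoutThreshold=0; LockoutDuration=[TimeSpan]::FromMinutes(10); MaxPasswordAge=[TimeSpan]::FromDays(180)
    MinPasswordLength=7; ComplexityEnabled=$false; PasswordHistoryCount=3
}
Test-AdAccountBaseline -Policy $sample | Format-Table -AutoSize
Test-IdleLockBaseline | Format-Table -AutoSize
```

Every row of the sample policy fails, which is the point: compare the Current and Required columns, then correct the gaps with `Set-ADDefaultDomainPasswordPolicy` (or a fine-grained policy) and the idle-lock GPO, and re-run.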