๐ŸชŸPassword Policies (from Windows)

Enumerating & Retrieving Password Policies

net.exe

๐Ÿ”ณnet.exe

Code

net accounts

Example

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

PowerView

๐Ÿ”ญPowerView

Code

import-module .\PowerView.ps1
Get-DomainPolicy

Example

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\example.LOCAL\sysvol\example.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Additional Info:

  • It also revealed that password complexity is enabled (PasswordComplexity=1)

Analyzing the Password Policy

  • The minimum password length

  • The account lockout threshold

  • The lockout duration

  • Accounts unlock automatically or requires administrator's intervention

  • Password complexity is enabled, meaning that a user must choose a password with 3/4 of the following: an uppercase letter, lowercase letter, number, special character

Default Password Policy

Policy
Default Value

Enforce password history

24 days

Maximum password age

42 days

Minimum password age

1 day

Minimum password length

7

Password must meet complexity requirements

Enabled

Store passwords using reversible encryption

Disabled

Account lockout duration

Not set

Account lockout threshold

0

Reset account lockout counter after

Not set

PreviousPassword PoliciesNextnet.exe

Last updated