A good password policy helps users protect their passwords from other individuals. This helps to reduce the probability of someone logging on with another user’s password and gaining unauthorized access to data.
The following guidelines should help you create a basic security policy:
You can use the following Windows NT and NetWare security features to enhance Windows 98 security:
Enforce a reasonable minimum password length.
This policy increases the number of permutations needed to guess someone’s password randomly or programmatically. Additionally, you can enforce an alphanumeric password combination to achieve the same security.
Enforce maximum and minimum password age.
This policy forces the user to change the password, preventing someone else from discovering it as a result of the password being in use for a long time. A minimum password age prevents a user from immediately reverting to a previous password after a change.
Enforce password uniqueness and maintain password history.
This policy prevents users from toggling between their favorite passwords. You can specify the number of unique passwords that a user must have before that user can use a previously used password.
For more information about using Windows NT and NetWare security features, see the documentation for those products, or see the Microsoft Windows NT Server Networking Guide in the Windows NT Server Resource Kit (for Windows NT Server version 4.0) (ISBN 1-57231-343-9).
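The three rules above (minimum length with an alphanumeric requirement, minimum and maximum age, and password history) interact, and the following added example shows them enforced together. It is not code from the Resource Kit, Windows NT, or NetWare; the Account class, the threshold values, and the use of salted PBKDF2 digests for the history are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed sample thresholds (not values from the page).
MIN_LENGTH = 8
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=42)
HISTORY_SIZE = 5


def _digest(password: str, salt: bytes) -> bytes:
    # The history keeps salted PBKDF2 digests, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest), newest last
    changed_at: Optional[datetime] = None

    def must_change(self, now: datetime) -> bool:
        """Maximum age: the current password has been in use too long."""
        return self.changed_at is not None and now - self.changed_at > MAX_AGE

    def change_password(self, new: str, now: datetime) -> list:
        """Return the list of violated rules; apply the change only if empty."""
        errors = []
        if len(new) < MIN_LENGTH:
            errors.append("too short")
        if not (any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
            errors.append("not alphanumeric")
        # Minimum age stops a user cycling through the history in one sitting.
        if self.changed_at is not None and now - self.changed_at < MIN_AGE:
            errors.append("minimum age not reached")
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in self.history):
            errors.append("reused password")
        if not errors:
            salt = os.urandom(16)
            self.history.append((salt, _digest(new, salt)))
            del self.history[:-HISTORY_SIZE]  # keep only the newest entries
            self.changed_at = now
        return errors
```

A password becomes usable again only after HISTORY_SIZE newer passwords have been set, and the minimum age ensures that takes at least HISTORY_SIZE days rather than a few minutes.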
With Windows 98, users can log on to all networks and Windows 98 at the same time. The first time a user starts Windows 98, logon dialog boxes appear for Windows 98 and for each network client on that computer. This is useful for you as a network administrator, because you can use existing user accounts on a network security provider to validate access to the network for users running Windows 98. For more information, see Chapter 18, "Logon, Browsing, and Resource Sharing."
If a user’s password for Windows 98 or for another network is the same as the password for the primary logon client, Windows 98 logs the user on to Windows 98, and then the network automatically uses that password. When a user logs on to other networks with different passwords and chooses to save them, the passwords are stored in the password list file. The Windows 98 password unlocks this file. Thereafter, Windows 98 will use the passwords stored in the password list file to log a user on to other networks, so that no additional passwords need to be typed. This single logon provides a solution to the problem of password proliferation.
The Passwords option in Control Panel provides a way to synchronize logon passwords for different networks. This allows users to use the password for whatever logon dialog box appears first (the primary network logon client or Windows 98 logon) for logging on to all other network clients.
To change a password for a network resource to be the same as the Windows 98 logon password
To appear in this list, the related software must include a function that lets its password be changed.
Note
The Windows Screen Saver passwords option appears here only if the Windows screen saver has been turned on and the password-protected option has been selected.
You can maintain separate passwords for a network resource and require users to type a password each time they access it.
To change a password for a network resource
You must now type the new password to access the resource.
Note
You can also use the Passwords option to change individual passwords to other network resources to be different from the Windows 98 logon password.
To log on to a NetWare network, you must type the name of the preferred server on which the related user account is stored. After the user name and password are validated by the network server, you can use resources shared on that server. If you are not validated, you will be prompted to enter a password whenever connecting to a NetWare server during this work session.
The first time you attempt to connect to a NetWare server other than the preferred server, Windows 98 searches for an appropriate user name and password in the PWL file. If no matching set of credentials is found, Windows 98 tries to log on using the Windows 98 password. If this fails, Windows 98 displays a NetWare logon prompt for you to enter a valid user name and password, which can then be stored in the PWL file.
To avoid use of automatic NetWare logon
To change your password on a NetWare server
net use * \\nwsvr2\sys
n:
Then type:
cd \public
Note
If you want to change your password on more than one server, connect to all affected servers before running the setpass command. Setpass is a utility provided by Novell and is not part of Windows 98.
If the server on which you want to change your password is different from the one on the current drive, type setpass and the name of the server.
For example, to change your password on the server named NWSERVE1, type:
setpass nwserve1
Keeping track of multiple passwords can be a problem for users. Often, they either forget the passwords or write them down and post lists of passwords near their computers. When this happens, the security policy is no longer doing the job it was meant to do — to allow access to those who should have it and to deny access to those who should not.
Windows 98 solves this problem by storing passwords for resources in a password list file (PWL). This file stores passwords for the following network resources:
The password list file is stored in encrypted form in the Windows folder on the local computer. An unencrypted password is never sent across the network.
Caution
If you delete PWL files, you will lose all previously stored passwords. You will need to retype each password.
Password caching is enabled by default when you install Windows 98. When you access a password-protected resource for the first time, make sure the Save this password in your password list option is selected (it should be selected by default) to save the password to the password list file.
Note
If, during logon, you click Cancel to bypass the logon screen, the cache will not be opened, and you will be prompted for a password each time you attempt to use a protected resource.
You can disable password caching by using System Policy Editor, which is shipped on the Windows 98 compact disc but not automatically installed onto your system during Setup. Use the Add/Remove Programs option in Control Panel to install System Policy Editor.
To install System Policy Editor
To disable password caching by using system policies
For more information, see Chapter 8, "System Policies."
Note
If you have any share-level security servers and you disable password caching and are running Client for Microsoft Networks, you should not use the Quick Logon feature in the Network option in Control Panel.
If password caching is enabled, Windows 98 caches passwords in the password list file when you connect to a password-protected network resource. Password List Editor (Pwledit) lets you view the resources listed in a user’s password list (PWL) file. It does not let you view the actual passwords, but lets you remove specific password entries if problems are encountered using a cached password.
Password List Editor works only if the password list file is unlocked, that is, if the user is logged on. It can be used to view only the contents of the logged-on user’s password list file, so you should run it on the user’s computer.
Note
Only users themselves can view or edit their own PWL files.
Password List Editor can be found in the Netadmin\Pwledit folder on the Windows 98 compact disc.
To install Password List Editor
To run Password List Editor
You can use system policies to increase security by requiring users to follow specific password guidelines. Using system policies, you can enforce password policies.
For information about restricting settings with system policies, see Chapter 8, "System Policies."