Enforcing Strong Passwords on a Windows XP System

You hear the message over and over, yet many users still choose to ignore it – configuring a “strong” password is critical to system security. Quite simply, most users will default to a very basic password (which is typically very easy to guess or crack) if you allow them to do so. While XP will allow “weak” passwords by default, it is possible to configure a minimum password length, or force users to use a combination of both alpha and numeric characters in their password with a couple of simple registry tweaks.

To configure a requirement for alphanumeric passwords, open Regedit and browse to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network keys. Create a new REG_DWORD value called AlphanumPwds in each and give it a value of 0 (disabled) or 1 (enabled). To configure a minimum password length, create a REG_BINARY value called MinPwdLen and set it to the minimum number of characters a password must contain. For example, 06 (6 characters) is often considered a reasonable minimum for home users, although a higher number like 08 is usually a better choice. Users may have trouble remembering longer passwords, so keep that in mind.

Configuring a Logon Banner on Windows XP

Logon banners have long been used in various operating systems to display a message that users must agree to before being granted access to the logon screen. This message often includes legal information requiring the user to agree to terms of use, or displays news or updated information about the network via a custom message configured by an administrator.

While more common to office environments, a logon banner can also be useful in the home, allowing you to configure messages that other users must agree to. For example, you could configure a message stating that the system should not be rebooted, that only authorized users are allowed to log on, or effectively whatever message strikes your fancy. Once configured, the message will be displayed in a dialog box. For details on configuring your own logon banner, see the stepped procedures below.

Step 1: Click Start, and then click Run. In the Open text box, type regedit and then click OK. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. This is the key from which a logon banner message and caption are configured.

Step 2: Double-click on the LegalNoticeCaption value. In the Value data field, type the message that you want to appear in the caption bar of the window, such as “Security notice for all XP users”. Treat this value like a heading or title for your message. Click OK to save it.

Step 3: Double-click on the LegalNoticeText value. In the Value data field, type the message that you ultimately want users to read and agree to. This might be a simple message, or a more detailed message that includes a variety of different information. Click OK, and then reboot to view the message.
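The password-policy values from the first section and the three banner steps above can be applied from one script using reg.exe, which also reads the values back so a mistyped value name shows up immediately. This is an added example, not code from the original article; the banner wording and the minimum length of 8 are placeholders to adjust, and the net accounts lines (my addition) list and set the account policy that XP's Local Security Policy reports, so both places agree.

```batch
@echo off
rem Added example (not from the original article): applies the password-policy
rem and logon-banner registry values described in the text, then reads them back.
rem Assumptions: run from an administrator account on Windows XP; the banner
rem text and the minimum length of 8 are placeholders you should change.

set NETPOL=SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

rem --- Password policy: alphanumeric passwords on, minimum length 8 ---
rem AlphanumPwds is a REG_DWORD (1 = enabled); MinPwdLen is a REG_BINARY
rem holding the length as a single byte (08 = 8 characters). Written under
rem both HKLM and HKCU, as the text describes.
for %%K in (HKLM HKCU) do (
    reg add "%%K\%NETPOL%" /v AlphanumPwds /t REG_DWORD /d 1 /f
    reg add "%%K\%NETPOL%" /v MinPwdLen /t REG_BINARY /d 08 /f
)

rem --- Logon banner: caption (title bar) and the text users must accept ---
reg add "%WINLOGON%" /v LegalNoticeCaption /t REG_SZ /d "Security notice for all XP users" /f
reg add "%WINLOGON%" /v LegalNoticeText /t REG_SZ /d "Only authorized users may log on. Do not reboot this system." /f

rem --- Read back what was written, so a typo in a value name is caught now ---
for %%K in (HKLM HKCU) do reg query "%%K\%NETPOL%"
reg query "%WINLOGON%" /v LegalNoticeCaption
reg query "%WINLOGON%" /v LegalNoticeText

rem --- Account policy (my addition): set the same minimum there and list it ---
net accounts /minpwlen:8
net accounts

echo Reboot to see the banner before the logon screen.
```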

Customizing Windows XP Logon and Authentication Settings

When it comes to configuring or customizing an XP system, one of the last things that users consider is making changes to authentication-related settings. Truth be told, authentication is one of the most important security-related features included with XP, and should be looked at as more than simply providing a valid username and password at the logon screen. Since so many of XP’s security features are tied to successfully validating a user, it’s important to become more familiar with some of the tweaks and changes that you can apply in this area.

Not all of the changes outlined in this mini-series are applicable to all users. For example, while many home users may not care whether their system includes a banner prior to the logon process, this feature is commonly implemented on office systems as a way to display a legal message prior to allowing access to the logon screen. However, other changes, such as the ability to control whether users can change their passwords, can be very useful on any multi-user system. In this mini-series we take a look at some of the most common authentication-related settings that you can change, including how to tweak them and why you may want to consider implementing them.

Configuring XP Time Settings in Domain Environments

When an XP Professional system is part of a domain environment, it will automatically synchronize its time with a domain controller running Windows 2000 or Windows Server 2003. In these environments, it is critical that the clocks on the domain controller and XP system have no more than a 5-minute variance, or logon will fail. For the sake of accuracy, configure the domain controller to use an external SNTP server, while leaving XP systems without SNTP settings configured.

Configuring XP Time Settings with the NET TIME Command

If you're attempting to manage time settings for many XP systems on a network, it doesn't make a whole lot of sense to have each system contact a time server on the Internet individually. Instead, one system could be configured to contact an external SNTP server, and others on the network could be configured to contact that system instead. To accomplish this, configure one XP system to use an SNTP server via the Internet Time tab, and then create a batch file on the other systems that includes the command net time \\192.168.1.2 /set /yes, substituting the IP address of the system configured to contact the SNTP server. Then, configure the batch file to run as often as you deem necessary using Scheduled Tasks in Control Panel. Alternatively, the NET TIME command could be added to the autoexec.bat file on each system to run automatically when Windows XP boots.
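The batch file described above, as an added example that is not part of the original article: it shows the reference clock before setting the local one, logs the result so a silent failure is noticed, and registers itself with the Task Scheduler from the command line (schtasks, the CLI equivalent of the Scheduled Tasks folder; my assumption, the text uses Control Panel). It assumes the reference machine is 192.168.1.2 as in the text, that the script is saved as C:\synctime.bat, and that the account running it may set the clock.

```batch
@echo off
rem Added example (not from the original article): synchronises this system's
rem clock from the one XP machine that talks to an external SNTP server.
rem Assumptions: reference machine 192.168.1.2 (as in the text); this script is
rem saved as C:\synctime.bat; the account running it may change the clock.

set TIMESRC=\\192.168.1.2
set LOG=C:\synctime.log

rem One-time registration: "synctime.bat install" creates an hourly task
rem running as the local System account (schtasks is my assumption; the text
rem uses the Scheduled Tasks folder in Control Panel, which does the same job).
if /i "%1"=="install" (
    schtasks /create /sc hourly /tn "Sync Time" /tr "C:\synctime.bat" /ru System
    exit /b
)

rem Show the reference clock first (no /set), so drift is visible in the
rem console output when the script is run interactively.
net time %TIMESRC%

rem Set the local clock from the reference machine without prompting.
net time %TIMESRC% /set /yes
if errorlevel 1 (
    echo %DATE% %TIME% time sync from %TIMESRC% FAILED>> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% time set from %TIMESRC%>> "%LOG%"
exit /b 0
```

A machine whose clock drifts by more than the 5-minute domain tolerance will show it in the first net time line, and the log records every run that could not reach the reference system.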

Changing Windows XP Time (SNTP) Servers

Windows XP allows you to select your preferred time server from a list found on the Internet Time tab in the Date and Time program. Although this list includes a number of servers, it's also possible to configure XP to use a time server a little closer to home by editing the Registry. The list of SNTP servers is located in the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers.

You can add additional servers to this list by creating additional values of type REG_SZ, using the next available number on the list. Once added, these time servers will be available for selection on the Internet Time tab. For a list of public SNTP servers in the UK and elsewhere, see http://support.microsoft.com/?kbid=262680. As a general rule, only second-level time servers allow public access.

Configuring Windows XP Date and Time Settings

If there’s one thing that PCs are notorious for, it’s not being terribly good at keeping the time. In fact, over the course of just a few days, it’s not uncommon for a system running XP to end up with time settings more than 5 minutes out of whack. While many users might not fret over such a small discrepancy, correct system clock settings are critical to ensure the proper operation of many applications, including databases. The good news is that Windows XP includes the Windows Time service, allowing you to synchronize your system clock with accurate Simple Network Time Protocol (SNTP) servers on the Internet. Unfortunately, the default system settings on XP also contribute to time variance issues. With a few key configuration changes, however, your system can be keeping close to perfect time automatically.

The key utility for the configuration of time settings on a Windows XP system is the Date and Time utility available via Control Panel or the System Tray. Unlike previous Windows versions, this utility now includes an Internet Time tab, as shown at right. This tab is configured to automatically synchronize your system’s time with a known SNTP server, such as time.windows.com. While synchronization with an SNTP server obviously requires an Internet connection, the default schedule at which synchronization occurs is sorely lacking – once a week by default. Although the Update Now button can be used to force synchronization immediately, it’s also possible to change this setting via the Registry as explained in the steps below:

Step 1: Click Start, type regedit, and click OK. When the Registry Editor window opens, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

Step 2: In the list of available values, find the entry named SpecialPollInterval, and double-click on it. This entry is of type REG_DWORD, and lists the current interval for synchronization, which is once per week (every 604800 seconds) by default.

Step 3: Change the value to your new preferred synchronization schedule value, in seconds. For example, to change the interval to a more reasonable value of once per day, click the Decimal radio button, type 86400 in the Value data box, and click OK.
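The server-list tweak from the previous section and the three SpecialPollInterval steps above, combined into one script. This is an added example, not code from the original article: it finds the next unused numbered value under the Servers key rather than guessing it, writes the daily interval, and restarts the Windows Time service so the new interval is read (the restart is my addition). The server name ntp.example.local is a placeholder, and the script assumes an administrator account.

```batch
@echo off
rem Added example (not from the original article): adds a local SNTP server to
rem the Internet Time tab's list and changes the poll interval to once a day.
rem Assumptions: ntp.example.local is a placeholder name; run as administrator.

set SERVERS=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
set NTPCLIENT=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

rem Find the next unused numbered value under ...\DateTime\Servers. The values
rem are named 1, 2, 3, ...; reg query returns an error for a name that is absent.
set NEXT=1
:findslot
reg query "%SERVERS%" /v %NEXT% >nul 2>&1
if not errorlevel 1 (
    set /a NEXT+=1
    goto findslot
)
reg add "%SERVERS%" /v %NEXT% /t REG_SZ /d ntp.example.local /f
echo Added ntp.example.local as server number %NEXT%

rem Poll interval in seconds: 604800 (weekly) is the default; 86400 = daily.
reg add "%NTPCLIENT%" /v SpecialPollInterval /t REG_DWORD /d 86400 /f

rem Restart the Windows Time service so the new interval takes effect
rem (my addition; the service is named w32time on XP).
net stop w32time
net start w32time

rem Confirm both changes.
reg query "%SERVERS%"
reg query "%NTPCLIENT%" /v SpecialPollInterval
```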

Customizing Scripts and Batch Files with Environment Variables

One of the most popular uses of environment variables is from within batch files. For example, you could add the following commands to an existing logon script to provide users with basic information:

@echo Thank you for logging on %username%.
@echo The current time is %time% on %date%.
@echo Your user profile is located in %userprofile%.
@echo Your home directory is located at %homedrive%%homepath%.
pause

By the same token, information provided by variables could be used within a script to make decisions. For example, an administrator might choose to copy a file to a system if the %os% variable equals Windows_NT, using an IF statement.

If scripting isn't your thing, you can still manipulate variables to serve your needs. For example, you could create your own new user variable called HIDDEN that points to a folder that you have hidden from view with the file system, and then use the %hidden% variable when you want to access that folder quickly. Similarly, you could also change the path of temporary file locations (the TMP and TEMP variables) such that all temporary files are saved to a single folder named D:\tempfolder, thus making it easier to delete or find temporary files when necessary.

Viewing and Changing Windows XP Variables

The easiest way to view the current values of all environment variables configured on your XP system is to issue the set command at the command line, as shown at left. To change environment variables (or define your own), use the Environment Variables window accessible from the System applet. Remember that you will need administrator-level access to change System variables, but that any user can change their variables in the User section. For a list of the various default variables available on Windows XP systems, see http://kennethhunt.com/archives/000933.html

Variables can also be changed directly within the Registry. For System variables, see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. For User variables, changes can be made in HKEY_CURRENT_USER\Environment.
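A logon script that ties together the ideas from the two sections above: it prints the same kind of information as the earlier snippet, uses %OS% to decide whether to copy a file, and then persists the HIDDEN, TMP and TEMP user variables through HKCU\Environment rather than the System applet. This is an added example, not the article's own script; D:\tempfolder, D:\Private\stash and \\server\share\notice.txt are placeholder paths.

```batch
@echo off
rem Added example (not from the original article): a logon script that uses
rem environment variables for output and for a decision, then persists user
rem variables through HKCU\Environment as described in the text.
rem Assumptions: D:\tempfolder, D:\Private\stash and \\server\share\notice.txt
rem are placeholders; the user may write to HKCU\Environment (any user can).

echo Thank you for logging on, %USERNAME%, at %TIME% on %DATE%.
echo Your profile is %USERPROFILE% and your home directory is %HOMEDRIVE%%HOMEPATH%.

rem Decision based on %OS%: NT, 2000, XP and 2003 all report Windows_NT, while
rem DOS-based 95/98/ME leave %OS% undefined, so the copy is skipped there.
if /i "%OS%"=="Windows_NT" (
    copy /y \\server\share\notice.txt "%USERPROFILE%\notice.txt" >nul
) else (
    echo Not an NT-based system, skipping copy.
)

rem Create the folders once: the temp folder, and a hidden folder for HIDDEN.
if not exist D:\tempfolder mkdir D:\tempfolder
if not exist D:\Private\stash (
    mkdir D:\Private\stash
    attrib +h D:\Private\stash
)

rem Persist the user variables. HKCU\Environment is the User section of the
rem Environment Variables window; REG_EXPAND_SZ lets a value reference other
rem variables. Values written here apply to windows opened after the next logon.
reg add HKCU\Environment /v TMP    /t REG_EXPAND_SZ /d D:\tempfolder /f
reg add HKCU\Environment /v TEMP   /t REG_EXPAND_SZ /d D:\tempfolder /f
reg add HKCU\Environment /v HIDDEN /t REG_SZ /d D:\Private\stash /f

rem Set the same values for this session, since the registry write alone does
rem not change a window that is already open, then check them with set.
set TMP=D:\tempfolder
set TEMP=D:\tempfolder
set HIDDEN=D:\Private\stash
set TMP
set TEMP
set HIDDEN
```

Running set with a name prefix, as at the end, is the quickest way to confirm that a script or the Environment Variables window has set what you expect before anything relies on it.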

Computer Variables in Windows XP

Windows XP also defines a number of computer-related variables by default. For example, the %windir% or %systemroot% variables can be used to access the directory in which Windows XP is installed. Although this is usually C:\WINDOWS by default, it doesn’t have to be. On systems with multiple operating systems installed, this variable makes finding the current Windows installation folder a breeze, and eliminates guesswork.

Other computer-related variables that can come in very handy include %computername%, %systemdrive%, and %os%. The %computername% variable returns the name of the computer, %systemdrive% can be used to represent the active system drive (typically drive C), and the %os% variable will display the name of the operating system in use. When using %os%, this variable will always return the value Windows_NT on any system running NT, 2000, XP, or 2003, but this can be changed if you prefer. The main purpose of this variable is to distinguish NT-based systems from DOS-based systems like 95/98/ME.