DoD STIG CAT II: Windows Server 2019 manually managed application/service account password must be of sufficient length to prevent being easily cracked. It must be at least 15 characters in length.
By default properties of passwords used with the domain accounts are determined through domain-based password policies. You can configure password policies by editing GPOs linked at the domain level. Even though if you set password policies at GPOs linked at the OU and the site level, these policies have no effect on the properties of user passwords. Remember that you can have only one set of domain password policies configured through group policy. The GPO order at t the domain level determines the domain password policy. The exceptions to the rule about one password policy per domain are fine-grained password policies.
You can force to set minimum of 14 characters length in the domain policy but the requirement is minimum of 15 characters in length. We can overcome this obstacle by the following options:
- Fine-grained password polices with no limit
Fine-grained password policies enable us to have separate password policies within a single domain. Unlike Group Policy-based password policies, which apply at the domain level, you can apply fine-grained password policies to global security groups or individual user accounts. Fine-grained password policies can’t be applied to domain local or universal security groups, only to global security groups.
You create and manage fine-grained password policies through the Active Directory Administrative Center. To create a new Password Settings Objects(PSO), open the Active Directory Administrative Center and navigate to the Password Settings Container (PSC), which is located int eh System Container of the domain. From the Tasks menu, select New, and then select Password Settings. The PSC enables you to view the precedence of PSOs. Password settings with lower precedence values override password settings with higher precedence values.
If a PSO applies to a user account, either directly or indirectly through group membership, that POS overrides the existing password and account lockout policies configured at the domain level.
2. Relax Minimum Password Length
Using this setting, minimum password length setting will be enforced across the domain.
Enforcement of minimum password lengths of 15-characeter or more on Windows Server or Windows 10 was added to Windows server, version 2004 or Windows 10 version 2004. When Relax minimum password length limits setting is defined and enabled, this setting my be configure from 0 to 128 characters. Setting the required number of characters to 0 means that no password is required. Note, by default, member computers follow the configuration of their domain controllers.
You won’t see the above setting if you try to edit GPO using the older version of Windows. I installed RSAT tool on Windows 10 21H2 and I was able to see the Relax minimum password length limits. This settings will be reversed if you edit the GPO on an older version of Windows to standard limit of 14 characters even if you have previously increased the setting to a higher value.
User Fine-grained password policy if you want to implement separate password polices in domain and apply to a global security group or an individual user. Relax Minimum Password length setting could be used to implement a domain wide standard minimum password length requirement.