Windows Password Policy Lab

Enforce enterprise-grade password requirements in Windows 11 using Local Security Policy and GUI validation.

Lab Objectives

  • Review existing local password policy defaults on Windows 11.
  • Configure strict requirements: minimum length, complexity, history, and expiration.
  • Set aggressive account lockout thresholds to defend against brute-force attempts.
  • Validate changes through Local Security Policy summaries and sign-in testing, then document the final configuration.

Part 1: Baseline Assessment

  1. Launch Local Security Policy (press the Windows key, type secpol.msc, and press Enter), then expand Account Policies > Password Policy.
  2. Review each setting and capture a screenshot of the current configuration (minimum length, maximum age, history, complexity).
  3. Switch to Account Lockout Policy and note the existing threshold, duration, and reset values for comparison later.

Part 2: Enforce Strict Password Rules

  1. Double-click Password must meet complexity requirements and set it to Enabled. This forces upper, lower, number, and symbol usage.
  2. Configure Minimum password length to 12 characters. (Enter 12 and apply.)
  3. Set Enforce password history to 24 remembered passwords so users cannot reuse previous values.
  4. Adjust Maximum password age to 45 days and Minimum password age to 1 day, ensuring regular rotation and blocking immediate re-use.
  5. Verify that Store passwords using reversible encryption remains Disabled; leaving it enabled would store credentials in a form that can be decrypted back to the plaintext password.

Part 3: Configure Account Lockout Policy

  1. In Local Security Policy, switch to Account Policies > Account Lockout Policy.
  2. Set Account lockout threshold to 5 invalid logon attempts. Confirm the prompt to automatically adjust duration/reset timers.
  3. Change Account lockout duration to 30 minutes.
  4. Set Reset account lockout counter after to 30 minutes so failed attempts only clear after a cooldown.

Part 4: Apply and Verify

  1. Sign out and back in (or lock and unlock) to ensure policies refresh, then reopen Local Security Policy to confirm the updated values are in place.
  2. In Computer Management > Local Users and Groups, create a temporary test user and attempt to set a password that fails complexity (e.g., password). Confirm Windows rejects it with an explanatory message.
  3. Try changing the test user’s password twice in a row to verify history enforcement, and attempt three incorrect sign-ins to observe the lockout warning.
  4. Capture screenshots of the updated policy values and any rejection prompts as proof of enforcement. Remove the test user when finished.

Quick Reference

  • Local Security Policy: secpol.msc
  • Group Policy Management: Use GPMC for domain-wide enforcement
  • Resultant Set of Policy: rsop.msc to verify applied settings

For scripted deployments, use secedit /export to capture the current settings as a security template, or use Group Policy Management Console (GPMC) to define domain-wide baselines.
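The following PowerShell script is an added example, not part of the lab page or of any Microsoft tooling; it scripts the same procedure the four parts above walk through in the GUI (baseline capture, the Part 2 and Part 3 settings, and the Part 4 verification) using the secedit /export and /configure commands mentioned for scripted deployments. The folder under $LabDir, the file names, and the Get-SystemAccessSettings helper are assumptions made for this example; the setting keys are the standard [System Access] names that secedit itself writes to an exported template.

```powershell
# Added example (not from the lab page): script the lab's policy changes and checks with secedit.
# Run from an elevated PowerShell prompt on the lab machine. $LabDir and the file names are assumed.
#Requires -RunAsAdministrator

$LabDir   = Join-Path $env:TEMP 'PasswordPolicyLab'   # assumed working folder for this example
New-Item -ItemType Directory -Path $LabDir -Force | Out-Null
$Baseline = Join-Path $LabDir 'baseline.inf'
$Template = Join-Path $LabDir 'strict-policy.inf'
$Database = Join-Path $LabDir 'strict-policy.sdb'
$After    = Join-Path $LabDir 'after.inf'

# Part 1: export the current local security policy (the baseline, in text form instead of a screenshot).
secedit /export /cfg $Baseline /areas SECURITYPOLICY | Out-Null

# Helper (assumed name): parse the [System Access] section of a secedit .inf into a hashtable.
function Get-SystemAccessSettings {
    param([string]$InfPath)
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

# The lab's target values: 12 characters, 24 remembered, 45/1 day max/min age, complexity on,
# reversible encryption off, lockout after 5 attempts with 30 minute duration and 30 minute reset.
$Expected = [ordered]@{
    MinimumPasswordLength = 12
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 45
    MinimumPasswordAge    = 1
    PasswordComplexity    = 1
    ClearTextPassword     = 0    # "Store passwords using reversible encryption" = Disabled
    LockoutBadCount       = 5
    LockoutDuration       = 30
    ResetLockoutCount     = 30
}

# Parts 2 and 3: write a security template containing only the settings we change, then apply it.
$inf  = @('[Unicode]', 'Unicode=yes', '[System Access]')
$inf += $Expected.GetEnumerator() | ForEach-Object { "$($_.Key) = $($_.Value)" }
$inf += @('[Version]', 'signature="$CHICAGO$"', 'Revision=1')
Set-Content -Path $Template -Value $inf -Encoding Unicode

secedit /configure /db $Database /cfg $Template /areas SECURITYPOLICY /quiet | Out-Null

# Part 4: re-export and compare every expected key against what is now in effect.
secedit /export /cfg $After /areas SECURITYPOLICY | Out-Null
$Applied = Get-SystemAccessSettings -InfPath $After
$drift = foreach ($key in $Expected.Keys) {
    if ([string]$Applied[$key] -ne [string]$Expected[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $Applied[$key] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize; throw 'Policy did not apply as expected.' }
'All password and lockout settings match the lab values.'

# Cross-check against the built-in summary (same figures the lab reads in Local Security Policy).
net accounts
```

Keep baseline.inf alongside the screenshots from Part 1: diffing it against after.inf is the text equivalent of the before/after evidence the Completion Checklist asks for, and the same comparison loop can be re-run later to detect drift from the 12/24/45/1 and 5/30/30 values.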

Completion Checklist

  • Baseline password policy captured before changes.
  • Strict length, complexity, history, and age rules enforced.
  • Account lockout thresholds adjusted to 5/30/30 minutes.
  • Verification evidence captured via Local Security Policy screenshots and failed password attempts.