Endpoint Protection


Use HI Policy to Enforce Password Policy in a non-AD environment

Nov 12, 2010 09:32 AM

In a non-AD environment (standalone workstations, no domain GPO), how do we enforce the Password Policy of the Local Security Policy on the endpoint?

We can use SEP's Host Integrity (HI) policy to enforce this policy.

Windows ships an application named secedit.exe that applies a security template to the local policy. We write a script in the HI policy that uses this application to enforce the password policy on the endpoint.

Below are the steps for the configuration:

1. Create a HI policy on the SEPM and add a 'custom requirement'.

2. First, check the registry value named 'PasswordEnforce' under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec:

If the registry value PasswordEnforce equals 1, the endpoint has already applied this policy and no further update is needed. We can show a notification on the endpoint.

3. Show a notification on the endpoint informing the user that the password policy has already been updated:

4. If the registry value PasswordEnforce does not exist, the endpoint has not applied this policy yet, so we need to run the script to update the policy on the endpoint. Below is the content of the script (VBScript, run by the HI custom requirement):

' Write a security template (INF) that secedit.exe can apply.
' The third argument (True) creates the file as Unicode, matching the [Unicode] header below.
Set CreateFile = CreateObject("Scripting.FileSystemObject")
Set WriteFile = CreateFile.CreateTextFile("C:\Windows\PasswordEnforce.inf", True, True)
WriteFile.WriteLine("[Unicode]")
WriteFile.WriteLine("Unicode=yes")
WriteFile.WriteLine("[Version]")
WriteFile.WriteLine("signature=""$CHICAGO$""")
WriteFile.WriteLine("Revision=1")
WriteFile.WriteLine("[System Access]")
WriteFile.WriteLine("MinimumPasswordAge = 0")
WriteFile.WriteLine("MaximumPasswordAge = 30")
WriteFile.WriteLine("MinimumPasswordLength = 8")
WriteFile.WriteLine("PasswordComplexity = 1")
WriteFile.Close

' Apply the template with secedit, then record the marker value the HI policy checks in step 2.
' Run(cmd, 0, True) hides the window and waits for secedit to finish, so the marker is only
' written after the policy has actually been applied.
Set RunPasswordEnforce = WScript.CreateObject("WScript.Shell")
Const RegPasswordEnforce = "HKLM\SOFTWARE\Symantec\PasswordEnforce"
RunPasswordEnforce.Run "secedit /configure /cfg C:\Windows\PasswordEnforce.inf /db %windir%\security\Database\secsetup.sdb /log %windir%\security\logs\PasswordEnforce.log", 0, True

RunPasswordEnforce.RegWrite RegPasswordEnforce, "1", "REG_SZ"

WScript.Quit

After the script runs, the local machine's password policy is updated. The script also creates the registry value PasswordEnforce and sets it to 1.

5. Show a notification on the endpoint informing the user that the password policy has been updated:


Then, on the endpoint, the first time it receives and runs this HI policy, the user sees this notification:

If the endpoint has already applied this policy, the client receives this notification instead:

We can also create an Application Control policy to block the endpoint user from modifying the Local Security Policy through secpol.msc.
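The HI check above only tests the PasswordEnforce marker, which records that the script ran once; it does not tell us whether the settings are still in effect. The following PowerShell script is an added example (not part of the original post) that exports the current Local Security Policy with secedit and compares the [System Access] values against the ones the template sets, so drift can be detected and reported; it assumes it runs elevated, and the $Desired table and function names are this example's own.

```powershell
# Added example: verify the effective password policy instead of trusting the
# HKLM\SOFTWARE\Symantec\PasswordEnforce marker. Requires an elevated shell.

# Values the HI script's template writes (taken from the INF above).
$Desired = @{
    MinimumPasswordAge    = 0
    MaximumPasswordAge    = 30
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
}

function Get-SystemAccessPolicy {
    # Export the current policy to a temporary INF and parse the
    # [System Access] section into a hashtable of setting -> integer.
    $inf = Join-Path $env:TEMP 'CurrentPolicy.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed' }
    $result = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        # Only numeric settings are compared; string settings are skipped.
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $result[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -Force
    return $result
}

function Test-PasswordPolicy {
    param([hashtable]$Desired)
    $current = Get-SystemAccessPolicy
    # Return one record per setting that is missing or differs from the desired value.
    foreach ($name in $Desired.Keys) {
        if (-not $current.ContainsKey($name) -or $current[$name] -ne $Desired[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Desired[$name]; Actual = $current[$name] }
        }
    }
}

$drift = @(Test-PasswordPolicy -Desired $Desired)
if ($drift.Count -gt 0) {
    Write-Warning 'Password policy has drifted from the enforced values:'
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit lets a HI custom requirement treat this as a failed check
}
Write-Output 'Password policy matches the enforced settings.'
```

Running this as the HI check (or alongside the marker test) means a user who changes the Local Security Policy after the first run is detected on the next HI cycle, rather than staying compliant because the registry marker is still present.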
