Weak credentials remain the number one way hackers get into business systems. Despite years of awareness campaigns, "123456" and common dictionary words still top the list of most commonly used login details. On Windows 11, you have built-in tools to enforce strong requirements and restrict access -- you just need to turn them on.
This guide walks you through configuring Windows 11 credential policies and access controls so your business computers are protected from the most common attacks.
Why Windows 11 Credential Requirements Matter
Modern cracking tools can test billions of combinations per second. A simple 8-character string with only lowercase letters can be cracked in seconds. But a 14-character string with mixed characters could take centuries to crack with the same tools.
The difference between a vulnerable system and a secure one often comes down to whether you've enforced proper requirements. Windows 11 gives you the tools to do this -- here's how to use them.
Configure Credential Policies in Local Security Policy
Windows 11 Pro and Enterprise editions include Local Security Policy, where you can enforce rules for all users on the computer.
Step-by-Step: Set Requirements
- Press Win + R, type secpol.msc, and press Enter
- Navigate to Account Policies → Password Policy
- Configure the following settings:
  - Enforce password history -- Set to 12 passwords remembered (prevents reusing old passwords)
  - Maximum password age -- Set to 90 days (forces periodic changes)
  - Minimum password age -- Set to 1 day (prevents users from cycling through changes just to get back to an old password)
  - Minimum password length -- Set to 12 characters (14+ is even better)
  - Password must meet complexity requirements -- Set to Enabled (requires a mix of uppercase, lowercase, numbers, and symbols)
- Click OK to save each setting
Modern Best Practice
While periodic changes are still widely recommended, NIST now suggests focusing on length over forced rotation. A strong 16-character passphrase that rarely changes is more secure than a complex 8-character string that changes every 30 days (because users tend to create predictable patterns). Consider setting maximum age to 180 days or longer if you enforce strong lengths.
Configure Account Lockout Policies
Account lockout policies prevent brute-force attacks by temporarily locking an account after too many failed login attempts.
- In secpol.msc, navigate to Account Policies → Account Lockout Policy
- Configure the following:
  - Account lockout threshold -- Set to 5 invalid logon attempts
  - Account lockout duration -- Set to 30 minutes
  - Reset account lockout counter after -- Set to 30 minutes
This means if someone (or a bot) enters the wrong credentials 5 times, the account locks for 30 minutes. This dramatically slows down brute-force attacks while giving legitimate users a reasonable window to try again.
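The two policy sections above can be verified from the command line instead of clicking through secpol.msc. The following script is an added example, not part of the original guide: it exports the local security policy with secedit and checks each password and lockout setting against the values recommended above (the function name Test-LocalPasswordPolicy is our own).

```powershell
# Added example (not from the original article): export the local security
# policy with secedit and check the password and lockout settings against the
# values recommended above. Run from an elevated PowerShell prompt.
function Test-LocalPasswordPolicy {
    # INF key names as written by secedit, mapped to the recommended value.
    $recommended = [ordered]@{
        PasswordHistorySize   = 12   # Enforce password history
        MaximumPasswordAge    = 90   # days (-1 in the export means "never")
        MinimumPasswordAge    = 1    # days
        MinimumPasswordLength = 12   # characters
        PasswordComplexity    = 1    # 1 = Enabled
        LockoutBadCount       = 5    # Account lockout threshold (0 = lockout off)
        LockoutDuration       = 30   # minutes
        ResetLockoutCount     = 30   # minutes
    }

    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

    # The [System Access] section holds lines such as "MinimumPasswordLength = 12".
    $current = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $recommended.Contains($Matches[1])) {
            $current[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($name in $recommended.Keys) {
        $want = $recommended[$name]
        # A key missing from the export (e.g. the lockout keys when lockout is off) is a FAIL.
        $have = if ($current.ContainsKey($name)) { $current[$name] } else { $null }
        $ok = if ($null -eq $have) { $false } else {
            switch ($name) {
                'MaximumPasswordAge' { $have -ge 1 -and $have -le 180 }   # 90 recommended; up to 180 with long passwords
                'PasswordComplexity' { $have -eq 1 }
                'LockoutBadCount'    { $have -ge 1 -and $have -le $want }  # fewer attempts is stricter
                default              { $have -ge $want }                   # larger is stricter for the rest
            }
        }
        [pscustomobject]@{
            Setting     = $name
            Current     = $have
            Recommended = $want
            Status      = if ($ok) { 'OK' } else { 'FAIL' }
        }
    }
}

Test-LocalPasswordPolicy | Format-Table -AutoSize
```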
Create Separate User Accounts
One of the biggest security mistakes in small businesses is everyone sharing one administrator account. Every person should have their own user account, and most users should not have administrator privileges.
Create Standard User Accounts
- Open Settings (Win + I)
- Go to Accounts → Other users
- Click "Add other user" or "Add account"
- Follow the prompts to create the account
- Under Account type, select "Standard User" (not Administrator)
Why Standard Accounts Matter
Standard user accounts can't:
- Install software system-wide
- Modify system settings
- Access other users' files
- Disable security features
This means if a standard user accidentally downloads malware, the damage is contained to their account. The malware can't install itself at the system level or spread to other users' data.
Manage Administrator Access
Keep administrator accounts to an absolute minimum. Ideally:
- One dedicated admin account for system management (not used for daily work)
- Standard accounts for everyone -- including the business owner for their daily tasks
- Never use the built-in "Administrator" account for daily work
Disable the Built-in Administrator Account
- Press Win + R, type lusrmgr.msc, and press Enter
- Click Users
- Right-click the Administrator account
- Select Properties
- Check "Account is disabled"
- Click OK
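The account steps above (create a standard user, keep administrators to a minimum, disable the built-in Administrator) can also be scripted and, more usefully, audited. This is an added example, not from the original guide; the user name, full name and folder of "business owner" policy are constructed placeholders, and it identifies the built-in Administrator by its well-known RID 500 rather than by name, because the name can be changed.

```powershell
# Added example (not from the original article): create a standard user,
# list who currently holds local administrator rights, and make sure the
# built-in Administrator (RID 500) is disabled. Run from an elevated prompt.
# "j.doe" / "Jane Doe" are constructed placeholders.
$userName = 'j.doe'
$initialPassword = Read-Host -AsSecureString "Initial password for $userName"

if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    # Membership in "Users" (and not "Administrators") is what makes this a
    # standard account.
    New-LocalUser -Name $userName -Password $initialPassword -FullName 'Jane Doe' `
        -Description 'Standard user account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $userName
    # Force a password change at first logon so the initial value is short-lived.
    Set-LocalUser -Name $userName -PasswordNeverExpires $false
    net user $userName /logonpasswordchg:yes | Out-Null
}

# Audit: every member of the local Administrators group and whether it is enabled.
Write-Host 'Local administrators:'
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $state = if ($_.ObjectClass -eq 'User') {
        $u = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
        if ($u) { if ($u.Enabled) { 'enabled' } else { 'disabled' } } else { 'domain/unknown' }
    } else { $_.ObjectClass }
    '  {0,-35} {1}' -f $_.Name, $state
}

# The built-in Administrator is disabled by default on a clean Windows 11
# install, so this is usually a verification rather than a change.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) {
    Disable-LocalUser -SID $builtin.SID
    Write-Host "Disabled built-in account '$($builtin.Name)'"
} else {
    Write-Host "Built-in account '$($builtin.Name)' is already disabled"
}
```

Any enabled account other than your one dedicated admin account in the audit list is a candidate for demotion to a standard user.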
Use a Password Manager
Enforcing strong, unique passwords for every account is impossible without a dedicated password manager (not to be confused with the built-in Windows Credential Manager). When Windows requires 12+ character complex passwords that change periodically, your team needs a tool to keep track of them.
Recommended password managers for businesses:
- 1Password Business -- Excellent team sharing and admin controls
- Bitwarden -- Open source and affordable, with a self-hosting option
- Keeper -- Strong compliance features and secure file storage
A password manager lets your team:
- Generate unique, complex credentials for every account
- Auto-fill login details so nobody takes shortcuts
- Securely share access when needed
- Instantly revoke access when someone leaves
Restrict Access to Sensitive Files and Folders
Not every employee needs access to everything. Windows 11 lets you set permissions on files and folders so people only see what they need.
Set Folder Permissions
- Right-click the folder you want to protect
- Select Properties → Security tab
- Click Edit to change permissions
- Click Add to add specific users or groups
- Set appropriate permissions:
  - Read -- Can view files but not modify them
  - Read & Execute -- Can open and run files, but not change them
  - Modify -- Can edit and delete files
  - Full Control -- Complete access, including changing permissions (reserve for admins only)
- Remove unnecessary users from the permission list
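One thing the Edit dialog hides is inheritance: entries inherited from the parent folder (commonly Users: Read & Execute) cannot be removed until inheritance is disabled under Advanced. The script below is an added example, not from the original guide, that applies the same least-privilege layout with Get-Acl/Set-Acl; the folder path C:\BusinessData\Payroll and the local group PayrollStaff are constructed placeholders.

```powershell
# Added example (not from the original article): lock a folder down so that
# only SYSTEM, Administrators and one local group can use it. Disabling
# inheritance is the step that makes "remove unnecessary users" actually
# take effect. Folder and group names are constructed placeholders; the
# group must already exist. Run from an elevated prompt.
$folder       = 'C:\BusinessData\Payroll'
$allowedGroup = 'PayrollStaff'

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

$acl = Get-Acl -Path $folder
# $true  = stop inheriting from the parent
# $false = do not keep copies of the inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries that were already set on the folder itself.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Apply to this folder, its subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rules   = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    @{ Identity = $allowedGroup;            Rights = 'Modify' }   # edit/delete, but cannot change permissions
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Identity, $r.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $folder -AclObject $acl

# Verify: everything listed here is explicit (IsInherited = False).
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```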
Enable BitLocker Drive Encryption
Strong credentials don't help if someone steals the physical hard drive and reads the data directly. BitLocker encrypts your entire drive so data is unreadable without proper authentication.
- Open Control Panel → System and Security → BitLocker Drive Encryption
- Click "Turn on BitLocker" for your system drive
- Choose how to unlock: PIN or USB key
- Save your recovery key -- print it or save it to a USB drive (not on the encrypted drive itself)
- Choose "Encrypt entire drive" for maximum security
- Select "New encryption mode" for fixed drives
- Click Start encrypting
Don't Forget
Store your BitLocker recovery key somewhere safe and separate from the computer. If you lose both your unlock method and the recovery key, the data on the drive is permanently inaccessible -- by design.
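The same steps (TPM+PIN unlock, recovery key stored off the drive, entire drive encrypted, new encryption mode) can be done with the BitLocker PowerShell module. This is an added example and not part of the original guide; the recovery-key location E:\BitLockerRecovery stands for a USB drive and is a constructed placeholder.

```powershell
# Added example (not from the original article): enable BitLocker on the
# system drive with TPM+PIN, XTS-AES 256 ("new encryption mode") and
# full-drive encryption, saving the recovery key to a drive other than the
# one being encrypted. E:\ is a constructed placeholder for a USB key.
# Run from an elevated prompt on a machine with a TPM.
$drive        = 'C:'
$recoveryRoot = 'E:\BitLockerRecovery'
$pin          = Read-Host -AsSecureString 'BitLocker startup PIN (6+ digits)'

if ((Get-BitLockerVolume -MountPoint $drive).VolumeStatus -ne 'FullyDecrypted') {
    throw "$drive is already encrypted or encryption is in progress; nothing to do."
}
if (-not (Test-Path $recoveryRoot)) { New-Item -ItemType Directory -Path $recoveryRoot | Out-Null }

# Add the numerical recovery password BEFORE encrypting so there is always a way back in.
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

# The protector ID is what the recovery screen shows, so keep it next to the key.
$file = Join-Path $recoveryRoot ('BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@(
    "Computer:          $env:COMPUTERNAME"
    "Drive:             $drive"
    "Protector ID:      $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $file
Write-Host "Recovery key saved to $file -- store it away from this computer."

# No -UsedSpaceOnly, so the entire drive is encrypted, not just used space.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus
```

Check ProtectionStatus reports On once encryption finishes; until then the drive is not yet protected.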
Quick Security Checklist
Here's a summary of everything you should configure on each Windows 11 business computer:
- Minimum 12-character passwords with complexity enabled
- Account lockout after 5 failed attempts
- Separate user accounts for each employee
- Standard (non-admin) accounts for daily use
- Built-in Administrator account disabled
- Password manager deployed for the team
- File permissions set on sensitive folders
- BitLocker encryption turned on
- Multi-factor authentication enabled on all accounts
These steps don't require any special software or expensive tools -- they're all built into Windows 11. Taking an hour to configure them properly can prevent the kind of breach that costs businesses thousands of dollars and weeks of recovery time.
Want help configuring these settings across all your business computers? Contact our team and we'll get your entire organization locked down properly.