Utilize complex usernames/passwords
It’s very important to use mix of special characters, numbers, upper & lower case letters, non-words and require longer length. Don’t use standard usernames such as administrator, user, user1, test, admin, etc. Avoid creating passwords that include your name, dictionary words or reusing passwords from other accounts. You may want to increase the default minimum length beyond 6 characters. Using simple passwords is the easiest way for someone to compromise your server – do NOT use simple passwords that are vulnerable to brute-force and dictionary attacks.
You can enforce strong/complex passwords and policies at Local Security Policy, Security Settings, Account Policies, Password Policy, see policies including “password must meet complexity requirements” (or this can be done via gpedit.msc, Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy) – the password complexity policy should be enabled by default on Windows Server 2016 but you should verify and adjust policies if needed (such as keeping password complexity enabled but increase the password length policy to a higher number of characters). After changing policies, you should always test your changes.
Also, please note that the “user much change password at next logon” selection box in user properties does not work with RDP sessions. A workaround is to have users manually change their password upon logon by pressing control-alt-end and following the change password prompts within a desktop session.
See following links for additional info:
Make sure to keep this policy Disabled, “Store password using reversible encryption”, as described here: https://technet.microsoft.com/en-us/library/hh994559%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396