Password complexity is only a useful defence against dictionary attacks. I could remove any admin or user password in the time it takes to reboot any Windows server if allowed access to the console.
Just ensure you have your updates done and don't run too many services on any box; shut down any service you don't need, etc.