With cyberattacks exploding around the world, it’s more important than ever for organizations to have a robust password policy. Hackers often gain access to corporate networks through legitimate user or admin credentials, leading to security incidents and compliance failures. In this article, we will explore how to create and maintain a strong and effective Active Directory password policy.
How Attackers Compromise Corporate Passwords
Adversaries use a variety of techniques to compromise corporate passwords, including the following:
- Brute force attack — Hackers run programs that enter various potential passwords for a particular user account until they hit upon the right one.
- Dictionary attack — This is a specific form of brute force attack that involves trying words found in the dictionary as possible passwords.
- Password spraying attack — Adversaries try common passwords against multiple user accounts to see if they work.
- Credential stuffing attack — Hackers use automated tools to enter lists of credentials against various company login portals.
- Spidering — Adversaries collect as much information as possible about a hacking target and then try out passwords created using that data.
How to View and Edit Active Directory Password Policy
To defend against these attacks, organizations need a strong Active Directory password policy. Password policies define rules for password creation, such as minimum length, complexity (like whether a special character is required) and the length of time the password lasts before it must be changed to a different one.
To configure a domain password policy, admins can use the Default Domain Policy, a Group Policy Object (GPO) that contains settings that affect all objects in the domain. To view or edit this GPO:
- Open the Group Policy Management Console (GPMC).
- Expand the Domains folder, choose the domain whose policy you want to access and choose Group Policy Objects.
- Right-click the Default Domain Policy folder and click Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
Alternatively, you can access your domain password policy by executing the following PowerShell command:
Get-ADDefaultDomainPasswordPolicy
Remember, any changes you make to a domain’s default password policy apply to every account in that domain. You can create and manage fine-grained password policies using the Active Directory Administrative Center (ADAC) in Windows Server.
Understanding AD Password Policy Settings
Here are the six password policy settings and their default values:
- Enforce password history — Default is 24. This setting specifies the number of unique passwords users must create before reusing an old password. Keeping the default value is recommended to reduce the risk of users having passwords that have been compromised.
- Maximum password age — Default is 42 days. This setting establishes how long a password can exist before the system forces the user to change it. Users typically get a pop-up warning when they reach the end of their password expiration period. You can check this setting for a given account from a PowerShell or command prompt by executing the command net user USERNAME /domain. Keep in mind that forcing frequent password changes can lead to users writing their passwords down or simply appending the month to a stem word they reuse, practices that actually increase security risks. Setting “Maximum password age” to 0 means that passwords never expire (which is generally not recommended).
- Minimum password age — Default is 1 day. This setting specifies how long a password must exist before the user is permitted to change it. Setting a minimum age keeps users from resetting their password repeatedly to circumvent the “Enforce password history” setting and reuse a favorite password immediately.
- Minimum password length — Default is 7. This setting establishes the fewest number of characters a password can have. While shorter passwords are easier for hackers to crack, requiring really long passwords can lead to lockouts from mistyping and to security risks from users writing down their passwords. Best practices recommend a minimum password length of at least 8.
- Complexity requirements — Default is Enabled. This setting details the types of characters a user must include in a password string. Best practices used to recommend leaving this setting enabled, but password length is now seen as a better strategy than complexity or frequent changes. Complexity requirements typically require the password to include a mix of:
  - Uppercase and lowercase letters (A through Z and a through z)
  - Numeric characters (0–9)
  - Non-alphanumeric characters like $, # or %
  - No more than two consecutive characters taken from the user’s account name or display name
- Store passwords using reversible encryption — Default is Disabled. This setting exists to support applications that need to read a user’s plaintext password in order to authenticate the user. Admins should keep this setting disabled, because an attacker who obtains the stored password data and knows how to reverse this encryption can recover the password and log into the network as that account. As an exception, you can enable this setting when using Internet Authentication Services (IAS) or the Challenge Handshake Authentication Protocol (CHAP).
Fine-Grained Policy and How It’s Configured
Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) has made it possible for admins to create multiple password policies to better meet business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It’s important that you define your organizational structure thoughtfully so it maps to your desired password policies.
While you define the default domain password policy within a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder and then click on the Password Settings Container.
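As an added example (not code from the article or from Netwrix), the same PSO can be created and applied with the ActiveDirectory PowerShell module instead of through ADAC. The PSO name, the threshold values and the target group are assumptions chosen to match the stricter rule set for admin accounts described above.

```powershell
# Added example, not from the article: create a fine-grained password policy
# (a PSO in the Password Settings Container) and apply it to Domain Admins.
# Needs the ActiveDirectory module (RSAT) and rights to create PSOs.
# The PSO name and all threshold values below are assumptions for illustration.
Import-Module ActiveDirectory

$psoName = 'PSO-DomainAdmins'   # assumed name
$subject = 'Domain Admins'      # group the PSO will apply to

# Splatted parameter set for New-ADFineGrainedPasswordPolicy.
$psoParams = @{
    Name                            = $psoName
    Precedence                      = 10      # lowest value wins when several PSOs apply
    MinPasswordLength               = 15      # stricter than the domain default
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 3)
    MaxPasswordAge                  = (New-TimeSpan -Days 180)
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false  # never store recoverable passwords
    LockoutThreshold                = 10      # failed attempts before lockout
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}

# Create the PSO only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @psoParams
}

# Link the PSO to the group. PSOs apply to users and global security groups,
# so the group is the unit of assignment.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify: show what the PSO applies to and the settings that took effect.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold
```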
NIST SP 800-63 Password Guidelines
The National Institute of Standards and Technology (NIST) is a federal agency charged with issuing controls and requirements around managing digital identities. Special Publication 800-63B covers standards for passwords. Revision 3 of SP 800-63B, issued in 2017 and updated in 2019, is the current standard.
These guidelines provide organizations with a foundation for building a robust password security infrastructure. NIST recommendations include the following:
- Require user-generated passwords to be at least 8 characters long (6 for machine-generated ones).
- Allow users to create passwords up to 64 characters long.
- Allow users to use any ASCII/Unicode characters in their passwords.
- Disallow passwords with sequential (“12345” or “abcd”) or repeated (“kkkk”) characters.
- Do not require frequent password changes. Although for years many organizations have required users to change their passwords frequently, this policy often leads to users making incremental changes to a base password, writing their passwords down, or experiencing lockouts because they forget their new passwords. Accordingly, the latest NIST 800-63B standards call for using password expiration policies carefully. More recent research suggests that better alternatives include using banned password lists, using longer passphrases and enforcing multi-factor authentication (MFA) for additional security.
AD Password Policy Best Practices
Summary of Best Practices
- Set a minimum password length of at least 8 characters.
- Enforce a password history policy that looks back at the last 10 passwords of a user.
- Make the minimum password age 3 days to keep users from quickly rotating through historical passwords and setting a previous one.
- Check proposed new passwords against banned password lists, lists of breached passwords and password dictionaries.
- Reset local admin passwords every 180 days (consider using the free Netwrix Bulk Password Reset tool for that).
- Reset device account passwords at least once per year.
- Require passwords for domain admin accounts to be at least 15 characters long.
- Set up email notifications to let users know passwords are about to expire (the free Netwrix Password Expiration Notifier tool can help).
- Consider creating granular password policies to link with specific organizational units instead of editing the Default Domain Policy settings.
- Consider using password management tools to store passwords.
- Enable users to change passwords via a web browser and help them pick compliant new passwords.
- Set up account lockout policies to avoid brute force attacks.
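The Get-ADDefaultDomainPasswordPolicy one-liner from the "How to View and Edit" section returns the same settings the summary above sets thresholds for, so an added example (not code from the article or from Netwrix) can turn that summary into an audit: it checks the default domain policy against those thresholds and lists Domain Admins whose effective policy falls short of the 15-character rule. The check names and output format are this example's own.

```powershell
# Added example, not from the article: audit the default domain password policy
# against the thresholds in the summary above and list Domain Admins whose
# effective policy falls short of the 15-character rule. Needs the
# ActiveDirectory module (RSAT); check names and output format are this
# example's own.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy   # same object the article's one-liner prints

function Test-DomainPasswordPolicy {
    param($Policy)
    # Each entry: the rule from the summary and whether the live policy meets it.
    @(
        @{ Rule = 'Minimum password length >= 8';       Pass = $Policy.MinPasswordLength -ge 8 }
        @{ Rule = 'Password history >= 10';             Pass = $Policy.PasswordHistoryCount -ge 10 }
        @{ Rule = 'Minimum password age >= 3 days';     Pass = $Policy.MinPasswordAge -ge (New-TimeSpan -Days 3) }
        # MaxPasswordAge of 0 (or the special "never" value) means passwords never expire.
        @{ Rule = 'Maximum password age set (expires)'; Pass = $Policy.MaxPasswordAge -gt [TimeSpan]::Zero }
        @{ Rule = 'Reversible encryption disabled';     Pass = -not $Policy.ReversibleEncryptionEnabled }
        @{ Rule = 'Account lockout threshold set';      Pass = $Policy.LockoutThreshold -gt 0 }
    ) | ForEach-Object { [pscustomobject]$_ }
}

Test-DomainPasswordPolicy -Policy $policy | Format-Table Rule, Pass -AutoSize

# Domain Admins: report members whose effective minimum length is below 15
# or whose password is flagged never to expire.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Where-Object { $_.objectClass -eq 'user' }
foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordNeverExpires
    # Returns the PSO that applies, or nothing if only the domain default applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $minLen = if ($pso) { $pso.MinPasswordLength } else { $policy.MinPasswordLength }
    if ($minLen -lt 15 -or $user.PasswordNeverExpires) {
        [pscustomobject]@{
            Account              = $user.SamAccountName
            EffectiveMinLength   = $minLen
            PasswordNeverExpires = $user.PasswordNeverExpires
            AppliedPolicy        = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        }
    }
}
```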
80% of data breaches are the result of poor or reused passwords (Verizon Data Breach Report). These password policy best practices will help you establish strong security in your Active Directory.
Learn more about why weak passwords pose a serious threat — and how to reduce your risk. Watch the recorded session with Brian Johnson (CISSP, OSCP and president of 7 Minute Security) to find out how weak the passwords are in your organization, and what you can do to strengthen this part of your security strategy.
During this session, you'll learn:
- How you can manually audit your environment for weak and common passwords
- Where to download lists of weak and common passwords
- “Hidden” places on the network (like Active Directory, Group Policy objects and file shares) where passwords often live unbeknownst to sysadmins — but not hackers!
- How you can enforce granular password policies to significantly reduce your risk from password attacks
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.
For more information, visit www.netwrix.com.