Construct a solid Active Directory password policy
Most user authentication still relies on a strong password to keep attackers at bay. Here's how to keep your guard up without adding to your administrative workload.
The information technology landscape offers many different methods to authenticate users, including digital certificates, one-time password tokens and biometrics.
However, there is no escaping the ubiquity of the password. The best Active Directory password policy for your organization should meet the threshold for high security and end-user satisfaction while minimizing the amount of maintenance effort.
Password needs adjust over time
Before the release of Windows Server 2008, Active Directory (AD) password policies were scoped exclusively at the domain level. The AD domain represented the fundamental security and administrative boundary within an AD forest.
The guidance at the time was to give all users within a domain the same security requirements. If a business needed more than one password policy, then your only choice was to break the forest into one or more child domains or separate domain trees.
Windows Server 2008 introduced fine-grained password policies, which allow administrators to assign different password settings objects to different AD groups. Your domain users would have one password policy while you would have different policies for domain administrators and your service accounts.
More security policies mean more administrative work
Deploying multiple password policies within a single AD domain allows you to check your compliance boxes and have additional flexibility, but there are trade-offs. First, increasing the complexity of your Active Directory password policy infrastructure results in greater administrative burden and increased troubleshooting effort.
Second, the more intricate the password policy, the unhappier your users will be. This speaks to the information security counterbalance between security strength on one side and user convenience on the other.
What makes a quality password? For the longest time, we had the following recommendations:
- minimum length of 8 characters;
- a mixture of uppercase and lowercase letters;
- inclusion of at least one number;
- inclusion of at least one non-alphanumeric character; and
- no fragments of a username.
Ideally, the password should not correspond to any word in any dictionary to thwart dictionary-based brute force attacks. One way to develop a strong password is to create a passphrase and "salt" the passphrase with numbers and/or non-alphanumeric characters.
The key to remembering a passphrase is to make it as personal as possible. For example, take the following phrase: The hot dog vendor sold me 18 cold dogs.
That phrase may have some private meaning, which makes it nearly impossible to forget. Next, we take the first letter of each word and the numbers to obtain the following string: Thdvsm18cd.
If we switch the letter s with a dollar sign, then we've built a solid passphrase of Thdv$m18cd.
Striking the right balance
One piece of advice I nearly always offer to my consulting clients is to keep your infrastructure as simple as possible, but not too simple. What that means related to your Active Directory password policy is:
- keep your domains to a minimum in your AD forest;
- minimize your password policies while staying in compliance with your organizational/security requirements;
- relax the password policy restrictions; and
- encourage users to create a single passphrase that is both easy to remember but hard to guess.
Password guidelines adjust over time
Relax the password policy? Yes, that's correct. In June 2017, the National Institute of Standards and Technology (NIST) released Special Publication 800-63B, which presented a more balanced approach between usability and security.
When you force your domain users to change their passwords regularly, they are likely to reuse some portion of their previous passwords, such as password, password1, password2, and so forth.
The new NIST guidance suggests that user passwords:
- range between 8 and 64 characters in length;
- have the ability to use non-alphanumerics, but do not make it a requirement;
- prevent sequential or repeating characters;
- prevent context-specific passwords such as user name and company name;
- prevent commonly used passwords; and
- prevent passwords from known public data breaches.
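As an added example, not code from the article: a small Python checker that implements the NIST-style rules in the list above (length, sequential and repeating runs, context words, common and breached lists) and also reproduces the first-letter passphrase derivation from the hot dog example earlier. The COMMON_PASSWORDS and BREACHED_PASSWORDS sets and the context words are constructed placeholders standing in for the breach corpora and common-password lists a real deployment would load.

```python
import re

# Constructed sample lists; a real deployment would load a breach corpus
# and a most-common-passwords list (the data the third-party tools tap into).
COMMON_PASSWORDS = {"password", "password1", "password2", "123456", "qwerty"}
BREACHED_PASSWORDS = {"Summer2017!", "Welcome1"}


def derive_passphrase(phrase, substitutions=None):
    """Keep the first letter of each word and numbers whole, then apply
    character swaps, reproducing the article's Thdvsm18cd -> Thdv$m18cd steps."""
    tokens = re.findall(r"[A-Za-z0-9]+", phrase)
    password = "".join(t if t.isdigit() else t[0] for t in tokens)
    for old, new in (substitutions or {}).items():
        password = password.replace(old, new)
    return password


def has_sequential_run(pw, n=3):
    """True if any n adjacent characters step up or down by exactly one (abc, 321)."""
    for i in range(len(pw) - n + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def has_repeating_run(pw, n=3):
    """True if the same character appears n or more times in a row (aaa)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def check_password(pw, context_words=(), common=COMMON_PASSWORDS, breached=BREACHED_PASSWORDS):
    """Return the names of the NIST-style rules the candidate fails ([] means accepted)."""
    failures = []
    if not 8 <= len(pw) <= 64:
        failures.append("length")
    if has_sequential_run(pw):
        failures.append("sequential")
    if has_repeating_run(pw):
        failures.append("repeating")
    lowered = pw.lower()
    if any(word and word.lower() in lowered for word in context_words):
        failures.append("context")
    if lowered in common:
        failures.append("common")
    if pw in breached:
        failures.append("breached")
    return failures
```

Running check_password on the article's Thdv$m18cd returns an empty list, while Password1 fails only the common-password rule.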
Boost password quality with help from tools
These are great suggestions, but they are difficult to implement with native Active Directory password policy tools. For this reason, many businesses purchase a third-party password management tool, such as Anixis Password Policy Enforcer, ManageEngine ADSelfService Plus, nFront Password Filter, Specops Password Policy, Thycotic Secret Server and Tools4ever Password Complexity Manager, to name a few.
Third-party password policy tools tap into the cloud to take advantage of public identity breach databases, lists of the most common passwords and other sources to make your domain password policy much more contemporary and organic. It's worth considering the cost of these products when you consider the potential loss from a data breach that happened because of a weak password.