Keep your domain user accounts in check or suffer the consequences

In Part 3 of his series on Active Directory security, expert Derek Melber signals a warning about securing user accounts in your domain.

This is the third installment of a four-part series on Active Directory security by expert Derek Melber.

So far we have focused on administrative concepts of your Active Directory network -- dealing with domain controller security and Active Directory delegation. This article turns the focus onto the security of user accounts within the domain. Since user accounts are the targets of most attacks on the network, it is important to protect them. There are numerous configurations that need to be performed to ensure that user accounts are secured and their inherent exposure is reduced.

Priority one for domain user accounts is to configure account policies

On the list of priorities for securing domain user accounts, configuring account policies is at the top. The account policies are located and configured in one of the Group Policy objects found in your Active Directory domain. The reason that the account policies are so important is that they control the user passwords. Within the account policy, the password minimum length, maximum age, complexity requirements, etc. are set.

It should come as no surprise that many Active Directory enterprises don't have sufficient password policy restrictions. If you run a Windows 2000 Active Directory, or have upgraded from one to Windows Server 2003 Active Directory, there is a good chance that your password requirements are not very secure. Ideally, your policy on passwords should be to make them as long as possible (7 to 14 characters) and not allow repeated passwords. You should also enforce the use of more than one type of character within the password (such as upper case, lower case and numbers).

Challenge: Attempt to change your password to a short, dictionary word, something like "dog." If that fails, try something longer but still common, like "password." If you are successful, try to change it again, making the old and new passwords the same.

Making sure passwords expire

We all are fully aware of the pain involved when we consider all of the usernames and passwords we must remember for work, home and Internet Web sites. To force these passwords to expire is really out of the question, or is it?

With the current password-cracking tools that exist, it is essential to set business passwords to expire after 30 to 45 days. If they are not set to expire within this time, an attacker is given too much time to acquire the essential password information (password hash) and break its code.

IT administrators, developers and executives are notorious for configuring user accounts with passwords that don't expire. Although it's convenient, it is very dangerous -- not only because the password never changes, but because if one of those accounts is compromised, the attacker would have either administrative control or access to key company files as an executive.

If you want to challenge your network, run a tool like SomarSoft's DumpSec against all user accounts in the Active Directory database, looking specifically at the user accounts that have "non-expiring passwords."
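As an added example (not part of the article, and not a DumpSec or PolicyMaker feature), the following PowerShell performs the two checks discussed above with the ActiveDirectory RSAT module: it compares the default domain password policy against the length and age values recommended here, then lists enabled user accounts whose passwords never expire and flags any that sit in privileged groups. The report path is an assumed location.

```powershell
# Added example, not the article's own tooling. Requires the ActiveDirectory
# module and read access to the domain. Thresholds follow the article's
# recommendations; the CSV output path is an assumption.
Import-Module ActiveDirectory

$MinLength  = 7    # article: passwords of 7 to 14 characters
$MaxAgeDays = 45   # article: expire after 30 to 45 days
$ReportPath = 'C:\Temp\NonExpiringPasswords.csv'   # assumed output location

# 1. Audit the account policy (default domain password policy).
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); want at least $MinLength"
}
# A MaxPasswordAge of 0 days, or an absurdly large value, both mean "never expires".
if ($policy.MaxPasswordAge.Days -eq 0 -or $policy.MaxPasswordAge.Days -gt $MaxAgeDays) {
    $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.Days) days; want 30 to 45"
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity is disabled'
}
if ($policy.PasswordHistoryCount -lt 1) {
    $findings += 'PasswordHistoryCount is 0; users may reuse the same password'
}
$findings | ForEach-Object { Write-Warning $_ }

# 2. List enabled users flagged "password never expires", with password age
#    and membership in built-in privileged groups.
$privilegedPattern = 'CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'
$nonExpiring = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties PasswordLastSet, MemberOf, Description |
    Select-Object SamAccountName,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null } } },
        @{ n = 'PrivilegedGroups'
           e = { ($_.MemberOf | Where-Object { $_ -match $privilegedPattern }) -join ';' } },
        Description

$nonExpiring | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$nonExpiring | Export-Csv -Path $ReportPath -NoTypeInformation
```

Accounts that appear in the list with a non-empty PrivilegedGroups column are the ones the article singles out as most dangerous, and a PasswordAgeDays value above 45 shows how long the static credential has been exposed.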

A common complaint that administrators have is that service accounts and administrator account passwords are hard to manage. However, with a tool like Desktop Standard Corp.'s PolicyMaker, administrator and service account passwords can be changed easily and centrally using Group Policy.

Weak passwords are a top security vulnerability that exists on most Windows networks. It was only with Windows Server 2003 Active Directory domains that more stringent password policies were enforced during a default installation. Make sure all account policy settings at your company provide a secure environment to protect against attacks. In the same vein, user accounts with non-expiring passwords are a recipe for disaster. Ensure that all administrator, developer, executive and service account passwords are changed on the same 30- to 45-day interval, like all other user accounts.

Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at 'The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at
