Balancing Windows security with reasonable password policies


Kevin Beaver, CISSP
10.07.2009
It seems that weak passwords are at the heart of every large data breach.

I'm actually surprised we don't hear about weak passwords more often. Some of the biggest and most glaring security risks I report on in my work are good old-fashioned weak passwords. I see them on Windows servers and workstations, SQL Server systems, Internet Information Services (IIS), and Outlook Web Access. The risk knows no boundaries.

Many people credit hackers with their elaborate set of techniques that only the brightest of propeller heads can perpetrate. Maybe a few exploits fall into this category, but by and large it's the tried and true weak passwords and other security basics that'll get you every time.

So, what can you do about it? Well, Windows administrators and managers have at their disposal one of the greatest password policy enforcement tools ever built: Microsoft Active Directory. Within AD, you have the ability to control 100% of your Windows-related passwords. This might sound like a no-brainer, but many people still don't take advantage of its benefits. Even standalone systems allow you to use local security policies in Windows and derive the same benefits.

In otherwise secure Windows environments, I often see the basics such as "Password must meet complexity requirements" and "Enforce password history" disabled, while at the same time "Maximum password age" is enabled – much to the chagrin of users. Sometimes I'll even see the exact specifications that Microsoft recommends for strong passwords. Having a 42-day maximum password age may be considered a best practice, but that doesn't mean it's right for your business.
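As an added example (not part of Beaver's article), the PowerShell below reads the default domain password policy and compares it with the settings an organisation's own written policy specifies, flagging the gaps the article describes (complexity or history disabled, a maximum age that does not match what the business decided). The threshold values and the function name Test-DomainPasswordPolicy are assumptions for illustration; it requires the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example, not from the original article: audit the default domain
# password policy against the values your management-approved policy defines.
Import-Module ActiveDirectory

# Assumed example thresholds; replace them with the ones your own policy states.
$Required = @{
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24    # passwords remembered
    MinPasswordLength    = 12
    MaxPasswordAgeDays   = 90    # the 42-day default is not right for every business
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Required)

    $p = Get-ADDefaultDomainPasswordPolicy

    # MaxPasswordAge is a TimeSpan; a zero value means "password never expires",
    # which we treat as exceeding any limit the policy sets.
    $maxAgeDays = if ($p.MaxPasswordAge.TotalDays -eq 0) { [int]::MaxValue }
                  else { [int]$p.MaxPasswordAge.TotalDays }

    $checks = @(
        @{ Name = 'Password must meet complexity requirements'
           Current = $p.ComplexityEnabled
           Ok = ($p.ComplexityEnabled -eq $Required.ComplexityEnabled) }
        @{ Name = 'Enforce password history'
           Current = $p.PasswordHistoryCount
           Ok = ($p.PasswordHistoryCount -ge $Required.PasswordHistoryCount) }
        @{ Name = 'Minimum password length'
           Current = $p.MinPasswordLength
           Ok = ($p.MinPasswordLength -ge $Required.MinPasswordLength) }
        @{ Name = 'Maximum password age (days)'
           Current = $maxAgeDays
           Ok = ($maxAgeDays -le $Required.MaxPasswordAgeDays) }
        @{ Name = 'Store passwords using reversible encryption'
           Current = $p.ReversibleEncryptionEnabled
           Ok = (-not $p.ReversibleEncryptionEnabled) }   # should always be off
    )

    # One result object per setting so the output can be filtered or exported.
    foreach ($c in $checks) {
        $status = if ($c.Ok) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Setting = $c.Name; Current = $c.Current; Status = $status }
    }
}

Test-DomainPasswordPolicy -Required $Required | Format-Table -AutoSize
```

On a standalone machine without a domain, `net accounts` prints the equivalent local security policy values for the same comparison by hand.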

The problem is that many Windows shops have yet to define a reasonable password policy. A clear, concise and management-approved policy is essential, yet often ignored because of the political backlash it can cause. Management just doesn't want to deal with it.

Even if you have defined a password policy, you should know that a document in and of itself is not enough. Make sure you have a well-formatted policy that your users know and understand. Also don't overlook all the other passwords that can be exposed in your environment. The password for a non-Windows system can often lead to subsequent exposure, so be sure to educate your users on the value of having different passwords for different systems.

At the end of the day, the password decryption capabilities of tools such as Ophcrack and Elcomsoft's Proactive System Password Recovery can render Windows passwords useless. But that's not the point. One still shouldn't be able to use a good vulnerability scanner such as QualysGuard or Acunetix Web Vulnerability Scanner to crack Windows passwords. If a security consultant or auditor can do it, then a malicious insider or external attacker can do it as well. It's just a matter of time.

Access controls such as passwords are one of the most fundamental aspects of computer and network security, yet today in 2009 we still can't seem to get our arms around it. Politics and lack of management buy-in aside, there's probably no reasonable excuse for having Windows password weaknesses. Make the decision to fix this problem in your business, say, by the end of 2010. Even with all the fancy firewalls, data leak prevention, and malware protection technologies at your disposal, I'm confident that fixing weak passwords across your enterprise - once and for all - will do more to enhance security than all of them combined.


Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


All Rights Reserved, Copyright 2004 - 2009, TechTarget | Read our Privacy Policy