
Strengthen your Active Directory password policy settings

Weak passwords can create vulnerabilities in your enterprise's security. Creating strong password standards and policies can help protect against threats.

One of the most common questions I get is: How can I enforce strong passwords for my users who don't seem to care about security? Weak passwords are no doubt one of the greatest vulnerabilities that threats far and wide seek to capitalize on for ill-gotten gains. Unfortunately, management and other employees often dictate password strategies, and that's how many people get into trouble.

Looking at some of the longstanding password Group Policy Objects in Active Directory, many people have them wrong. They believe that the more stringent the better, but that's not always the case. For example, it's not uncommon to see Active Directory policies such as the following:

  • Enforce password history: 730 days
  • Maximum password age: 30 days
  • Minimum password length: 10 characters
  • Password must meet complexity requirements: Enabled
  • Account lockout threshold: 3 attempts

For those of us who have worked in IT for years, it's not a huge deal to change -- and remember -- complex passwords every month. After all, we (usually) know how to create unbreakable passwords and we'll often use password managers to keep up with all of them. Putting ourselves in typical users' shoes, such policies are all but absurd. The underlying problem is that it's easy for us to leave users hanging, assuming they'll know what to do. Or, they can just deal with it because, after all, it's in the name of security.

Many users I speak with haven't had a second's worth of training on how to create complex passphrases. No one has shown them examples of passphrases that are super easy to remember yet shouldn't require changing more than once every 6-12 months (e.g., Great_year2015!). Active Directory password policy settings and training are often an afterthought because, as many believe, there has to be more to security than just the basics. I've long believed that's not true, and more and more research is supporting that theory.

As you work to make your enterprise passwords more resilient, be careful not to get caught up focusing only on your domain passwords. There are other crucial systems in your Windows environment that deserve -- and often don't have -- strong password policies such as:

  • Local Windows accounts that may be exempt from the domain password policy (a common oversight).
  • SQL Server databases running with standard (non-domain) authentication.
  • Virtual machines, including development, QA and staging systems that aren't connected to the enterprise domain but still house production data and are accessible internally nonetheless.
  • Websites and applications -- both internal and external.
  • Firewalls, routers and related network infrastructure systems.

In the end, password standards and policies should be just that -- standards and policies that apply across the board. Windows Server or not, all it takes is one compromised password in your network to create trouble. Spend the coming year nailing down your passwords. First, determine where your risks are. You might already know where you're weak without having to perform a formal assessment or audit. If not, you can use general vulnerability scanners such as Nexpose and LanGuard. Microsoft's free MBSA tool (currently in version 2.3, which happens to support Windows Server 2012 R2) is a decent alternative if you just want to look at your Windows systems. There are also password cracking-specific tools such as those offered by Elcomsoft and L0phtcrack that can uncover -- and demonstrate at a much deeper level -- where your weaknesses are.

Once you determine where things stand with your passwords, it's time to fine-tune your standards and flesh out your policies so that they properly reflect what you're trying to accomplish. Finally, use Active Directory -- or perhaps a third-party password/Active Directory audit tool such as those offered by Avatier, ManageEngine and Netwrix -- to enforce your passwords. Remember, after your password standards and policies are developed, if you start creating exceptions for certain groups of people and systems across the enterprise, that's when trouble can creep in.
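As an added example (not the article's own code), the PowerShell audit below reads the default domain password policy and every fine-grained password policy (PSO) and flags the settings the article singles out: the 180-day and 3-attempt thresholds are assumptions drawn from its 6-12 month passphrase guidance and its "too stringent" sample policy, not Microsoft defaults.

```powershell
# Added example: audit domain password settings against the article's points.
# Requires the ActiveDirectory module (RSAT) and read access to domain policy.
Import-Module ActiveDirectory

# Assumed review thresholds (not Microsoft defaults): the article suggests
# passphrases that last 6-12 months and calls a 30-day rotation with a
# 3-attempt lockout overly stringent.
$MinAcceptableMaxAgeDays   = 180
$AggressiveLockoutThreshold = 3

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Scope)
    $findings = @()
    # MaxPasswordAge of 0 (or the "never" sentinel) means passwords do not expire.
    $maxAge = if ($Policy.MaxPasswordAge) { $Policy.MaxPasswordAge.TotalDays } else { 0 }
    if ($maxAge -le 0) {
        $findings += "passwords never expire (confirm compensating controls exist)"
    } elseif ($maxAge -lt $MinAcceptableMaxAgeDays) {
        $findings += "max age $maxAge days forces rotation more often than every $MinAcceptableMaxAgeDays days"
    }
    if ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $AggressiveLockoutThreshold) {
        $findings += "lockout after $($Policy.LockoutThreshold) attempts invites self-inflicted lockouts"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += "complexity requirements disabled" }
    if ($Policy.MinPasswordLength -lt 10) {
        $findings += "min length $($Policy.MinPasswordLength) is below the article's 10-character example"
    }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "reversible encryption enabled" }
    [pscustomobject]@{ Scope = $Scope; Findings = $findings }
}

# 1. Default domain policy: what most users actually get.
$default = Get-ADDefaultDomainPasswordPolicy
Test-PasswordPolicy -Policy $default -Scope 'Default Domain Policy'

# 2. Fine-grained password policies are the "exceptions for certain groups"
#    the article warns about: list each one, who it applies to, and its findings.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
                 Select-Object -ExpandProperty Name) -join ', '
    Write-Host "PSO '$($pso.Name)' (precedence $($pso.Precedence)) applies to: $subjects"
    Test-PasswordPolicy -Policy $pso -Scope "PSO $($pso.Name)"
}
```

Local accounts on member servers are not covered by either query; the article's point about machines exempt from the domain policy still has to be checked host by host.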

This was last published in February 2015

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

I think you hit on a key point when talking about the overly stringent group policies in Active Directory, and how most users have received little or no training on generating complex passwords. The more stringent group policies such as maximum password age and password history become, the more likely people not trained in generating complex passwords are to come up with easily cracked systems for generating new, increasingly weak passwords that are easier to remember. In these cases, it may be better for security to relax AD group policies and provide a little training to the user base on generating complex, secure passwords.
Security training should be part of the induction in an organization, with a video covering it and the promise of a password audit at any moment.
