Windows Active Directory Password Policy

Bionic

Our functional domain level is 2008. We have been implementing the password policy below for many years. Recently we have been required to participate in an annual security assessment. The assessment always fails on our password policy and classifies it as high risk based on customers using incremental passwords, e.g. January1, January2, every time it expires. I don't find a way within Windows, including 2016, to restrict this. Our current policy is:

Enforce: 24
Minimum Age: 0 days
Maximum Age: 42 days
Complexity: Enabled
Reversible encryption: Disabled

I would also like to implement a policy that restricts easy-to-guess passwords, especially "password123".

Do I need to use 3rd party tools to achieve this?

Thanks
 
Your policy is not your problem. As much as anyone tries to make it an IT problem, there is no algorithm that is going to be able to counter human ingenuity when it comes to creating lazy passwords.

Firstly, you don't state your minimum password size... I would encourage you to consider 14 right now for user passwords.
As the password length increases, people may resort to increasingly ingenious ways to make lazy passwords. Instead, run an education campaign on how to create hard to guess, easy to remember passwords.

XKCD explains it best: https://xkcd.com/936/

Personally, for my own passwords I take 2 randomly generated words of 4-8 characters in length, which usually gets me to 12 characters and then add 4-6 numbers and symbols in a way that allows me to remember the combination.

From an IT standpoint though, consider protecting admin accounts, VPN and Email through MFA.

From an AD database theft POV, consider salting the database.
 
Hi Bionic,

I will DM someone you can speak to regarding the password issue you are having. In short, you will need a third-party solution that sits in between the password creation process and the NTDS.DIT database on each of your ADs. You will then need to have a list of banned words such as months, company name, company product, first name and last name. If you really want to be more strict you can also ban keyboard walking, e.g. qwerty and qazxsw.
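As an added illustration (not code from this thread, and not any vendor's product), here is the kind of logic such a filter performs: a banned-word list with months, company and product names and the user's own name, undoing common leet substitutions so P@ssw0rd still matches "password", keyboard walks in both directions, and the January1 -> January2 increment the OP's assessment complained about. In AD the enforcement point is a password filter DLL registered under LSA's Notification Packages on every domain controller, which receives the new cleartext password before it reaches NTDS.DIT; Microsoft's own Azure AD Password Protection takes the same DC-agent approach. The Python below only shows the checks, not the DLL. The banned list, the account j.smith / "John Smith" and the previous password are constructed inputs for the example.

```python
"""Password-filter style checks for a candidate AD password (example logic only).

Pure logic, not a Windows password filter DLL: banned dictionary words (months,
company names, the user's own identifiers), leet undo, keyboard walks, and
"incremental" reuse of the previous password.
"""
import re
import unicodedata

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Keyboard rows plus the vertical runs people "walk" (1qaz, 2wsx, ...), US layout.
KEYBOARD_SEQUENCES = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                      "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
                      "8ik,", "9ol.", "0p;/")

# Substitutions to undo before dictionary matching, so P@ssw0rd still matches "password".
LEET = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"}

# Constructed banned list for the example; a real one holds company and product names.
BANNED = ("password", "welcome", "letmein", "contoso")


def normalize(text):
    """Lowercase, drop accents, undo leet: 'P@ssw0rd' -> 'password'."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    return "".join(LEET.get(ch, ch) for ch in ascii_text)


def keyboard_walks(length=4):
    """Every forward and reverse run of `length` adjacent keys along a row or column."""
    walks = set()
    for seq in KEYBOARD_SEQUENCES:
        for start in range(len(seq) - length + 1):
            run = seq[start:start + length]
            walks.add(run)
            walks.add(run[::-1])
    return frozenset(walks)


WALKS = keyboard_walks()


def stem(password):
    """Strip leading/trailing digits and symbols: January1, January 2, January3! all stem to 'january'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def check_password(new, previous=None, account=None, display_name=None,
                   banned=BANNED, min_length=14):
    """Return a list of failure codes; an empty list means the password is acceptable."""
    reasons = []
    if len(new) < min_length:
        reasons.append("too_short")

    # Dictionary check: banned list, month names, and the user's own identifiers.
    words = list(MONTHS) + list(banned)
    if account:
        words += re.split(r"[.\-_ ]+", account)
    if display_name:
        words += display_name.split()
    text = normalize(new)
    hits = sorted({normalize(w) for w in words if len(w) >= 3 and normalize(w) in text})
    reasons += [f"banned_word:{w}" for w in hits]

    # Keyboard walks are matched on the raw lowercased password (leet undo would hide "1qaz").
    low = new.lower()
    walks = [w for w in WALKS if w in low]
    if walks:
        walks.sort(key=lambda w: (low.index(w), w))  # report the earliest run
        reasons.append(f"keyboard_walk:{walks[0]}")

    # Incremental reuse: same stem as the previous password, only the suffix/prefix changed.
    if previous is not None and stem(previous) and stem(previous) == stem(new):
        reasons.append("incremental")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate in ("January2", "P@ssw0rd123!", "Qwerty!2019Spring", "correct-horse-battery-staple7"):
        verdict = check_password(candidate, previous="January1",
                                 account="j.smith", display_name="John Smith")
        print(f"{candidate!r:35} -> {verdict or 'OK'}")
```

One caveat a practitioner should know before building or buying this: the stock PasswordFilter interface hands the DLL only the account name, full name and the new password, not the old one, so the incremental check above assumes the caller can supply the previous password or a stored stem of it; a real filter has to keep that state itself.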
 
Of which each and every one can be bypassed with some ingenuity. As an admin, you're going to be constantly playing catch up with increasingly ingenious bypass procedures.
Stop fighting your users. Educate your users and get them to use their ingenuity FOR you. Win-win.
 
I first and always advocate for user training, but admins also need to have controls in place either way.
 
Yes, Salting password databases, Privileged Access Management, Multifactor authentication and machine learning user behavior analysis.
 
Hi. Password minimum size is 8 characters. I like your thoughts on the extra characters making it more difficult, so we will be considering increasing this. We have 365, and MFA is introduced for all our admins; the next phase will be to have it implemented for all users. We suffered from a few phishing attacks that compromised certain accounts. Thanks
 
I fully agree that we should empower our users; however, it's easier said than done. Nonetheless, we are already doing campaigns on mail vulnerabilities, phishing and spam. Thanks
 