Fine grained password management policies and active directory
It’s very easy to shout polarised views out there, especially when it comes to people giving out advice on password good practises! We’ve seen all manner of craziness again in the last few weeks on the internet about people claiming password managers aren’t safe and can’t be trusted and that the world is flat! Well I’m not going to get in a place to take a photo of the horizon because we have satellites in space, so I don’t need to! However, I digress! Password management is the topic here, so let’s try and see why one ring to rule the all doesn’t work here!
Good practice password guidance
We can turn to all manner of sources on this, I’m from the UK so I’m going to go with NCSC!
Some key points from NCSC are as follows:
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication of suspicion of compromise.
- Allow users to reset password easily, quickly and cheaply.
- Put technical defences in place so that simpler passwords can be used.
- Steer users away from predictable passwords – and ban the most common.
- Encourage users to never re-use passwords between work and home.
- Train staff to help them avoid creating passwords that are easy to guess.
- Be aware of the limitations of password strength meters.
- Blacklist the most common password choices
- Monitor failed login attempts… train users to report suspicious activity
- Prioritise administrator and remote user accounts
- Don’t store passwords in plain text format.
- Use account lockout, throttling or monitoring to help prevent brute force attacks
(There’s loads more, and they have made a great infographic – https://www.ncsc.gov.uk/file/1472/download?token=XKMKqHJX)
I can’t cover all of these at once, however I’m going to show how you can use Active Directory Domain Services and Group Policy Objects to start you on your journey here!
Fine-Grained Password Group Policy
Fine grained password policies allow us to configure different password length, history, complexity and account lockout configurations for different sets of users in an active directory domain! Awesome right… so we can carve our user account base into different roles and apply different control configurations! Why do this? Well think about the difference between a standard user account and domain administrators. For a standard user account, we want to help people be productive whilst being secure. The level of access the have should be limited and they need to be able to authenticate sensibly so that they aren’t forced into creating weak passwords (complexity requirements and forcing frequent changes are part of the cause for this!) or writing them down and leaving them on post-it notes!
- We can only define a fine-grained policy can only be assigned to global security groups or user objects
- The domain functional level must be 2008 or higher
- We must be a domain admin to configure this (or configure delegation first)
By default, password policies are set on a domain in the “Default domain policy” and by default they aren’t that strong (change them god dammit!). Let’s jump into the lab and take a look!
Ok so by default on Windows Server 2016 the password policy says 7 characters and complex and can’t be the same as 24 historical passwords and must be changed every 42 days! So, let’s try….
Pa55w0rd! (can you see where I’m going with this?)
Right that’s 9 characters and complex! 😉 but it’s crap and I’d crack that in no time and look, no account lockout is configured! So I can even target an online resource if no one is monitoring the logs… (PRO TIP: reconfigure this and monitor logs 😉 )
So, first things first let’s fix up our domain so it’s in line with some of the good guidance with NCSC.
Fire up Group Policy Management Console (GPMC) and head over to the default domain policy, right click and click EDIT
Now we navigate to Computer Configuration, Policies, Windows Settings, Security Settings. The first thing I’m going to do is change the lockout policy!
I’m going to set this value to 5 attempts, small enough to likely stop a brute force attack but long enough to allow for people like me who make typos (I literally made a typo whilst I wrote that!)
When we click apply we get a recommendation to change the account lockout reset policy and account lockout duration!
I’m going to take that one! 30 minutes is a good balance in my opinion, so it should relieve pressure on the service desk and SOC without causing a huge negative business impact (all things in life are a balance, security is no exception!)
We are now better protected against BRUTE force attacks. Now let’s see what we can do against protecting against credential stuffing and weak passwords:
Navigating to Account Policies, Password Policy we can see the above isn’t awful but it isn’t great (in my opinion). Whilst some standards (and people) will disagree I’d rather see long passwords than force short and complex (looking at you PCI!) so I’m going to configure the following:
So now we have a password policy which I believe will help promote pass phrases without encouraging weak password mods. But hang on a minute, I’m not so sure I’m happy with my domain administrator accounts being like this, we don’t want someone pwning and endpoint that might have cached credentials on it!
Let’s create a new domain admin password policy!
Launch AD Admin Centre
Click on the Tree view on the left-hand menu the navigate to the domain\SYSTEM container:
Expand this and Select Password Settings Container
Right click and click NEW PASSWORD SETTINGS
Now we can configure the policy we desire, for this demo I’ve assigned this policy to the global group “Domain Super Users” which I created in the lab.
And with that we now have a specific password policy for our domain admin users!
Now that’s all I’ve got time for today, but we’ve got loads more to cover in the future including:
- Security Monitoring
- Multi-factor authentication
- Hardware Tokens
- Password Managers
- Password Audits
- Just in time access
We’ll look at these in future blog posts!
With this example we have shown that there can be balance in the force, we can assign different level of controls in line with our levels of access. We can make people’s life’s simpler and safer! Now this isn’t a silver bullet, we’ve only started on our access and identify management journey. But going from the default policy to this is another step along the journey to great business technology enablement!