How to create and manage an Active Directory Password Policy
Active Directory is the central authentication service in most organizations. By mirroring the organizational structure, Active Directory simplifies how administrators manage users, as well as how they authenticate to the network. In most cases, user authentication requires passwords. While passwords are inherently weak, they are not going away anytime soon. The Active Directory password policy is vital to protecting the network from unauthorized access.
An Active Directory password policy is a set of rules that define what passwords are allowed in an organization, and how long they are valid. The policy is enforced for all users as part of the Default Domain Policy Group Policy object, or by applying a fine-grained password policy (FGPP) to security groups.
Active Directory passwords with FGPP settings can be configured from the Active Directory Administrative Center. The settings provide the same basic options as the password policy in the Default Domain Policy, including password length, age, and complexity requirements. Unfortunately, these passwords are easy to crack thanks to the popularity of password guessing tools and rainbow tables. Additional password settings can be added using third-party password policy tools.
Your information security program is only as good as your weakest password.
How to stay secure
Your information security program, is only as good as your weakest password. If an audit has revealed poor password practices, applying the standard password policy best practices won’t make weak passwords go away. One size does not fit all, so you will have to dig deeper to identify your unique security requirements. The key here is finding a balance between security and usability.
A well-thought-out password policy must consider what is actually taking place in the network. A password audit can help identify the password security risks relevant to your network. You can do this internally, or through an ethical hacking company. If you decide to go the DIY route, there are many free online tools at your disposal. These tools typically allow you to check the NTHash of passwords, stored in Active Directory, against the same password lists available to hackers. For more information on how to audit Active Directory passwords, see the best practice tips on how to audit network passwords.
Once you’ve uncovered the risks, you will be ready to create your own password policy best practices. Each risk you identify will require a specific consideration for prevention.
If passwords are predictable, your policy should block common passwords that are susceptible to attacks. If users are only modifying the last character of their existing password during each password change, your policy should require a minimum number of changed characters. If users are creating passwords they can’t remember, consequently driving calls to the helpdesk, your policy should enforce passphrases which are easier to remember. Unfortunately, FGPP lacks many of these core security capabilities.
With the right tools in place, you can create a policy that reduces the risk of passwords. The policy should suit the different roles in your organization. The people who don’t have access to business-critical data normally do not need to protect their account the same way as someone in the legal, finance, or IT departments. Speak to the business, and come up with a policy that meets their needs, and the security requirements you need. For more helpful guidance, see tips for password policy best practices.
Multiple policies within the same domain
Security gurus will tell you that weak passwords for any account, especially those with access to sensitive data or administrative privileges, could lead to data exposure or a complete takeover of all computers on the network. Standard users and high-security users should not be bound by the same password settings. The motivation goes beyond security when you consider the enforcement of periodic password changes. While it may be necessary for administrators, it can hinder usability for low-privileged users. The goal is to simplify the approach to password security so ordinary users can do a better job at creating passwords, and administrators can provide better protection to high-risk accounts.
For the first 8 years of Active Directory, the only native way of having multiple password policies in your AD forest, was to have multiple domains. Beginning with Windows Server 2008, Microsoft introduced their FGPP feature, which allowed different policies within the same domain. For more information about the functionality, see the fine-grained password policy blog.
Password policy standards
Compliance standards cannot anticipate every organization’s unique needs. In fact, password security requirements from varying compliance bodies include conflicting advice around password expiration, length, and complexity. Luckily, there is one recommendation they have in common: simplify passwords for users, and place the burden on the authentication system.
For far too long, users have been blamed for poor passwords while the traditional password policies that encourage their poor choices have been ignored. Traditional policies are the classic complexity rules: minimum length, case requirements, and numeric/special characters. A new approach requires IT to rethink existing policies alongside a user-friendly authentication system that encourages passphrases and multi-factor authentication, while placing a ban on common passwords. Of course, users also have a long way to go, and IT has the difficult task of educating them on the importance of password security. Password policy changes are most effective alongside training. End-users need to understand the why, so they can make better password choices.
For more information about password policy compliance requirements, including the recommendations from the National Institute of Standards and Technology (NIST), see our NIST Password Standards blog. Unfortunately many of the recommendations from compliance standards cannot be fulfilled with fine-grained password policy.
Are you looking for a third-party password policy solution to increase security? You can enhance password policy security, without sacrificing true Active Directory integration. Specops Password Policy works by extending the functionality of Group Policy with advanced settings beyond traditional policies that can be achieved with fine-grained password policies. The Specops Password Policy administration tools integrate with the native Group Policy Management Console (GPMC) allowing administrators to effectively manage password policies across their organization using familiar tools and procedures.