Secure Your Windows Enterprise with Strong Password Management
Specops Software presents
By Derek Melber, MCSE, MVP
WHITE PAPER
Contents
Secure Your Windows Enterprise with Strong Password Management (page 3)
Windows Default Password Requirements (page 3)
Windows Server 2008 Fine-Grained Password Policies (page 3)
Strong and Secure Password: Defined (page 4)
Enforcing Strong and Secure Passwords (page 5)
Users Control Their Password (page 6)
About the author (page 6)
Secure Your Windows Enterprise with Strong Password
Management
Security gurus will tell you that weak passwords pose the highest security risk to a computer and the
network. A weak or non-existent password for any user account, specifically a user account that has
administrative privileges, can lead to data exposure, destruction of data, or a complete takeover of all
computers on the network. Creating and enforcing a strong password management environment is
essential for every computing environment, especially your Windows Active Directory environment.
If a strict password policy is not considered and deployed, the foundation of the computing security is
in jeopardy. There are misconceptions about what a strong password policy should entail. With
configurations around complexity, length, character types, password age, and password reset, it is no
wonder that a strong password policy definition is hard to identify. With years of research and analysis,
a strong password policy is now easy to define, and with the proper tools in place for your Active
Directory environment, it is also easy to implement and enforce.
Windows Default Password Requirements
Starting with a Windows Server 2003 Active Directory domain, Microsoft forces user account
passwords to contain at least some characters and not be blank. Windows passwords must meet a
baseline of password security settings before they can be established or reset. There are 5 essential
password settings that can be set, all of which are pre-configured for the latest Windows
environments:

Password Setting          Default Configuration
Minimum password length   7 characters
Password complexity       Enabled
Minimum password age      1 day
Maximum password age      42 days
Password history          24 passwords

For Windows Server 2000 and 2003 Active Directory domains, there can only be one password policy
for all user accounts in the domain. This limitation means that standard users and administrators will
be bound by the same password settings, even if one set of users should have a more stringent
password policy.
Windows Server 2008 Fine-Grained Password Policies
If you have an Active Directory domain that only contains Windows Server 2008 domain controllers,
you have the capability of configuring multiple password policies in the same domain. This capability
is not implemented through Group Policy, as it has been in the past; rather, it is implemented by
adding new Active Directory objects via ADSIEdit. The same password policy setting options are
available, but now IT administrators can have a password policy that is stricter than the password
policy that controls standard users.
The configuration of fine-grained password policies is done using ADSIEdit or some other
Windows LDAP-compliant tool. This requires knowledge of Active Directory objects, types, and
input format. Figure 1 illustrates one of the entries that is required for the configuration of a
fine-grained password policy using ADSIEdit.
Figure 1. Fine-grained password policies for Windows Server 2008 are configured using ADSIEdit by default.
Specops Password Policy Basic takes the complexity out of configuring fine-grained password
policies by offering a GUI to make all of your configurations, as illustrated in Figure 2.
Figure 2. Specops Password Policy Basic configures fine-grained password policies for Windows Server 2008.
Strong and Secure Password: Defined
With the research and analysis that has been done over the years with regard to passwords, the
outcome is that passwords can be protected with the right policies in place. The policies must enforce
that passwords meet certain criteria, to protect against hackers and their tools. Strong and secure
passwords should meet the following criteria:
- Not be in any dictionary list
- Be well over 15 characters; 20 is a good length
- Require all four types of characters in the password
- Not include the user account name or logon name
- Be in the form of a pass phrase, such as “I wish I owned a Porsche 930 Turbo!”
- Don’t allow incremental passwords
- Change passwords often
Enforcing Strong and Secure Passwords
The Microsoft Password Policy and fine-grained password policy solutions provide only a few of the
requirements to enforce strong and secure passwords, far from controlling all of them. More and
more companies and government agencies are developing password policies that cannot be controlled
by the Microsoft solutions. There are some published government and educational password mandates
that cannot be met with the Microsoft password policy solutions, such as:
http://www.nersc.gov/nusers/accounts/password.php#doerules
There are many companies, educational institutes, and government agencies that are requiring
password mandates that can’t be met with standard Microsoft solutions, such as:
- Berkeley
- CalState Pomona
- Cornell
Custom password filters can be developed and placed within the Active Directory environment to
bridge the gap, but these are costly and require advanced knowledge of the authentication protocols,
Active Directory architecture, and C++ or other programming languages. Then, once developed, they
need to be implemented, managed, and supported. The most efficient and effective enforcement of
strong and secure password policies can be accomplished by Specops Password Policy,
which provides the following basic features of a strong and secure password:
- Configure different password policies in the same Active Directory domain (i.e. IT, sales, and executives each have a different password policy)
- Include a dictionary list so users can’t use these words
- Force password length greater than 15 characters
- Require all four types of characters in the password
- Require at least “a, x, y, and z” number of characters from each character type
- Not include the user account name or logon name
- Don’t allow incremental passwords
- Many more…
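As an added example (not code from the paper or from the Specops product), the following Python evaluates a candidate password against the criteria listed under "Strong and Secure Password: Defined" and the per-character-class minimums ("at least a, x, y, and z characters from each type") from the feature list above: a length floor, a minimum count per character class, no account or logon name, a dictionary check on the alphabetic stem, and detection of incremental changes relative to the previous password. The word list and the account names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample word list; a real deployment loads the organisation's dictionary file.
DICTIONARY = frozenset({"password", "welcome", "summer", "winter", "company"})
CLASS_PATTERNS = {"upper": r"[A-Z]", "lower": r"[a-z]",
                  "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


@dataclass
class PasswordPolicy:
    """Length floor plus the minimum count required from each character class ('a, x, y, z')."""
    min_length: int = 15
    min_per_class: dict = field(default_factory=lambda: {c: 1 for c in CLASS_PATTERNS})
    dictionary: frozenset = DICTIONARY


def is_incremental(new: str, old: str) -> bool:
    """Detect 'bump the number' or 'append a character' edits, e.g. Winter2023! -> Winter2024!"""
    n, o = new.lower(), old.lower()
    digits = re.compile(r"[0-9]+")
    return digits.sub("", n) == digits.sub("", o) or n.startswith(o) or o.startswith(n)


def check_password(password: str, account_name: str, logon_name: str,
                   previous: Optional[str] = None,
                   policy: Optional[PasswordPolicy] = None) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    policy = policy or PasswordPolicy()
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    for cls, minimum in policy.min_per_class.items():
        count = len(re.findall(CLASS_PATTERNS[cls], password))
        if count < minimum:
            violations.append(f"needs at least {minimum} {cls} character(s), has {count}")
    lowered = password.lower()
    # Neither the account name nor the logon name may appear anywhere in the password.
    for name in dict.fromkeys((account_name, logon_name)):
        if name and name.lower() in lowered:
            violations.append(f"contains the account or logon name '{name}'")
    # Dictionary check on the alphabetic stem, so 'Password2024!' is caught as 'password'.
    stem = re.sub(r"[^a-z]", "", lowered)
    if stem in policy.dictionary:
        violations.append(f"stem '{stem}' is in the dictionary list")
    if previous and is_incremental(password, previous):
        violations.append("is an incremental change of the previous password")
    return violations
```

The paper's own pass phrase example passes every check, while a short dictionary-based password such as "Password1!" fails on both length and the dictionary list.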
Users Control Their Password
A long-standing issue with user account passwords is when they need to be reset. Often, a user account
will get locked out, its password will expire, or it will require attention from the IT or Help Desk staff.
Resetting passwords for users can be time consuming and costly for both the IT staff and the end user. To
complicate matters, the password that is established for the user must be communicated securely, then
immediately changed by the user so the IT staff member does not know the password. These issues can
be and are solved by innovative technology like Specops Password Reset. Password Reset is configured
using Group Policy and provides the end user with a Web-based interface to control the resetting of
their password. The ability to reset the password is secured by the end user enrolling in the service by
answering unique and private questions, then communicating with an encrypted interface to answer
the questions and reset the password. Password Reset will reduce the administrative overhead that
comes with IT staff routinely helping end users reset their passwords, and it will increase the security of
data by eliminating the IT and Help Desk staff from ever knowing the end user's password.
About the author:
Derek Melber is President of BrainCore.Net, where he does authoring, speaking, and consulting for some of the
largest companies in the world. Derek is author of the Microsoft Press “Group Policy Resource Kit” and one of
only 8 Group Policy MVPs in the world. Derek evangelizes and educates on Microsoft Windows Active Directory,
Group Policy, security, and desktop management. You can reach Derek at [email protected].