Password security: Using Active Directory password policy
Passwords are used everywhere. In this episode of Cyber Work Applied, Infosec Skills author Mike Meyers explains how to implement password security policies that can help keep your organization secure.
How to implement password security policies
What qualities should a secure password policy have? Learn how to implement and enforce a secure password policy in this episode of Cyber Work Applied.
Want to train your employees on password best practices? Download our free password security training toolkit. Want more free materials? Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Password policy demo and walkthrough
Below is the edited transcript of Mike’s password policy demo and walkthrough.
Password security
(0:00-1:06) Let's face it, passwords are everywhere, and in this episode, I want to talk about password security.
I'm not going to get into a big discussion over what are good passwords. You should know that stuff by now. Although, personally, I'm going to put in my own opinion.
As opposed to all this talk about upper and lower case, numbers, exclamation points and all that stuff, I am of the new, cool ilk that likes to type in very, very long passwords. Long sentences make it easier for me to memorize passwords and it makes them harder to crack (see demo: how to crack passwords). But that's not what we're covering today.
Today, we are covering the issue of password security. Now, passwords are all over the place. Not only are we logging into our operating systems, but we also log into servers over the internet. We could be doing all kinds of little things — I've got an SSH server that I need to log into — whatever it might be, the complexity and the mess of passwords makes it very, very hard to keep them secure.
Good password security policy
(1:07-1:26) We will establish a good security policy. A nice written security policy on passwords that tell people what we expect them to do. And we're going to give them good training so that they can keep this in mind whenever they're dealing with passwords.
At an absolute minimum, there are three things I want people to be thinking about when we're talking about our password policies.
Password complexity, expiration and history
(1:27-2:25) Number one is complexity. What do we want people to do regarding the complexity of that password? And that includes password length.
Number two is expiration or age. How often do I want to make people punch in a new password? Does it last 90 days or 30 days? Does it last forever?
And then number three is password history. That pretty much goes with expiration and age. In that case what we're talking about is if I'm making people change passwords every so often, how many passwords do I remember so that the user can't just keep swapping back and forth between, say, two different passwords?
Even with good policies and all that, it can still be a big challenge. In particular, how do I enforce that? How do I make my users throughout my infrastructure do the right thing regarding passwords? Luckily for us, there are a few places where we can do that. And probably one of the best examples is Windows Local Security Policy.
How to use Windows Local Security Policy
(2:26-4:29) I'm going to be doing this within Windows. Pretty much every operating system has some policy feature like this. So, just because I'm doing this in Windows, don't think you can't do this in a Linux Unix environment, a Mac or whatever else you might want to do. Let's go ahead and get started and let's take a look at our Local Security Policy.
Here is the famous Local Security Policy that's been with Windows for, well, a long time. We can do a lot of stuff in here other than just work with passwords, but I want to concentrate on that for right now.
When we go underneath account policies, you'll see it says “password policy.” So, first of all, it'll have a maximum password age. I'm going to set this to change my password every 180 days. The minimum password age on this is zero days, which means I could change my password every day if I wanted to.
Next is going to be the minimum password length. It's going to say, well, we have to have at least seven characters.
The password must meet complexity requirements. Now, these are defined by Windows, which means upper/lower case, numeric, special characters, and that type of thing.
Up at the top, here, means to enforce password history. So, if we have a maximum password age, which means people are going to have to change their password, it's going to remember the last 24 passwords. In my opinion, this is probably the best possible way you could ever think of to have all your users constantly calling your administrators because they can't remember passwords. However, being that as it may, make sure you understand how these work.
The last one is “store passwords using reversible encryption.” You can, if you want to, store passwords in such a way that they could be cracked more easily, and that's all that means. It is not an option that I'm aware anybody wants to use, but it is there.
Now, let's move down here to account lockout policy. We've all logged into Windows, and you forget your password. Then it kind of stalls for a minute. That's not what I'm talking about here. In this case, we're talking about a real lockout.
What should you learn next?
Account Lockout Policy
(4:30-5:44) If we look at how this one's currently set up, it says account lockout threshold, which is five invalid attempts.
After five attempts, if you mess up, you have an account lockout duration of 30 minutes. So get it right, or you will sit around for 30 minutes. Again, this is a really good way to have people constantly calling your administrators. Thirty minutes seems like an awfully long time for me personally.
The last option here is "reset account lockout counter after." Now, that one's a little bit complex. So we've got five strikes, and you're out. You log in once, and you got it wrong. You log in twice, and you got it wrong. Now, you're going to stop because you're trying to figure out your password, so you start to check something or call somebody. This option says how long do we wait before we reset your attempts back to zero? This particular one is set to 30 minutes — a little bit long — but at least we understand what all these different terms mean.
So, the cool part about Local Security Policies is that they allow us to give tight control on anybody who does anything on this system. And, again, pretty much every operating system has a feature set similar to this.
How to use Group Policy Objects for passwords
(5:45-8:28) The downside is — what if I'm in control of a whole bunch of computers? Isn't there some magic way that I can go ahead and say all of your computers must meet these requirements and do this type of stuff? There most certainly is something like that. In particular, if you're using a Windows Active Directory, it's called Group Policy Objects.
To see Group Policy objects working, I've got a copy of Windows Server 2016 that I pulled down from Microsoft. Let's go from our server manager, and if you could scroll through here, you can see a little tool called group policy management.
Now, group policy management is pretty much identical to what you saw with your Local Security Policies on individual systems, with one big difference.
With Group Policy Objects, we can apply them to entire domains if we want to. We can apply them to different sites. We can apply them to groups. We can make our own organizational units.
If I want to make something like all the accountants in Dallas who use laser printers, I can apply Group Policy Objects to even stuff like that. So the real power of this is that I can apply it in a very granular way. Now, keep in mind you've got to have a copy of Windows Server to pull this off, and you have to have an active directory. If you've got all that, let me show you some of the fun we can do.
Right now, I've got this fun little domain called totaltest.local. If we look under my domain, you'll see here's totatest.local. Now, I have a default domain policy that's put in there by Windows during the installation process.
What I'm going to do is click on edit, and I can edit the policies for anybody who logs into the domain. Then I go under Window settings, and you'll see security settings right here. When you look at this, hopefully, you'll see something familiar — account policies, does that look familiar, password policy, account lockout policy? Let's open that up.
We'll click on “password policy.” Enforce password history, maximum password age, minimum age, and everything we saw before in a Local Security Policy is there. Under lockout policy, we have duration, threshold and the reset account lockout counter after.
So, your Group Policy Objects are pretty much identical to what we saw with our local security policy, with one big difference. It can work across an entire active directory. Keep in mind you have to have Windows Server. You must be running Active Directory to take advantage of Group Policy Objects, but it works great.
What should you learn next?
More cybersecurity training resources
Want more free cybersecurity resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free training resources. Check out the latest free cybersecurity courses and resources to keep learning!
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Password security: Using Active Directory password policy
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
- Top 8 Microsoft Teams security issues
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security