Password security: Using Active Directory password policy
Passwords are used everywhere. In this episode of Cyber Work Applied, Infosec Skills author Mike Meyers explains how to implement password security policies that can help keep your organization secure.
How to implement password security policies
What qualities should a secure password policy have? Learn how to implement and enforce a secure password policy in this episode of Cyber Work Applied.
Password security: Using Active Directory password policy | Free Cyber Work Applied series
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Password policy demo and walkthrough
Below is the edited transcript of Mike’s password policy demo and walkthrough.
(0:00-1:06) Let’s face it, passwords are everywhere, and in this episode, I want to talk about password security.
I’m not going to get into a big discussion over what are good passwords. You should know that stuff by now. Although, personally, I’m going to put in my own opinion.
As opposed to all this talk about upper and lower case, numbers, exclamation points and all that stuff, I am of the new, cool ilk that likes to type in very, very long passwords. Long sentences make it easier for me to memorize passwords and it makes them harder to crack (see demo: how to crack passwords). But that’s not what we’re covering today.
Today, we are covering the issue of password security. Now, passwords are all over the place. Not only are we logging into our operating systems, but we also log into servers over the internet. We could be doing all kinds of little things — I’ve got an SSH server that I need to log into — whatever it might be, the complexity and the mess of passwords makes it very, very hard to keep them secure.
Good password security policy
(1:07-1:26) We will establish a good security policy. A nice written security policy on passwords that tell people what we expect them to do. And we’re going to give them good training so that they can keep this in mind whenever they’re dealing with passwords.
At an absolute minimum, there are three things I want people to be thinking about when we’re talking about our password policies.
Password complexity, expiration and history
(1:27-2:25) Number one is complexity. What do we want people to do regarding the complexity of that password? And that includes password length.
Number two is expiration or age. How often do I want to make people punch in a new password? Does it last 90 days or 30 days? Does it last forever?
And then number three is password history. That pretty much goes with expiration and age. In that case what we’re talking about is if I’m making people change passwords every so often, how many passwords do I remember so that the user can’t just keep swapping back and forth between, say, two different passwords?
Even with good policies and all that, it can still be a big challenge. In particular, how do I enforce that? How do I make my users throughout my infrastructure do the right thing regarding passwords? Luckily for us, there are a few places where we can do that. And probably one of the best examples is Windows Local Security Policy.
How to use Windows Local Security Policy
(2:26-4:29) I’m going to be doing this within Windows. Pretty much every operating system has some policy feature like this. So, just because I’m doing this in Windows, don’t think you can’t do this in a Linux Unix environment, a Mac or whatever else you might want to do. Let’s go ahead and get started and let’s take a look at our Local Security Policy.
Here is the famous Local Security Policy that’s been with Windows for, well, a long time. We can do a lot of stuff in here other than just work with passwords, but I want to concentrate on that for right now.
When we go underneath account policies, you’ll see it says “password policy.” So, first of all, it’ll have a maximum password age. I’m going to set this to change my password every 180 days. The minimum password age on this is zero days, which means I could change my password every day if I wanted to.
Next is going to be the minimum password length. It’s going to say, well, we have to have at least seven characters.
The password must meet complexity requirements. Now, these are defined by Windows, which means upper/lower case, numeric, special characters, and that type of thing.
Up at the top, here, means to enforce password history. So, if we have a maximum password age, which means people are going to have to change their password, it’s going to remember the last 24 passwords. In my opinion, this is probably the best possible way you could ever think of to have all your users constantly calling your administrators because they can’t remember passwords. However, being that as it may, make sure you understand how these work.
The last one is “store passwords using reversible encryption.” You can, if you want to, store passwords in such a way that they could be cracked more easily, and that’s all that means. It is not an option that I’m aware anybody wants to use, but it is there.
Now, let’s move down here to account lockout policy. We’ve all logged into Windows, and you forget your password. Then it kind of stalls for a minute. That’s not what I’m talking about here. In this case, we’re talking about a real lockout.
Account Lockout Policy
(4:30-5:44) If we look at how this one’s currently set up, it says account lockout threshold, which is five invalid attempts.
After five attempts, if you mess up, you have an account lockout duration of 30 minutes. So get it right, or you will sit around for 30 minutes. Again, this is a really good way to have people constantly calling your administrators. Thirty minutes seems like an awfully long time for me personally.
The last option here is “reset account lockout counter after.” Now, that one’s a little bit complex. So we’ve got five strikes, and you’re out. You log in once, and you got it wrong. You log in twice, and you got it wrong. Now, you’re going to stop because you’re trying to figure out your password, so you start to check something or call somebody. This option says how long do we wait before we reset your attempts back to zero? This particular one is set to 30 minutes — a little bit long — but at least we understand what all these different terms mean.
So, the cool part about Local Security Policies is that they allow us to give tight control on anybody who does anything on this system. And, again, pretty much every operating system has a feature set similar to this.
How to use Group Policy Objects for passwords
(5:45-8:28) The downside is — what if I’m in control of a whole bunch of computers? Isn’t there some magic way that I can go ahead and say all of your computers must meet these requirements and do this type of stuff? There most certainly is something like that. In particular, if you’re using a Windows Active Directory, it’s called Group Policy Objects.
To see Group Policy objects working, I’ve got a copy of Windows Server 2016 that I pulled down from Microsoft. Let’s go from our server manager, and if you could scroll through here, you can see a little tool called group policy management.
Now, group policy management is pretty much identical to what you saw with your Local Security Policies on individual systems, with one big difference.
With Group Policy Objects, we can apply them to entire domains if we want to. We can apply them to different sites. We can apply them to groups. We can make our own organizational units.
If I want to make something like all the accountants in Dallas who use laser printers, I can apply Group Policy Objects to even stuff like that. So the real power of this is that I can apply it in a very granular way. Now, keep in mind you’ve got to have a copy of Windows Server to pull this off, and you have to have an active directory. If you’ve got all that, let me show you some of the fun we can do.
Right now, I’ve got this fun little domain called totaltest.local. If we look under my domain, you’ll see here’s totatest.local. Now, I have a default domain policy that’s put in there by Windows during the installation process.
What I’m going to do is click on edit, and I can edit the policies for anybody who logs into the domain. Then I go under Window settings, and you’ll see security settings right here. When you look at this, hopefully, you’ll see something familiar — account policies, does that look familiar, password policy, account lockout policy? Let’s open that up.
We’ll click on “password policy.” Enforce password history, maximum password age, minimum age, and everything we saw before in a Local Security Policy is there. Under lockout policy, we have duration, threshold and the reset account lockout counter after.
So, your Group Policy Objects are pretty much identical to what we saw with our local security policy, with one big difference. It can work across an entire active directory. Keep in mind you have to have Windows Server. You must be running Active Directory to take advantage of Group Policy Objects, but it works great.
More cybersecurity training resources
Want more free cybersecurity resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free training resources. Check out the latest free cybersecurity courses and resources to keep learning!