How to set up policies for Active Directory passwords

Administrators know that weak passwords pose a risk. With the right policy for Active Directory passwords, business risks can be avoided. In this second article in a three-part series, we would like to point out an appropriate course of action.

Weak passwords are a gateway for cyber criminals. Some incidents from the last few weeks show how great the risk is: after a cyber attack in July 2021, for example, the Anhalt-Bitterfeld district declared a state of disaster and its administration was practically unable to operate. In Switzerland, too, the public administration of the canton of Vaud was attacked by hackers in August 2021. In such cases the victims rarely communicate what the actual cause of the data loss was. The probability is high, however, that weak passwords were involved, because 95 percent of all cyber attacks are made possible by human error.

Handling passwords better

Administrators should therefore take a close look at how passwords are handled in order to rule out risks. In the first part of our three-part series, “Auditing Active Directory Passwords Correctly”, we described which compliance requirements companies have to meet with regard to passwords. Article 32 of the EU General Data Protection Regulation (GDPR), in force since 2018, and the IT Security Act (ITSiG) are particularly relevant. There have been several serious security incidents that can be traced back to weak passwords. With an audit, security officers can get an overview of the state of password security in their company. A suitable tool that has proven itself in practice is the Specops Password Auditor, which is available free of charge.

Clear dashboard with password-relevant vulnerabilities in Specops Password Auditor (Image source: Specops)

From the overview to action

An audit is an important first step, but the second step, taking action, should follow. We want to go into this in more detail in this article. The Federal Office for Information Security (BSI) gives advice on how to use passwords correctly and points out how important strong passwords are. The advice of the US National Institute of Standards and Technology (NIST), which was updated only recently, is similar and goes beyond that of the BSI. Specifically, NIST advises:

  • Set the maximum password length to at least 64 characters.
  • Skip character composition rules as they put an unnecessary burden on end users.
  • Allow the copy and paste function in password fields to facilitate the use of password managers.
  • Allow the use of all printable ASCII characters and all UNICODE characters (including emojis).

Formulate and enforce password guidelines

In order to implement these sensible measures in your company, you should plan password guidelines and introduce them in consultation with the works council and company management. In any case, it is important to have a dialogue with all employees. Everyone should know that weak passwords are dangerous and how important it is to protect yourself, your colleagues and the entire company with strong passwords. Training courses with playful elements (gamification) that neither overwhelm nor bore the participants have proven effective in achieving this goal.

Active Directory (AD) is configured by default with a Default Domain Password Policy. This password policy defines the password requirements for Active Directory user accounts, e.g. the minimum length of the password, its maximum age and so on.

One of the best practices for a password policy is to take into account the industry-specific and regulatory compliance requirements that apply to the company.
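As an added example that is not from the article or from Specops, the domain default described above can be inspected and adjusted with the ActiveDirectory PowerShell module; the baseline values, the PSO name and the group name 'Tier0-Admins' are assumptions.

```powershell
# Added example, not part of the article or of Specops: read the Default Domain
# Password Policy and compare it with a constructed baseline that follows the
# advice quoted above (long passwords, no composition rules). Requires the RSAT
# ActiveDirectory module on a domain-joined machine; group name is an assumption.
Import-Module ActiveDirectory

# Constructed baseline; AD has no setting for a maximum length, so only the
# minimum length, the composition rule and the lockout threshold are checked.
$Baseline = @{ MinPasswordLength = 15; ComplexityEnabled = $false; LockoutThreshold = 10 }

function Compare-DomainPasswordPolicy {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][hashtable]$Baseline)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) is below $($Baseline.MinPasswordLength)"
    }
    if ($Policy.ComplexityEnabled -ne $Baseline.ComplexityEnabled) {
        $findings += "ComplexityEnabled is $($Policy.ComplexityEnabled); composition rules burden users"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) allows unlimited or many guesses"
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @(Compare-DomainPasswordPolicy -Policy $policy -Baseline $Baseline)
if ($findings.Count -eq 0) { 'Default Domain Password Policy matches the baseline' }
else { $findings | ForEach-Object { "FINDING: $_" } }

# Bring the domain default in line with the baseline. -WhatIf only previews the
# change; remove it after review and change-control approval.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MinPasswordLength $Baseline.MinPasswordLength `
    -ComplexityEnabled $Baseline.ComplexityEnabled `
    -LockoutThreshold $Baseline.LockoutThreshold -WhatIf

# Stricter settings for privileged accounts via a fine-grained password policy
# (PSO). 'Tier0-Admins' is an assumed group; the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $false -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MaxPasswordAge '365.00:00:00' -MinPasswordAge '1.00:00:00' -WhatIf
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Tier0-Admins' -WhatIf
```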

Fine-tuned password guidelines with Specops Password Policy

Specops Password Policy allows administrators to implement the updated recommendations of security authorities such as the BSI or NIST, as well as the respective industry regulations on password security, easily and quickly, and thus to set up finely tuned password guidelines that exactly match the individual needs of a company. Specops Password Policy offers templates that meet the respective compliance requirements and a reporting tool that verifies that the respective standards are met or even exceeded.

Strong passwords with the help of passphrases are made possible with Specops Password Policy (Image source: Specops)

For each password policy, you can see in detail how its settings compare with the industry standards mentioned above.

Administrators can build on the familiar mechanism of group policies, which simplifies the rollout of finely tuned password policies and the enforcement of strong passwords based on passphrases. Specops Password Policy allows you to enforce strong passwords and at the same time block compromised passwords.

The functions of the Specops Password Policy include personalized lists, lists of compromised passwords and password hash dictionaries. The Breached Password Protection List is a database of more than 2.4 billion compromised passwords, made up of current and past data leaks. It helps to find and remove compromised passwords in a Windows AD environment.

Dynamic feedback for the end user as to whether the chosen password complies with the guidelines (Image source: Specops)

Specops Password Policy allows you to block user names, display names, specific words, consecutive characters and incremental passwords and supports passwords that are long but less complex and easy to remember. In addition, well-known patterns such as digits at the beginning and at the end of passwords are prevented.
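As an added illustration of the kinds of checks listed above (not Specops's implementation, which the article does not show), a PowerShell function that evaluates a candidate password; the function name, the block list and the sample account values are constructed.

```powershell
# Added example, not Specops code: illustrates blocking the user's own names,
# listed words, repeated characters, incremental changes and leading/trailing
# digits, while allowing long, simple passphrases. All sample values are constructed.
function Test-PasswordChoice {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName    = '',
        [string]$DisplayName = '',
        [string]$OldPassword = '',
        [string[]]$BlockedWords = @('password', 'welcome', 'firma'),
        [int]$MinLength = 15
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }
    # User name, display name and each part of the display name (-match is case-insensitive)
    $ids = @($UserName, $DisplayName) + ($DisplayName -split '\s+') |
        Where-Object { $_.Length -ge 3 } | Select-Object -Unique
    foreach ($id in $ids) {
        if ($Password -match [regex]::Escape($id)) { $reasons += "contains identifier '$id'" }
    }
    # Words from the personalised block list
    foreach ($w in $BlockedWords) {
        if ($Password -match [regex]::Escape($w)) { $reasons += "contains blocked word '$w'" }
    }
    # Three identical characters in a row, e.g. 'aaa'
    if ($Password -match '(.)\1\1') { $reasons += 'has three identical characters in a row' }
    # Well-known pattern: digit at the beginning or at the end
    if ($Password -match '^\d|\d$') { $reasons += 'starts or ends with a digit' }
    # Incremental password: old and new differ only in their trailing digits
    if ($OldPassword) {
        $newStem = $Password    -replace '\d+$', ''
        $oldStem = $OldPassword -replace '\d+$', ''
        if ($newStem -eq $oldStem -and $Password -ne $OldPassword) {
            $reasons += 'is an incremented version of the previous password'
        }
    }
    [pscustomobject]@{ Password = $Password; Accepted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample checks: an incremented seasonal password, one built from the
# user's own name, and a long but simple passphrase (the only one accepted)
$account = @{ UserName = 'amuster'; DisplayName = 'Anna Muster' }
Test-PasswordChoice @account -Password 'Sommer2022' -OldPassword 'Sommer2021'
Test-PasswordChoice @account -Password 'AnnaMusterIsHere!'
Test-PasswordChoice @account -Password 'blue kettle whistles on tuesday'
```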

If you are interested in Specops Password Policy, download a free demo version here or arrange a free consultation.
