Password Policy Best Practices PDF

Title Password Policy Best Practices
Author Anonymous User
Course Herramientas Informáticas
Institution Universidad de Lima
Pages 8
File Size 245.7 KB
File Type PDF

Password Policy Best Practices for Strong Security in AD

How to set password policy in Active Directory

A strong password policy is any organization’s first line of defense against intruders. In Microsoft Active Directory, you can use Group Policy to enforce and control many different password requirements, such as complexity, length and lifetime. The default domain password policy is located in the following Group Policy object (GPO): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. Starting from the Windows Server 2008 domain functional level, you can define fine-grained policies for different organizational units using the Active Directory Administrative Center (DSAC) or PowerShell.

NIST password guidelines

The National Institute of Standards and Technology (NIST) offers Digital Identity Guidelines for a sound password policy, including the following recommendations:

Protect your password

Many organizations require passwords to include a variety of symbols, such as at least one number, both uppercase and lowercase letters, and one or more special characters. However, the benefit of these rules is not nearly as significant as expected, and they make passwords much harder for users to remember and type. Password length, on the other hand, has been found to be a primary factor in password strength. Accordingly, NIST recommends encouraging users to choose long passwords or passphrases of up to 64 characters (including spaces).

Password age

Previous NIST guidelines recommended forcing users to change passwords every 90 days (180 days for passphrases). However, changing passwords too often irritates users and usually makes them reuse old passwords or use simple patterns, which hurts your information security posture. While strategies to prevent password reuse can be implemented, users will still find creative ways around them. Therefore, the current NIST recommendation on maximum password age is to ask employees to create a new password only in the case of a potential threat or suspected unauthorized access.

Passwords especially susceptible to brute force attacks

It’s wise to discourage or prohibit the following passwords:

- Easy-to-guess passwords, especially the phrase “password”
- A string of numbers or letters like “1234” or “abcd”
- A string of characters appearing sequentially on the keyboard, like “@#$%^&”
- A user’s given name, the name of a spouse or partner, or other names
- The user’s phone number or license plate number, anybody’s birth date, or other information easily obtained about a user (e.g., address or alma mater)
- The same character typed multiple times, like “zzzzzz”
- Words that can be found in a dictionary
- Default or suggested passwords, even if they seem strong
- Usernames or host names used as passwords
- Any of the above followed or preceded by a single digit
- Passwords that form a pattern by incrementing a number or character at the beginning or end
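The patterns in the list above can be screened automatically before a password is accepted. The PowerShell function below is an added example, not code from the PDF or from Netwrix. Its small default word list, the username jsmith, the host name FILESRV01 and the other sample inputs at the bottom are constructed for illustration; a real deployment would load a full dictionary or breached-password list instead of the five-word default.

```powershell
# Added example: screen a candidate password against the weak patterns listed above.
# The default word list and the sample inputs at the bottom are constructed for
# illustration only; load a real dictionary / breach list in production.

function Test-IncrementPattern {
    # True when the new password only increments a number or character at the
    # beginning or end of the previous one (Summer2023 -> Summer2024, Spring1 -> Spring2).
    param([string] $Current, [string] $Previous)
    $c = $Current.ToLowerInvariant(); $p = $Previous.ToLowerInvariant()
    if ($c -eq $p) { return $true }
    # same stem once leading/trailing digits are removed
    $sc = ($c -replace '^\d+', '') -replace '\d+$', ''
    $sp = ($p -replace '^\d+', '') -replace '\d+$', ''
    if ($sc.Length -gt 0 -and $sc -eq $sp) { return $true }
    # same length, differing only in the first or the last character
    if ($c.Length -eq $p.Length -and $c.Length -gt 1) {
        if ($c.Substring(1) -eq $p.Substring(1)) { return $true }
        if ($c.Substring(0, $c.Length - 1) -eq $p.Substring(0, $p.Length - 1)) { return $true }
    }
    return $false
}

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $UserName = '',
        [string]   $HostName = '',
        [string]   $PreviousPassword = '',
        [string[]] $PersonalTokens = @(),      # names, phone, plate, birth date, address ...
        [string[]] $Dictionary = @('password', 'welcome', 'letmein', 'summer', 'changeme')
    )
    $p = $Password.ToLowerInvariant()
    # "Any of the above followed or preceded by a single digit": also judge the string
    # with one leading and one trailing digit removed.
    $core = ($p -replace '^\d(?=.)', '') -replace '(?<=.)\d$', ''
    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($p -like '*password*') { $reasons.Add('contains the phrase "password"') }

    # Sequential runs (1234, abcd, dcba) and keyboard rows (qwer, @#$%), either direction
    $runs = @('0123456789', 'abcdefghijklmnopqrstuvwxyz',
              'qwertyuiop', 'asdfghjkl', 'zxcvbnm', '!@#$%^&*()')
    :runs foreach ($run in $runs) {
        for ($i = 0; $i -le $run.Length - 4; $i++) {
            $chunk = $run.Substring($i, 4)
            $rev   = -join $chunk[3..0]
            if ($p.Contains($chunk) -or $p.Contains($rev)) {
                $reasons.Add("sequential characters '$chunk'"); break runs
            }
        }
    }
    if ($p -match '(.)\1{3,}') { $reasons.Add('same character repeated (zzzz)') }
    if ($Dictionary -contains $core -or $Dictionary -contains $p) {
        $reasons.Add('dictionary, default or suggested password')
    }
    # Username, host name and personal information anywhere in the password
    foreach ($token in (@($UserName, $HostName) + $PersonalTokens)) {
        if ($token -and $p.Contains($token.ToLowerInvariant())) {
            $reasons.Add("contains user-related value '$token'")
        }
    }
    if ($PreviousPassword -and (Test-IncrementPattern -Current $Password -Previous $PreviousPassword)) {
        $reasons.Add('increments the previous password')
    }
    [pscustomobject]@{
        Password = $Password
        IsWeak   = ($reasons.Count -gt 0)
        Reasons  = $reasons.ToArray()
    }
}

# Constructed sample inputs (not real accounts)
Test-WeakPassword -Password 'Password1' -UserName 'jsmith'                    # weak
Test-WeakPassword -Password 'Summer2024' -PreviousPassword 'Summer2023'       # weak
Test-WeakPassword -Password 'Qwerty!!' -HostName 'FILESRV01'                  # weak
Test-WeakPassword -Password 'correct horse battery staple' -UserName 'jsmith' # passes
```

The function reports every rule a password trips rather than stopping at the first, which is what a help-desk or self-service reset page needs in order to tell the user why a choice was rejected. The increment check needs the previous password in clear text at the moment of change, so it belongs in a password filter or change workflow, never in a stored comparison against history hashes.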

Best practices for password policy

Administrators should be sure to:

- Configure a minimum password length.
- Enforce password history policy with at least 10 previous passwords remembered.
- Set a minimum password age of 3 days.
- Enable the setting that requires passwords to meet complexity requirements. This setting can be disabled for passphrases, but it is not recommended.
- Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset tool.
- Reset service account passwords once a year during maintenance.
- For domain admin accounts, use strong passphrases with a minimum of 15 characters.
- Track all password changes using a solution such as Netwrix Auditor for Active Directory.
- Create email notifications for password expiration. This can be done with the free Netwrix Password Expiration Notifier tool.
- Instead of editing the default settings in domain policy, it is recommended to create granular audit policies and link them to specific organizational units.
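The settings above, and the fine-grained policy mechanism introduced in the opening section, can be applied with the ActiveDirectory PowerShell module. The script below is an added example, not code from the PDF or from Netwrix, and is meant to be run by a domain administrator on a domain controller or an RSAT host. The history count, 3-day minimum age, complexity setting and 15-character minimum for domain admins are the values the text gives; the 12-character default minimum length, the policy name PSO-DomainAdmins, its precedence, its 180-day maximum age and its lockout values are assumptions, as is the account name adm-jsmith used for the final check.

```powershell
# Added example (not from the PDF / Netwrix): apply the best practices above with the
# ActiveDirectory module. Assumed values are marked in the comments.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Record the current default domain password policy before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, MinPasswordAge,
                  MaxPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled

# 2. Default domain policy: minimum length (12 is an assumed value), 10 passwords
#    remembered, 3-day minimum age, complexity on, reversible encryption off.
#    MaxPasswordAge is left as it is; see the NIST note on password age above.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 10 `
    -MinPasswordAge (New-TimeSpan -Days 3) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# 3. Stricter fine-grained policy (password settings object) for domain admins with the
#    15-character minimum. A PSO is linked to users or global security groups rather than
#    to an OU, so it is applied here to the Domain Admins group. Lower precedence wins.
#    Assumed: PSO name, precedence 10, 180-day maximum age, lockout values.
$psoName = 'PSO-DomainAdmins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 10 `
        -MinPasswordAge (New-TimeSpan -Days 3) `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify which policy actually applies to a given admin account (assumed account name).
Get-ADUserResultantPasswordPolicy -Identity 'adm-jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount
```

Step 4 is the check worth keeping in a scheduled job: the resultant policy is what the domain controller enforces for that account, and comparing it with the intended PSO catches a group membership change or a competing PSO with a lower precedence number.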

Additional password and authentication best practices

- Enterprise applications must support authentication of individual user accounts, not groups.
- Enterprise applications must protect stored and transferred passwords with encryption to ensure hackers won’t crack them.
- Users (and applications) must not store passwords in clear text or in any easily reversible form and must not transmit passwords in clear text over the network.
- Use multi-factor authentication (MFA) whenever possible to mitigate the security risks of stolen and mishandled passwords.
- When employees leave the organization, change the passwords for their accounts.

User education

In addition, be sure to educate your users about the following:

- It is vital to remember your password without writing it down somewhere, so choose a strong password or passphrase that you will easily remember. If you have a lot of different passwords, you can use password management tools, but you must choose a strong master key and remember it.
- Be aware of how passwords are sent across the Internet. URLs (web addresses) that begin with “https://” rather than “http://” are more likely to be secure for use of your password.
- If you suspect that someone else may know your current password, change it immediately.
- Don’t type your password while anyone is watching.
- Avoid using the same password for multiple websites containing sensitive information.

Prevent accidents with regular policy audits

Regular audits can help you ensure your password policies are protecting your systems against attacks. Events related to Windows Server password policy are recorded in the Security Event Log on the default domain controller. By reviewing these logs, system administrators can determine who made changes to password policy settings, and when and where (on what domain controller) each change happened. For additional important tips on auditing password policy GPOs, see the Active Directory Group Policy Auditing Quick Reference Guide. However, native auditing tools won’t show you the most critical details, such as the name of the Group Policy object in which password policy was changed, or the type of action that was performed. Moreover, it’s nearly impossible to understand which policies apply to which groups and identify discrepancies. For effective password policy management, you need software that provides more insight into password policy modifications, such as Netwrix Auditor for Active Directory.

Control password policy and monitor password use with Netwrix Auditor

- Easily review your password policy settings
- Be notified about changes to your password policy
- Keep tabs on user password changes and password resets
- Quickly find accounts with passwords that never expire or are not required
- Automatically remind users to change their passwords before they expire
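The native side of the two sections above (who changed the domain policy and on which domain controller, password changes and resets, accounts whose passwords never expire or are not required, and upcoming expirations for reminder e-mails) can be queried with built-in cmdlets. The script below is an added example, not code from the PDF or from Netwrix. It assumes the ActiveDirectory module, read access to the Security log on each domain controller, a 14-day reminder window and 30-day and 7-day look-back windows; the event IDs used are 4739 (Domain Policy was changed), 4723 (user changed own password) and 4724 (password reset by another account).

```powershell
# Added example (not from the PDF / Netwrix): native audit queries for the points above.
# Assumed: ActiveDirectory module, read access to the DCs' Security logs,
# look-back windows of 30/7 days and a 14-day expiry warning window.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator   # Group Policy edits land on the PDC emulator by default

# Flatten an event's EventData into a hashtable keyed by field name
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $x = [xml] $Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Who changed the domain policy, when, and where: event 4739 "Domain Policy was changed".
#    The event carries the resulting policy values, not the name of the GPO that was
#    edited, which is the limitation the text above describes.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4739; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            DC        = $_.MachineName
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Changed   = $d['DomainPolicyChanged']   # e.g. 'Password Policy'
        }
    }

# 2. Password changes (4723) and resets (4724) in the last 7 days. These are logged on the
#    DC that processed the request, so every DC is queried.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Action = $(if ($_.Id -eq 4724) { 'Reset by another account' } else { 'Changed by user' })
                Target = $d['TargetUserName']
                Actor  = $d['SubjectUserName']
            }
        }
}

# 3. Accounts with passwords that never expire or are not required.
Search-ADAccount -PasswordNeverExpires -UsersOnly | Select-Object SamAccountName, Enabled
Get-ADUser -Filter { PasswordNotRequired -eq $true } -Properties PasswordNotRequired |
    Select-Object SamAccountName, Enabled

# 4. Users whose password expires within 14 days, as input for a reminder e-mail.
$warnDays = 14
$now = Get-Date
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
    ForEach-Object {
        $raw = [long] $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means "no computed expiry" and would break FromFileTime
        if ($raw -gt 0 -and $raw -lt [long]::MaxValue) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.mail
                Expires        = [datetime]::FromFileTime($raw)
            }
        }
    } |
    Where-Object { $_.Expires -gt $now -and $_.Expires -le $now.AddDays($warnDays) } |
    Sort-Object Expires
```

The expiry list in step 4 uses the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for whichever fine-grained policy applies to each user, so it stays correct when admins and ordinary users have different maximum ages; pipe its output to whatever mail step the organization uses.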

Download Free 20-Day Trial

About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S. For more information, visit www.netwrix.com.

CORPORATE HEADQUARTER: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618

PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

OTHER LOCATIONS: 565 Metro Place S, Suite 400, Dublin, OH 43017; 5 New Street Square, London EC4A 3TW. Phones: 1-201-490-8840; +44 (0) 203 588 3023

Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL: netwrix.com/social...

