Password Policies
The password strength rules that determine whether the newly inserted password is valid or not, are defined by a password policy. A password must comply with these password strength rules to be set for an account. In short, a password policy is a procedure that encourages the users to set strong passwords or at least use passwords that comply with the company's group policy objectives. You have the option of specifying the below-mentioned standards and rules for a password:
- Minimum and Maximum Password Age
- Enforced Password History
- Minimum Password Length
- Password meeting Complexity Requirements
- Storing Passwords using Reversible Encryption
Default Password Policy
When a domain controller (DC) is configured it comes with a pre-defined set of rules and standards to make sure a password is secure. These are:
You can view your default password policy by following the steps mentioned below:
- Open your "Windows Server Manager". Go to "Tools" and then to "Group Policy Management".
2. In "Group Policy Management", expand your "Forest" -> "Domains" -> "yourdomain.com". Then click on "Default Domain Policy" -> "Settings". Scroll down and in the "Policies" section under "Account Policies/Password Policy", you can see your Password Policy Settings.
Custom Password Policy
Default password policy comes with fundamental level security, but if your company needs a more secure password you have the option of editing the "Default Domain Policy" this can be done by following the steps below:
- Go to "Tools" -> "Group Policy Management", expand "Forest" -> "Domains" -> "yourdomain.com", right-click on "Default Domain Policy" and select "Edit".
2. In "Group Policy Management Editor", under "Computer Configuration", expand "Policies" -> "Windows Settings" -> "Security Settings" -> "Account Policies", then click on "Password Policy".
3. Here, you can change the settings for all of the policies according to your organizational requirement.
Recommended Password Policy Settings
Certain settings are recommended by Microsoft's Security Compliance Toolkit which will improve the security of Active Directory. These recommended settings are:
| Policy | Policy Setting |
| Enforce Password History | 24 |
| Maximum Password Age | 60 or fewer |
| Minimum Password Age | 1 or more |
| Minimum Password Length | 14 |
| Password must meet Complexity Requirements | Enabled |
| Store Passwords Using Reversible Encryption | Disabled |
Is Not Defined the same as Disabled?
The answer to this question is NO. The term “Not Defined" and "Disabled" have their differences. Even if we go to the literal meanings of these terms we'll find out that both these terms are different from each other. However, we can briefly explain these terms by implementing them on our Active Directory.
Now, let us take an example of the policy "Store passwords using reversible encryption". This concept is explained in the steps mentioned below:
- Set "Store passwords using reversible encryption" -> Enabled, the system will store passwords using reversible encryption.
- Set "Store passwords using reversible encryption" -> Not Defined, the system will store passwords using reversible encryption.
- Set "Store passwords using reversible encryption" -> Disabled, the system will not store passwords using reversible encryption.
- Set "Store passwords using reversible encryption" -> Not Defined, the system will not store passwords using reversible encryption.
So, summarizing it, we can see that when the status for the "Store passwords using reversible encryption" policy was changed from "Enabled" to "Not Defined", it kept the last status of "Enable". Similarly, when we changed the status of the "Store passwords using reversible encryption" policy from "Disabled" to "Not Defined", it kept the last status of "Disable".
Password Attacks
Attackers use a number of techniques to compromise passwords, some of these techniques are:
- Brute force Attack. In this technique a hacker runs a program that inserts various password combinations and if you have a weak password then you are at risk of falling prey to this attack.
- Dictionary Attack. This is a special type of brute force attack in which words from a dictionary are used as possible keywords.
- Credential Studding Attack. Attackers use various automated tools that enters a list of credentials against several company login portals.
- A malicious user collects data of a possible target and then tries to generate password combinations using the collected data.
Securing enterprise assets & software
CIS Control 4: Secure Configuration of Enterprise Assets and Software discusses the default configurations of assets and software. Generally, these configurations are set for easy deployment and use rather than security which means having default passwords enabled.
These security configuration updates need to be managed and maintained with configuration updates tracked and approved through a configuration management workflow to maintain records that can be reviewed for compliance and to support audits. CalCom Hardening Suite (CHS) automates this labor-intensive task of security-policy testing and learns the current security configuration and status of each server then states the impact of any policy change on production environments. Using CHS, the policy implementation process becomes a one-time effort which automatically re-hardens servers following any unauthorized change - in real-time - ensuring continuous compliance with security policies.
