Setting and enforcing a policy for strong passwords should be a top priority for organizations in their cyber hygiene practice. Best practices and recommendations keep being updated since this issue is so critical for attack prevention. In fact, compromised passwords are responsible for 81% of successful attacks.
Changing passwords setting configuration is part of the hardening task. Making sure all machines are configured correctly and that nothing breaks because of the configuration change, makes this task very complex. Many organizations do not change password configuration due to these challenges, resulting in an increased attack surface. To overcome these challenges, we recommend using hardening automation tools. These tools will let you know the impact of each change and will automatically enforce your desired settings on your production.
This guide will screen the recommendations of two cyber industry best practices publishers - the Center for Internet Security (CIS) password setting recommendations and the National Institute of Standard and Technology (NIST) recommendations. CIS recommendations are based on the 2019 CIS Benchmarks. NIST recommendations are taken from the NIST Digital Identity Guidelines, updated in 2020.
This guide will help you build a password policy suitable for your organization. It will cover the following topics:
- Microsoft Local Administrator Password Solution (LAPS).
- Password age and expiration time.
- Local admin password management.
- Password length and complexity.
Microsoft Local Administrator Password Solution (LAPS):
LAPS is a free tool provided by Microsoft for Windows Server environments, that allows organizations to automatically set randomized, strong passwords to domain-attached workstations and Member Servers. The passwords are stored confidently in the domain account and can be accessed from the Active Directory by a sysadmin. The LAPS provides a solution for using an identical password on all domain computers by default.
To install LAPS you need to update the AD schema and the installation of Group Policy Client Side Extension (CSE). This CSE is not installed by default, and it is recommended by the CIS to 'Ensure LAPS AdmPwd GPO Extension / CSE is installed'. This is a key step in managing server types and Group Policy Objects (GPOs) effectively.
Password Age and Expiration Time:
There are two different approaches when setting password's age and expiration time:
CIS Password Age Recommendations:
In the CIS Benchmarks there are 2 rules that address this issue:
- Do not allow password expiration time longer than required by policy - which means that according to the CIS you should set a period that after acceding it, the password should expire
- Ensure ‘Password Settings: Password Age (Days)’ is set to ‘Enabled: 30 or fewer’ (for domain members, and Member Servers).
NIST Password Age Recommendations:
According to the NIST Identity Guidelines, frequent password changes can worsen security, increasing the potential impact of certain types of cyber attacks. NIST claims that since the main challenge in setting a good password is to remember it, and it is often that users must have many different passwords to remember, passwords change policy will result in users changing passwords in predictable patterns.
In this case, if an attacker knows the user's previous password, cracking the new one won't hold a challenge. Therefore, according to NIST, you should avoid requiring a periodic password change.
Local Admin Password Management:
Using the same password on all workstations and Member Servers on deployment is a common practice in many organizations. The main reason for that is the difficulty in managing local Administrator's passwords.
This practice is a major risk to the organizations since if an attacker compromises one system and gets access to its password, he can leverage it to gain access to all other machines using the same password. Therefore, Enabling Local Admin Password Management and installing LAPS will enforce random passwords on each machine and solve this issue.
Note! When enabling a local admin password, if you need to retrieve a local Administrator password and the AD is not available (for example, when recovering from an attack), you won't be able to. In this case, consider using a local password reset tool.
Minimum Password Length & Complexity Requirements:
Password length is critical for lowering the chance of attackers hacking it. Longer passwords take longer to crack, so when they configure the passwords, organizations should take care to ensure they are long enough. The CIS recommends requiring users to set aminimum password length of at least 14 characters long. CIS security configuration is:
Ensure ‘Minimum password length’ is set to ’14 or more character(s)’ (Automated)
The recommended state for this setting is: 14 or more character(s).
Password complexity is a different issue, and in this case, the CIS and NIST hold different approaches complexity requirements policy setting.
CIS password complexity recommendations:
According to the CIS Benchmarks, you should ensure that 'Password must meet complexity requirements' is set to Enabled. This policy will require the user to set his password according to the following rules:
- Password should not contain the user's account name or parts of his full name (more than two consecutive characters).
- Have at least six characters.
- Contain uppercase characters, lowercase characters, digits, and non-alphabetic characters.
While it is reasonable to think that using complex passwords will improve security, NIST suggests a different approach for this issue.
NIST password complexity recommendations:
Research shows that requiring password complexity may actually be a poor security practice. According to NIST, you can predict the patterns most users will use to solve the challenge of adding complexity for their passwords. For example, a common scenario to see is users capitalizing the first letter of their password or adding '1' or '!' at its end. Attackers know those common patterns, and they will use them when trying to decrypt stolen passwords in a brute force attack. In addition, adding complexity will increase user's tendency to reuse passwords, which can further expose them to credential stuffing attack, if one of their accounts have been breached.
For these reasons, password complexity can result in increasing the attack surface. NIST recommends concentrating on minimum password length to lower the attack surface, in addition to following key Windows password guidelines.