Password Policy Best Practices for Active Directory

A password security policy is a set of rules that specify how passwords must be created within your organisation in order to guard against system compromise and data theft. It prevents users from choosing weak passwords that are easy to guess.

Any organization's first line of defence against attackers should be a solid password policy. In Microsoft Active Directory you can use Group Policy to enforce and manage a wide range of password requirements, including length, complexity and age.

by Dr. Shekhar Pawar

Domain Password Policy Location

The default domain password policy is configured in Group Policy at the following location:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Starting at the Windows Server 2008 domain functional level, you can also define granular (fine-grained) password policies for different organisational units using the Active Directory Administrative Center (DSAC) or PowerShell.

Recommended Password Guidelines

For a solid password policy, the National Institute of Standards and Technology (NIST) presents Digital Identity Guidelines, which include the following suggestions:

Password length and complexity
  • Many businesses require a wide range of symbols in passwords, including at least one number, uppercase and lowercase letters, and one or more special characters.
  • The benefit of these rules, however, is not nearly as great as expected, and they make it considerably harder for users to remember and type their passwords.
  • Research has found that the key component of password strength is password length.
  • As a result, NIST urges users to choose long passwords or passphrases of up to 64 characters (including spaces).

Password Age
  • Earlier NIST standards advised requiring users to change their passwords every 90 days (180 days for passphrases).
  • However, overly frequent password changes annoy users and frequently lead them to use simple patterns or old passwords, which is bad for your information security posture.
  • Users will still find inventive ways around password reuse prevention, even where such controls are in place.
  • Because of this, the current NIST guideline on maximum password age is to request a new password from employees only in the event of a possible threat or suspected unauthorised access.

Passwords are particularly vulnerable to brute-force attacks.

It is a good idea to avoid, or forbid, the following kinds of passwords:

  • Passwords that are easy to guess, notably the word "password"
  • A sequence of letters or numbers, such as "1234" or "abcd"
  • A run of adjacent keyboard characters, such as "@#$%&"
  • The user's first name, the name of their spouse or partner, or any other personal names
  • Any person's birthdate, licence plate number, phone number, or other readily available details about a user (e.g., address or alma mater)
  • Repetitions of the same character, such as "zzzzzz"
  • Words that appear in dictionaries
  • Default or suggested passwords, even though they may look strong
  • Passwords derived from usernames or host names
  • Any of the above with a single number added before or after it
  • Passwords that build a pattern by incrementing a number or character at the beginning or end
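The categories above can be screened for before a password reaches the domain. The following PowerShell function is an added example, not code from the original post; it checks a candidate password against each listed pattern (banned words, letter/number sequences, keyboard runs, names and host names, repeated characters, a single leading or trailing digit, and an incremented number relative to the previous password) and reports why it was rejected. The function name, the banned-word list and the sample inputs are constructed for the example; a production deployment would load a real dictionary and breached-password list instead.

```powershell
# Added example (not from the original post). Screens a candidate password
# against the weak-pattern categories in the list above. The banned-word list
# and the sample calls at the bottom are constructed for illustration.
function Test-WeakPasswordPattern {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $UserName = '',
        [string]   $HostName = $env:COMPUTERNAME,
        [string]   $PreviousPassword = '',                 # optional: detect "Summer2023" -> "Summer2024"
        [string[]] $PersonalTerms = @(),                   # spouse name, phone number, licence plate, ...
        [string[]] $BannedWords = @('password', 'welcome', 'letmein', 'qwerty', 'admin')  # constructed stand-in for a dictionary
    )

    $reasons = New-Object 'System.Collections.Generic.List[string]'
    $full    = $Password.ToLowerInvariant()

    # "Any of the above with a single number before or after it": strip one edge digit
    # so that "Password1" is judged the same way as "Password".
    $core = $Password -replace '^\d(?=.)', '' -replace '(?<=.)\d$', ''
    $core = $core.ToLowerInvariant()

    # Dictionary / banned words.
    foreach ($word in $BannedWords) {
        if ($core -eq $word.ToLowerInvariant()) { $reasons.Add("matches banned word '$word'") }
    }

    # User name, host name and personal details embedded in the password.
    $terms = @()
    if ($UserName) { $terms += @{ Label = 'user name';  Value = $UserName } }
    if ($HostName) { $terms += @{ Label = 'host name';  Value = $HostName } }
    foreach ($t in $PersonalTerms) { $terms += @{ Label = 'personal detail'; Value = $t } }
    foreach ($t in $terms) {
        if ($t.Value.Length -ge 3 -and $full.Contains($t.Value.ToLowerInvariant())) {
            $reasons.Add("contains $($t.Label) '$($t.Value)'")
        }
    }

    # Repeated characters, e.g. "zzzzzz" (four or more of the same character in a row).
    if ($full -match '(.)\1{3,}') { $reasons.Add('repeats the same character four or more times') }

    # Ascending or descending runs such as "1234" or "dcba" (four or more consecutive codes).
    $run = 1; $dir = 0
    for ($i = 1; $i -lt $full.Length; $i++) {
        $d = [int]$full[$i] - [int]$full[$i - 1]
        if (($d -eq 1 -or $d -eq -1) -and $d -eq $dir) { $run++ }
        elseif ($d -eq 1 -or $d -eq -1)               { $dir = $d; $run = 2 }
        else                                          { $dir = 0; $run = 1 }
        if ($run -ge 4) { $reasons.Add('contains a sequence of consecutive letters or numbers'); break }
    }

    # Keyboard runs such as "@#$%" or "qwer" (four adjacent keys, either direction).
    $rows = @('qwertyuiop', 'asdfghjkl', 'zxcvbnm', '!@#$%^&*()')
    $keyboardHit = $false
    foreach ($row in $rows) {
        for ($i = 0; $i -le $row.Length - 4 -and -not $keyboardHit; $i++) {
            $window   = $row.Substring($i, 4)
            $reversed = -join ($window.ToCharArray() | Sort-Object { $row.IndexOf($_) } -Descending)
            if ($full.Contains($window) -or $full.Contains($reversed)) { $keyboardHit = $true }
        }
    }
    if ($keyboardHit) { $reasons.Add('contains a run of adjacent keyboard characters') }

    # Incremented number pattern relative to the previous password (same stem, different trailing digits).
    if ($PreviousPassword) {
        $stemNew = ($Password         -replace '\d+$', '').ToLowerInvariant()
        $stemOld = ($PreviousPassword -replace '\d+$', '').ToLowerInvariant()
        if ($stemNew -eq $stemOld -and $Password -match '\d+$' -and $PreviousPassword -match '\d+$' -and
            $Password -ne $PreviousPassword) {
            $reasons.Add('only the trailing number differs from the previous password')
        }
    }

    [pscustomobject]@{
        IsWeak  = ($reasons.Count -gt 0)
        Reasons = $reasons.ToArray()
    }
}

# Constructed sample inputs (not real credentials):
Test-WeakPasswordPattern -Password 'Password1' -UserName 'jsmith'                       # weak: banned word + single trailing digit
Test-WeakPasswordPattern -Password 'jsmith@#$%' -UserName 'jsmith'                      # weak: user name + keyboard run
Test-WeakPasswordPattern -Password 'Summer2024' -PreviousPassword 'Summer2023'          # weak: incremented number
Test-WeakPasswordPattern -Password 'correct horse battery staple' -UserName 'jsmith'    # passes these pattern checks
```

The function only covers the patterns the list names; it is a front-end filter for a self-service reset page or an onboarding script, not a substitute for the domain's own complexity setting or a breached-password check.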

Guidelines for password policies

Administrators should:

  • Set a minimum password length.
  • Enforce password history so that users cannot reuse any of their last ten passwords.
  • Set a minimum password age of 3 days.
  • Enable the setting that enforces a minimum level of password complexity. It is not advisable to disable this setting for passphrases.
  • Reset local administrator passwords every 180 days.
  • Reset service account passwords yearly during maintenance.
  • Use strong passphrases of at least 15 characters for domain admin accounts.
  • Use a tool such as Netwrix Auditor for Active Directory to keep track of all password changes.
  • Create email alerts when a password needs to be changed.
  • Rather than changing the default values in the domain policy, create granular (fine-grained) password policies and link them to specific organisational entities.
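The following PowerShell session is an added example (not code from the original post or from Netwrix) that implements the guideline values above as a fine-grained password policy, as the "Domain Password Policy Location" section and the last bullet recommend, instead of editing the default domain policy. It assumes the ActiveDirectory RSAT module, a session with Domain Admin rights, and that the policy is applied to the built-in Domain Admins group (fine-grained policies are attached to users and global security groups). The policy name, precedence and lockout values are the author's own choices; the maximum password age is deliberately not set here, because the post recommends forcing a change only on suspected compromise, so pick a value that suits your environment.

```powershell
# Added example (not from the original post). Creates a fine-grained password
# policy (PSO) with the values from the guideline list and applies it to the
# Domain Admins group. Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

# Read the current default domain policy for comparison (read-only).
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MinPasswordAge, MaxPasswordAge, ComplexityEnabled

$policyName = 'PSO-DomainAdmins'   # assumed name

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    $pso = @{
        Name                        = $policyName
        Precedence                  = 10                           # lowest precedence wins when several PSOs apply
        MinPasswordLength           = 15                           # 15-character passphrases for domain admins
        PasswordHistoryCount        = 10                           # remember the last ten passwords
        MinPasswordAge              = (New-TimeSpan -Days 3)       # 3-day minimum age
        ComplexityEnabled           = $true                        # keep complexity on, even for passphrases
        ReversibleEncryptionEnabled = $false                       # never store reversibly encrypted passwords
        LockoutThreshold            = 10                           # assumed lockout values
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# Link the PSO to the group rather than changing the domain-wide defaults.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Domain Admins'

# Verify which policy actually wins for a member of the group.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Format-List Name, Precedence, MinPasswordLength, PasswordHistoryCount, MinPasswordAge
```

`Get-ADUserResultantPasswordPolicy` is the check worth keeping in a runbook: if a user is a member of several groups with PSOs attached, only the PSO with the lowest precedence value applies, and the resultant-policy query shows which one that is.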

Additional password and authentication best practices

Below are a few additional recommendations:

  • Enterprise applications must support individual user account logins, not group authentication.
  • Enterprise applications must encrypt passwords in transit and at rest so that attackers cannot recover them.
  • Users (and applications) must not transmit passwords over the network in clear text, nor store them in plain text or any other easily reversible format.
  • Where feasible, use multi-factor authentication (MFA) to reduce the risk posed by passwords that have been lost, stolen, or managed improperly.
  • Change the passwords on the accounts of staff members who leave the company.
  • Reduce user frustration and help desk effort by helping users choose new passwords that meet the standards, proactively alerting them when their passwords are about to expire, and enabling them to change their password in a web browser.
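Both the "Create email alerts when a password needs to be changed" guideline and the proactive-expiry-alert recommendation above can be covered by one scheduled script. The following PowerShell is an added example (not code from the original post): it computes each enabled user's password expiry from the `msDS-UserPasswordExpiryTimeComputed` attribute, which already accounts for any fine-grained policy, and mails a reminder to those expiring within a chosen window. It assumes the ActiveDirectory module, that `EmailAddress` is populated, and an internal SMTP relay; the relay name, sender address and function names are placeholders.

```powershell
# Added example (not from the original post). Finds users whose password
# expires within N days and e-mails them a reminder. Assumes the
# ActiveDirectory module; SMTP relay and sender address are placeholders.
Import-Module ActiveDirectory

function Get-ExpiringPasswordUser {
    param([int] $WithinDays = 14)

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    # Skip disabled accounts and "password never expires" accounts (those need a separate review).
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', EmailAddress |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # The attribute is a FILETIME; 0 means "must change at next logon",
            # Int64.MaxValue means "never expires", and neither converts to a date.
            if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { return }
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -le $cutoff) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    EmailAddress   = $_.EmailAddress
                    ExpiresOn      = $expires
                    DaysLeft       = [math]::Max(0, [int]($expires - $now).TotalDays)
                }
            }
        }
}

function Send-PasswordExpiryReminder {
    param(
        [int]    $WithinDays = 14,
        [string] $SmtpServer = 'smtp.example.internal',       # placeholder relay
        [string] $From       = 'it-helpdesk@example.internal'  # placeholder sender
    )

    foreach ($u in Get-ExpiringPasswordUser -WithinDays $WithinDays) {
        if (-not $u.EmailAddress) {
            Write-Warning "No e-mail address for $($u.SamAccountName); skipping"
            continue
        }
        $body = "Your domain password expires on $($u.ExpiresOn.ToString('yyyy-MM-dd')) " +
                "($($u.DaysLeft) day(s) left). Please change it before then."
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
                         -Subject 'Your password expires soon' -Body $body
    }
}

# Dry run: list who would be contacted without sending anything.
Get-ExpiringPasswordUser -WithinDays 14 |
    Format-Table SamAccountName, EmailAddress, ExpiresOn, DaysLeft -AutoSize
```

Run the dry run first from a scheduled task account with read access to the directory; the reminder text deliberately contains no link, so that a user cannot be trained to click a "change your password" link in e-mail.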

User education

Be sure to inform your users of the following as well:

  • Choose a strong password or passphrase that you can easily remember, since it is essential to remember your password without writing it down. You may use a password manager if you change passwords often, but you must pick a secure master password and keep it in mind.
  • Be mindful of how credentials are sent online. Entering your password on URLs (web addresses) that start with "https://" rather than "http://" is more likely to be safe.
  • Change your password right away if you think someone else might know it.
  • Never enter your password in plain view of others.
  • Use different passwords for different websites that hold important information.

Every business domain has unique mission critical assets and different cybersecurity needs.

We partner for your entire journey of cybersecurity implementation. Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI) framework and certification is the solution for cost-effective cybersecurity implementation. Click Here To Know More About BDSLCCI Certification!
