SECURE YOUR WINDOWS ENTERPRISE WITH STRONG PASSWORD MANAGEMENT

Specops Software presents: SECURE YOUR WINDOWS ENTERPRISE WITH STRONG PASSWORD MANAGEMENT By Derek Melber, MCSE, MVP

Contents

- Secure Your Windows Enterprise with Strong Password Management
- Windows Default Password Requirements
- Windows Server 2008 Fine-Grained Password Policies
- Strong and Secure Password: Defined
- Enforcing Strong and Secure Passwords
- Users Control Their Password
- About the author

Secure Your Windows Enterprise with Strong Password Management

Security practitioners will tell you that weak passwords pose the highest security risk to a computer and the network. A weak or non-existent password on any user account, and especially on an account with administrative privileges, can lead to data exposure, destruction of data, or a complete takeover of every computer on the network. Creating and enforcing a strong password management environment is essential for every computing environment, and especially for a Windows Active Directory environment. If a strict password policy is not considered and deployed, the foundation of the computing security is in jeopardy.

There are misconceptions about what a strong password policy should entail. With settings for complexity, length, character types, password age, and password history, it is no wonder that a strong password policy is hard to define. Years of research and analysis have made a strong password policy easy to define, and with the proper tools in place for your Active Directory environment it is also easy to implement and enforce.

Windows Default Password Requirements

Starting with a Windows Server 2003 Active Directory domain, the Default Domain Policy enforces a baseline for user account passwords: a password cannot be blank, and it must meet minimum length and complexity requirements before it can be set or reset. There are five essential password settings, all of which are pre-configured with the following defaults:

Password Setting           Default Configuration
Minimum password length    7 characters
Password complexity        Enabled
Minimum password age       1 day
Maximum password age       42 days
Password history           24 passwords remembered

Note what "complexity" means here: the password may not contain the account name or more than two consecutive characters of the user's full name, and it must use characters from at least three of the four character classes (uppercase letters, lowercase letters, digits, and non-alphanumeric symbols). Nothing in the default policy requires all four classes.

In Windows 2000 and Windows Server 2003 Active Directory domains there can be only one password policy for all user accounts in the domain, the one defined in the Default Domain Policy; password settings in a Group Policy Object linked anywhere other than the domain root affect only the local accounts of the computers it applies to, not domain accounts.
This limitation means that standard users and administrators are bound by the same password settings, even when one group should have a more stringent policy.

Windows Server 2008 Fine-Grained Password Policies

If your Active Directory domain contains only Windows Server 2008 domain controllers (that is, the domain functional level has been raised to Windows Server 2008), you can configure multiple password policies in the same domain. This capability is not implemented through Group Policy as in the past; instead, it is implemented by creating new Active Directory objects, called Password Settings Objects (PSOs), under CN=Password Settings Container,CN=System in the domain partition, using ADSIEdit. The same password and lockout settings are available, but a PSO is applied to individual users or to global security groups rather than to the whole domain (a PSO cannot be linked to an organizational unit), so IT administrators can now have a stricter password policy than the one that controls standard users. When more than one PSO applies to a user, the PSO with the lowest precedence value wins.
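The following PowerShell script is an added example and is not part of the original whitepaper (which predates the Active Directory PowerShell module) nor Specops code. It does three things against a domain: it reads the Default Domain Policy and flags any setting that falls below the baseline in the table above; it creates a fine-grained password policy (PSO) that is stricter than the domain policy and applies it to the Domain Admins group; and it confirms which policy actually governs a given account. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), a domain at the Windows Server 2008 functional level, and Domain Admins rights. The PSO name "PSO-Admins" and the sample account "jdoe" are assumptions for the example.

```powershell
# Added example: audit the Default Domain Policy, then create a stricter PSO for administrators.
# Requires the ActiveDirectory module (RSAT) and Domain Admins rights; run on a domain-joined host.
Import-Module ActiveDirectory

# 1. Baseline from the "Windows Default Password Requirements" table.
$baseline = @{
    MinPasswordLength    = 7
    ComplexityEnabled    = $true
    MinPasswordAge       = New-TimeSpan -Days 1
    MaxPasswordAge       = New-TimeSpan -Days 42
    PasswordHistoryCount = 24
}

function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][hashtable]$Baseline)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum length is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += "Complexity is disabled" }
    if ($Policy.MinPasswordAge -lt $Baseline.MinPasswordAge) {
        $findings += "Minimum age $($Policy.MinPasswordAge) lets users cycle straight back to an old password"
    }
    # A maximum age of 0 means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Baseline.MaxPasswordAge) {
        $findings += "Maximum age $($Policy.MaxPasswordAge) is weaker than $($Baseline.MaxPasswordAge)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "History remembers only $($Policy.PasswordHistoryCount) passwords"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled (passwords are recoverable in cleartext)"
    }
    return $findings
}

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$findings = @(Test-DomainPasswordPolicy -Policy $domainPolicy -Baseline $baseline)
if ($findings.Count -eq 0) { "Default Domain Policy meets the baseline" }
else { $findings | ForEach-Object { "WEAK: $_" } }

# 2. Create a PSO stricter than the domain policy. Lower precedence wins when several PSOs
#    apply to one user. Group Policy capped "Minimum password length" at 14 on Windows
#    Server 2008; a PSO accepts up to 255, so this is also how you get past 15 characters.
$psoName = 'PSO-Admins'   # assumed name for this example
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'
}
# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 3. Confirm which policy governs an account. No object back means no PSO applies and the
#    Default Domain Policy is in force.
$user = 'jdoe'   # assumed sample account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    "$user is governed by PSO '$($resultant.Name)' (minimum length $($resultant.MinPasswordLength))"
} else {
    "$user is governed by the Default Domain Policy (minimum length $($domainPolicy.MinPasswordLength))"
}
```

Run the audit step alone first on a production domain; the PSO creation and subject assignment change live policy for every member of the group you name, so stage them in a test domain and confirm the resultant policy on a member account before repeating them in production.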

The configuration of fine-grained password policies is done using ADSIEdit or another LDAP-compliant Windows tool. This requires knowledge of Active Directory object classes, attribute types, and the input format each attribute expects. Figure 1 illustrates one of the entries that is required for the configuration of a fine-grained password policy using ADSIEdit.

Figure 1. Fine-grained password policies for Windows Server 2008 are configured using ADSIEdit by default.

Specops Password Policy Basic takes the complexity out of configuring fine-grained password policies by offering a GUI for all of the settings, as illustrated in Figure 2.

Figure 2. Specops Password Policy Basic configures fine-grained password policies for Windows Server 2008.

Strong and Secure Password: Defined

The research and analysis done over the years with regard to passwords show that passwords can be protected with the right policies in place. The policies must enforce that passwords meet certain criteria, to protect against attackers and their dictionary and brute-force tools. Strong and secure passwords should meet the following criteria:

- Not appear in any dictionary list
- Be well over 15 characters; 20 is a good length
- Contain all four character types (uppercase letters, lowercase letters, digits, and symbols)
- Not include the user account name or logon name

- Be in the form of a pass phrase, such as "I wish I owned a Porsche 930 Turbo!"
- Not be an incremental change of the previous password (the same password with a counter or year bumped)
- Be changed often

Enforcing Strong and Secure Passwords

The Microsoft password policy and fine-grained password policy settings cover only a few of these requirements, not nearly all of them. More and more companies and government agencies are developing password policies that cannot be enforced with the Microsoft settings. Some published government and educational password mandates cannot be met with the Microsoft password policy settings, for example: http://www.nersc.gov/nusers/accounts/password.php#doerules

Many companies, educational institutions, and government agencies require password rules that cannot be met with the standard Microsoft settings, among them:

- Berkeley
- CalState Pomona
- Cornell

Custom password filters can be developed and installed in the Active Directory environment to bridge the gap: a password filter is a DLL that the Local Security Authority calls whenever a password is set or changed, and it can reject a password that does not meet your rules. Password filters are costly to build and require advanced knowledge of the authentication architecture, Active Directory, and C++ or another native language; once developed they must be installed on every domain controller, managed, and supported.

The most efficient and effective way to enforce strong and secure password policies is Specops Password Policy, which provides the following basic features of a strong and secure password:

- Configure different password policies in the same Active Directory domain (e.g., IT, sales, and executives each have a different password policy)
- Include a dictionary list of words users cannot use
- Force password length greater than 15 characters
- Require all four types of characters in the password
- Require at least a, x, y, and z characters respectively from each of the four character types
- Not include the user account name or logon name
- Don't allow incremental passwords
- Many more
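The checker below is an added example, not Specops code and not a Windows password filter; it shows the logic that the criteria in "Strong and Secure Password: Defined" imply, which is what a password filter DLL or a self-service reset page would run before accepting a password. The dictionary list and the test cases are constructed for the example. The function takes the previous password as an optional parameter because the incremental rule can only be applied where the caller has it (for example, a change-password flow in which the user typed the old password); the normalization of leetspeak substitutions (p@ssw0rd to password) is this example's own choice, not a rule from the whitepaper.

```powershell
# Added example: check a candidate password against the strong-password criteria above.
# Dictionary and test cases are constructed for this example.
$script:Dictionary = @('password', 'welcome', 'summer', 'company', 'letmein', 'qwerty')

function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [string]$PreviousPassword = '',
        [int]$MinimumLength = 15
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # All four character classes, not just the three that Windows complexity requires.
    $classes = @{ uppercase = '[A-Z]'; lowercase = '[a-z]'; digit = '[0-9]'; symbol = '[^A-Za-z0-9]' }
    foreach ($name in $classes.Keys) {
        if ($Password -notmatch $classes[$name]) { $failures += "missing $name character" }
    }

    # Dictionary words: undo common substitutions, drop everything but letters, and compare
    # the remaining core against the list (catches Summer2009!, P@ssw0rd#1, Welcome-123).
    $normalized = $Password.ToLowerInvariant() -replace '@', 'a' -replace '\$', 's' -replace '0', 'o' `
                  -replace '1', 'i' -replace '3', 'e' -replace '4', 'a' -replace '5', 's'
    $core = $normalized -replace '[^a-z]', ''
    if ($script:Dictionary -contains $core) { $failures += "is the dictionary word '$core'" }

    # The logon name and every part of the display name of three or more characters are
    # forbidden anywhere in the password (-match is case-insensitive in PowerShell).
    $tokens = @($SamAccountName) + @($DisplayName -split '[\s,.\-]+' | Where-Object { $_.Length -ge 3 })
    foreach ($token in $tokens) {
        if ($token -and $Password -match [regex]::Escape($token)) { $failures += "contains '$token'" }
    }

    # Incremental passwords: same letters as the previous password, only digits or symbols changed.
    if ($PreviousPassword) {
        $oldCore = $PreviousPassword.ToLowerInvariant() -replace '[^a-z]', ''
        $newCore = $Password.ToLowerInvariant() -replace '[^a-z]', ''
        if ($oldCore -and $oldCore -eq $newCore) { $failures += 'is an incremental change of the previous password' }
    }

    [pscustomobject]@{ Strong = ($failures.Count -eq 0); Failures = $failures }
}

# Constructed test cases for the account jdoe / "Jane Doe".
$cases = @(
    @{ Password = 'Summer2009!';                        Prev = '' }                         # short and a dictionary word
    @{ Password = 'Jane.Doe.Jan2010!!';                 Prev = '' }                         # built from the display name
    @{ Password = 'Blue-Mountain-Sky-2010!';            Prev = 'Blue-Mountain-Sky-2009!' }  # year bumped
    @{ Password = 'I wish I owned a Porsche 930 Turbo!'; Prev = '' }                        # pass phrase: passes
)
foreach ($case in $cases) {
    $r = Test-StrongPassword -Password $case.Password -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -PreviousPassword $case.Prev
    '{0,-38} strong={1,-5} {2}' -f $case.Password, $r.Strong, ($r.Failures -join '; ')
}
```

Only the pass phrase survives; the first three cases each trip at least one rule. The dictionary comparison is deliberately an equality test on the letters-only core rather than a substring search, so that a genuine pass phrase containing an ordinary word (Porsche, wish, owned) is not rejected; a production filter would use a much larger list and would add the breached-password checks that the whitepaper's era did not yet have.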

Users Control Their Password

A long-standing issue with user account passwords is what happens when they need to be reset. Often a user account will be locked out, the password will expire, or the password will otherwise require attention from the IT or help desk staff. Resetting passwords for users is time consuming and costly for both the IT staff and the end user. To complicate matters, the password that the help desk sets must be communicated securely and then changed immediately by the user, so that the IT staff member does not know the password in use.

These issues can be, and are, solved by technology like Specops Password Reset. Password Reset is configured using Group Policy and provides the end user with a web-based interface for resetting their own password. The ability to reset the password is secured by the end user enrolling in the service by answering unique and private questions, then later answering those questions over an encrypted connection to reset the password. Password Reset reduces the administrative overhead of IT staff routinely helping end users reset their passwords, and it increases the security of data by ensuring that IT and help desk staff never know the end user's password.

About the author:

Derek Melber is President of BrainCore.Net, where he does authoring, speaking, and consulting for some of the largest companies in the world. Derek is author of the Microsoft Press Group Policy Resource Kit and one of only 8 Group Policy MVPs in the world. Derek evangelizes and educates on Microsoft Windows Active Directory, Group Policy, security, and desktop management. You can reach Derek at derekm@braincore.net.