
IS Decisions Blog

Understanding the need for security beyond Active Directory password policy

Active Directory (AD) passwords are easy to compromise. UserLock goes beyond users' Windows credentials and Active Directory password policy to make sure users are who they say they are.

Updated Jul 10, 2024
Security far beyond Active Directory password policy

A secure Windows network environment requires all domain users to use strong passwords. To help with this, a system administrator can configure an Active Directory password policy that requires users to create passwords meeting minimum standards, rather than merely encouraging them to.

Three password policies — maximum password age, password length, and password complexity — are among the first policies encountered by administrators and users alike in an Active Directory (AD) domain.

But even with strict password requirements enforced, AD password policy best practice alone isn't enough to prevent credentials from being compromised and then misused.

Understanding Active Directory password policy

Active Directory password policies define the rules and requirements for creating and managing user passwords within your network. Admins can adjust these policies to ensure they meet the organization's security standards.

Typically, these policies include parameters such as minimum password length, complexity (e.g., a mix of uppercase and lowercase letters, numbers, and special characters), and password expiration intervals.

Alongside these settings, the account lockout policy (lockout threshold, lockout duration and observation window) limits how many wrong guesses can be made against an account, which blunts online brute-force and password-spraying attacks. Set the threshold with care: a very low value lets an attacker lock out accounts at will, a denial of service of its own.

By setting and enforcing robust password policies, admins can take the first step to reduce unauthorized access.

Key features of Active Directory password policies

  1. Enforce password history: This setting determines how many unique passwords a user must use before they can reuse a previous one. The default value in AD is 24, meaning users must cycle through 24 different passwords before reusing an old one. This helps prevent password reuse and enhances security.

  2. Maximum password age: This specifies the maximum number of days a password can be used before it must be changed. The default setting is 42 days, which means users need to update their passwords every 42 days to prevent long-term use of potentially compromised passwords.

  3. Minimum password age: This setting defines the minimum duration a password must be used before it can be changed again. By default, it is set to 1 day. This prevents users from changing their password multiple times in quick succession to bypass the password history requirement.

  4. Minimum password length: The minimum number of characters required for a password is 7 by default. Set this to at least 8 characters (Microsoft's security baselines use 14); length does more to resist offline cracking of stolen hashes than any other single setting.

  5. Password complexity requirements: When enabled, a new password must contain characters from at least three of five categories (uppercase letters, lowercase letters, digits, non-alphanumeric characters, and other Unicode letters), and must not contain the user's account name or any part of their full name longer than two characters. Complexity alone does not stop predictable patterns such as Summer2024!, so screening new passwords against lists of known-breached passwords is still worthwhile.

  6. Store passwords using reversible encryption: Disabled by default, this setting stores passwords in a form that can be decrypted back to cleartext, which a few legacy authentication methods (for example CHAP-based remote access) require. Leave it disabled unless an application genuinely needs it: the key is held in the directory itself, so anyone who can read the domain database (a compromised domain controller or a copy of NTDS.dit) recovers every such password in plaintext.

Fine-grained password policies (FGPP)

Fine-grained password policies allow administrators to apply different password and lockout settings to different sets of users within the same AD domain (domain functional level Windows Server 2008 or later). This is useful for setting stricter policies for high-privilege accounts, like administrators, while applying more lenient policies to regular users. FGPPs are defined as Password Settings Objects (PSOs) and managed in the Active Directory Administrative Center (ADAC) or with the ActiveDirectory PowerShell module (New-ADFineGrainedPasswordPolicy, Add-ADFineGrainedPasswordPolicySubject). A PSO can be applied only to users and global security groups, not to OUs; when several PSOs apply to one user, the one with the lowest precedence value wins, and any applicable PSO overrides the Default Domain Policy for that user.
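As an added example (not IS Decisions or UserLock code), the PowerShell below audits the settings listed under "Key features" against a stricter baseline and then creates a fine-grained policy for privileged accounts. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account allowed to read domain policy and create PSOs; the group name Tier0-Admins, the account da-jsmith and the baseline thresholds are assumptions for illustration.

```powershell
# Added example (not IS Decisions or UserLock code). Assumes the RSAT
# ActiveDirectory module on a domain-joined host and an account allowed to read
# domain policy and, for the PSO step, to create Password Settings Objects.
# Group name "Tier0-Admins", account "da-jsmith" and the thresholds are assumptions.
Import-Module ActiveDirectory

# Values to check the Default Domain Policy against. Domain defaults are
# length 7 / history 24 / max age 42 days / complexity on / reversible encryption off.
$Baseline = @{
    MinPasswordLength           = 14     # Microsoft security baseline; the text recommends at least 8
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10     # 0 disables lockout entirely
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), expected >= $($Baseline.MinPasswordLength)"
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), expected >= $($Baseline.PasswordHistoryCount)"
    }
    if (-not $p.ComplexityEnabled)      { $findings += 'Complexity requirements are disabled' }
    if ($p.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is ENABLED: passwords are recoverable in cleartext' }
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold), expected 1..$($Baseline.LockoutThreshold)"
    }
    if ($p.MinPasswordAge.TotalDays -lt 1) {
        $findings += 'MinPasswordAge below 1 day lets users cycle through the history to reuse a password'
    }
    [pscustomobject]@{ Domain = $p.DistinguishedName; Findings = $findings }
}

# Stricter policy for privileged accounts via a Password Settings Object (PSO).
# Lower Precedence wins when several PSOs apply to one user; PSOs bind to users
# or global security groups only, never to OUs.
function New-PrivilegedPso {
    param(
        [string]$Name      = 'PSO-Tier0-Admins',
        [string]$GroupName = 'Tier0-Admins'      # assumed group name
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
            -ReversibleEncryptionEnabled $false `
            -Description 'Stricter password and lockout settings for Tier 0 administrators'
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Which policy actually applies to a given account? Returns the winning PSO, or
# nothing when the Default Domain Policy applies.
function Get-EffectivePolicy([string]$SamAccountName) {
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
}

# Usage
Test-DomainPasswordPolicy | Format-List
New-PrivilegedPso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
$eff = Get-EffectivePolicy -SamAccountName 'da-jsmith'   # assumed account name
if ($eff) { "da-jsmith gets PSO $($eff.Name)" } else { 'da-jsmith gets the Default Domain Policy' }
```

The resultant-policy check at the end is the part worth keeping in a scheduled job: a PSO that nobody is a subject of, or one outranked by a more lenient PSO with a lower precedence value, silently leaves privileged accounts on the domain default.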

AD password policy best practices

  1. Adopt strong password policies: Ensure minimum password length is at least 8 characters (longer is better; Microsoft's security baselines use 14), enforce complexity requirements, and set expiration periods that match your threat model rather than forcing very short rotation cycles that push users toward predictable increments.

  2. Use FGPP for high-risk accounts: Apply stricter policies to administrative and service accounts to reduce the risk of breaches.

  3. Regularly review and update policies: Stay updated with industry standards like the NIST SP 800-63B guidelines, which favor length over composition rules, recommend screening new passwords against lists of known-compromised passwords, and advise against scheduled expiration unless there is evidence of compromise.

  4. Educate users: Train users on creating strong passwords and the importance of not reusing passwords across multiple sites or systems.

Implementing robust AD password policies is a critical step in securing an organization's digital infrastructure, helping to prevent unauthorized access and protect sensitive information from cyber threats.

Password policy is not enough: Credential misuse is too easy

The problem is that no matter how flawless your password policies are, and no matter how vigilant your users are, passwords are notoriously easy to bypass.

The Verizon Data Breach Investigations Report finds that 49% of all data breaches by external actors involve stolen passwords.

And when an attacker uses an employee's legitimate username and password? Your anti-virus, intrusion detection, firewall and other technologies will not flag anything unusual.

Those tools believe that the person accessing your network is exactly who they say they are: an authenticated user with authorized access!

How Windows login credentials are effortlessly compromised

Most credential misuse is caused (at least in part) by your end-users, whether that’s by careless errors, malicious actions or from being exploited by external attacks.

Your organization might have the most robust password policy in place and provide effective security awareness training but Windows credentials are still effortlessly compromised by the weakest security link of any organization: your own employees.

Common causes of compromised credentials

  • Phishing (user clicks on a link and enters credentials): 58%

  • Password sharing with colleagues: 38%

  • Key-logging malware: 37%

  • Social engineering (unknowingly handing credentials to a malicious party, other than phishing): 35%

  • Duplication (reuse of corporate credentials on third-party sites for convenience): 29%

  • Hacked database including user credentials: 22%

Data from IS Decisions research with 500 IT Managers; the percentages sum to more than 100 because respondents could cite more than one cause.

Don't blame your users for being human

People are, by their very nature, human and are therefore prone to making mistakes, especially when IT is often an afterthought. Careless behavior takes many forms, writing passwords down on a bit of paper, sharing passwords with colleagues, leaving workstations logged in when absent, and logging in from two separate devices and locations at once.

From our research with IT Managers, there seems to be an explosion of cuddly toys in the UK, as a quarter of administrators have seen employees hide a password behind one on their desk.

But it isn’t always an incompetent or ill-prepared member of staff who opens up a company’s data to hackers.

Malicious users are insiders who have shifted their loyalty from the organization where they work to themselves and are engaged in some kind of inappropriate activity (hacking, data theft, etc.) that benefits them over the organization. Insiders use their own granted access, or other compromised accounts, to reach data and applications for malicious purposes.

External attackers are more often members of an organized group than lone individuals. They use hacking, social engineering, malware and many other toolsets to create a way into your network. Once inside, they work to obtain one or more sets of elevated credentials that give them greater access and the ability to move about the network in search of valuable data. External attacks use user accounts to gain control over endpoints, to move laterally within the network and, ultimately, to acquire targeted access to valuable data.

But rather than blaming your users and insisting on even tighter password policies, organizations need to start better protecting users’ access to the network, even when credentials are compromised.

Verify all network access

When the adversary has valid, authorized passwords, all access attempts need to be verified. The secret to doing this without impeding users is context-aware MFA with a solution such as UserLock.

It helps you to go far beyond Active Directory password policies with specific, granular and configurable logon access rules and monitoring.

Furthermore, it protects everyone within a company — not just the privileged users/administrators, because any account with access to data that is sensitive, privileged, protected, or otherwise valuable is at risk.

Administrators can set the rules as to what constitutes "normal" logon behavior, for example, logins from particular workstations, employee-owned devices, locations, time of day, simultaneous connections or a number of unique access points.

  • If an attacker gets their hands on an Active Directory password, whether it’s a simple one like 123456, or a complex one including a mixture of uppercase, numbers and special characters, that attacker won’t be able to use it, if the login attempt falls outside of these rules. The system will automatically deny access before damage is done – not only when IT intervenes.

  • Likewise it can automatically log out an already active session when a user initiates a new session or after a set period of inactivity. Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers simultaneously is now eradicated, as well as narrowing the window of opportunity for attackers.

(Screenshot: concurrent sessions allowed setting)

Choose to alert on suspicious access

There are also warning signs that someone uninvited has breached your network with compromised credentials. These behaviors should ring alarm bells that something’s not right.

For example:

  • Impossible journeys: Simultaneous logins from locations too far apart to make any sense or sequential logins with different credentials being used from one machine.

  • Sudden change in working/office hours: Login attempts from outside normal business hours.

  • Password resets: A repetition of failed login attempts or password resets.

  • Implausible remote access: Login attempts from an unlikely session type, location or device.
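As an added example (not UserLock code), the PowerShell below turns the four warning signs above into detection logic and runs it over constructed Windows Security events (IDs 4624 = successful logon, 4625 = failed logon, 4724 = password reset attempt). The IP-to-site mapping, the business hours, the thresholds and the sample accounts are assumptions; a real deployment would feed it events from Get-WinEvent or a SIEM.

```powershell
# Added example, not UserLock code: a small detector for the warning signs in
# the text, run over constructed Windows Security events (IDs 4624 = successful
# logon, 4625 = failed logon, 4724 = password reset attempt; for 4724 "User" is
# the account whose password was reset). Site map, business hours, thresholds
# and accounts are assumptions; real input would come from Get-WinEvent.

# Assumed IP prefix -> site mapping; drives the impossible-journey and remote-access checks.
$SiteOf = @{ '10.1.' = 'Paris'; '10.2.' = 'London'; '203.0.113.' = 'Internet' }
function Get-Site([string]$Ip) {
    foreach ($prefix in $SiteOf.Keys) { if ($Ip.StartsWith($prefix)) { return $SiteOf[$prefix] } }
    'Unknown'
}

# Constructed sample events (local time). LogonType 2 = interactive, 3 = network, 10 = RDP.
$Events = @(
    [pscustomobject]@{ Time=[datetime]'2024-07-10 08:02'; Id=4624; User='jsmith'; Ip='10.1.5.20';   LogonType=2;  Host='WS-PAR-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 08:31'; Id=4624; User='jsmith'; Ip='10.2.7.11';   LogonType=10; Host='WS-LON-03' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 09:10'; Id=4624; User='mlee';   Ip='10.2.7.40';   LogonType=2;  Host='WS-LON-07' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 23:15'; Id=4624; User='mlee';   Ip='203.0.113.9'; LogonType=10; Host='RDS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:00'; Id=4625; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:01'; Id=4625; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:02'; Id=4625; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:03'; Id=4625; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:04'; Id=4625; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
    [pscustomobject]@{ Time=[datetime]'2024-07-10 11:06'; Id=4724; User='abrown'; Ip='10.1.5.44';   LogonType=3;  Host='FS-01' }
)

# Impossible journey: the same account logs on from two different sites within a
# window too short to travel between them.
function Find-ImpossibleJourney($Events, [int]$WindowMinutes = 60) {
    $alerts = @()
    foreach ($g in ($Events | Where-Object Id -eq 4624 | Sort-Object Time | Group-Object User)) {
        $prev = $null
        foreach ($e in $g.Group) {
            if ($prev -and (Get-Site $e.Ip) -ne (Get-Site $prev.Ip) -and
                ($e.Time - $prev.Time).TotalMinutes -lt $WindowMinutes) {
                $alerts += "$($e.User): $(Get-Site $prev.Ip) at $($prev.Time.ToString('HH:mm')) then $(Get-Site $e.Ip) at $($e.Time.ToString('HH:mm'))"
            }
            $prev = $e
        }
    }
    $alerts
}

# Off-hours and implausible remote access: successful logons outside business
# hours, or RDP (logon type 10) arriving from outside the corporate sites.
function Find-ImplausibleAccess($Events, [int]$StartHour = 7, [int]$EndHour = 20) {
    foreach ($e in ($Events | Where-Object Id -eq 4624)) {
        $offHours       = $e.Time.Hour -lt $StartHour -or $e.Time.Hour -ge $EndHour
        $rdpFromOutside = $e.LogonType -eq 10 -and (Get-Site $e.Ip) -eq 'Internet'
        if ($offHours -or $rdpFromOutside) {
            "$($e.User): logon type $($e.LogonType) from $($e.Ip) ($(Get-Site $e.Ip)) at $($e.Time.ToString('HH:mm'))"
        }
    }
}

# Failure burst: N or more failed logons for one account within a short window,
# noting whether a password reset followed (an attacker who guessed the password
# may change it; equally, an admin may have reset it after a lockout, so triage).
function Find-FailureBurst($Events, [int]$Threshold = 5, [int]$WindowMinutes = 10) {
    $alerts = @()
    foreach ($g in ($Events | Where-Object Id -eq 4625 | Sort-Object Time | Group-Object User)) {
        $times = @($g.Group | ForEach-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $reset  = $Events | Where-Object { $_.Id -eq 4724 -and $_.User -eq $g.Name -and $_.Time -gt $times[$i] }
                $suffix = if ($reset) { ', followed by a password reset' } else { '' }
                $alerts += "$($g.Name): $Threshold failed logons within $WindowMinutes min from $($times[$i].ToString('HH:mm'))$suffix"
                break
            }
        }
    }
    $alerts
}

# Usage: each function returns one alert line per suspicious pattern found.
Find-ImpossibleJourney $Events
Find-ImplausibleAccess $Events
Find-FailureBurst $Events
```

On the sample data the first check fires for jsmith (Paris then London within half an hour), the second for mlee (RDP from the Internet late at night) and the third for abrown (a burst of failures followed by a reset). None of these patterns is visible to a password policy, however strict, because every event involves a valid password being tried or used.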

UserLock can alert the administrator to suspicious access events, offering the chance to instantly react by remotely locking, logging off or resetting the appropriate settings.

End-users themselves can also be notified with tailor-made message and alerts – including alerts on their own trusted access. Informed employees are another line of defense.

(Screenshot: credential warning, password may be compromised)

Furthermore, with UserLock, access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.


Protect Active Directory passwords with UserLock

Knowing how prevalent misused credentials are in data breaches, organizations need to offer more security than just a strong Active Directory password policy. No technology can eliminate the chance of an attack, but UserLock will help you minimize the threat of compromised AD credentials.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial