
Security far beyond Active Directory password policy

Active Directory (AD) passwords are easy to compromise. UserLock goes beyond user credentials and password policies to make sure users really are who they say they are.

Published June 4, 2019

A secure Windows network environment requires all domain users to use strong passwords. To help with this, a system administrator can implement password policies that encourage all users to create reliable and secure passwords. Three password policies — maximum password age, password length, and password complexity — are among the first policies encountered by administrators and users alike in an Active Directory domain.

But despite the ability to enforce more restrictive password requirements, any best practice for AD password policy alone isn't enough to prevent compromised credentials.

Credential misuse is key to avoiding detection

The Verizon Data Breach Investigations Report finds that 49% of all data breaches by external actors involve stolen passwords.

And when an attacker uses an employee’s legitimate login and password, your anti-virus, anti-intrusion, firewall, and other technologies are not going to flag anything unusual. Those tools believe that the person accessing your network is exactly who they say they are: an authenticated user with authorized access!

How login credentials are effortlessly compromised

Most credential misuse is caused (at least in part) by your end-users, whether that’s by careless errors, malicious actions or from being exploited by external attacks.

Your organization might have the most robust password policy in place and provide effective security awareness training, but passwords are still effortlessly compromised by the weakest security link of any organization: your own employees.

Common causes of compromised credentials

  • Phishing (user clicks on a link and enters credentials)

  • Password sharing with colleagues

  • Key-logging malware

  • Social engineering (unknowingly handing credentials over to a malicious party by means other than phishing)

  • Duplication (i.e. reuse of corporate credentials on third-party sites for convenience)

  • Hacked database containing user credentials


Data from IS Decisions research with 500 IT Managers

But don’t blame your users for being human

People are, by their very nature, human and are therefore prone to making mistakes, especially when IT is often an afterthought. Careless behavior takes many forms: writing passwords down on a bit of paper, sharing passwords with colleagues, leaving workstations logged in when absent, and logging in from two separate devices and locations at once.

From our research with IT Managers, there seems to be an explosion of cuddly toys in the UK, as a quarter of administrators have seen employees hide a password behind one on their desk.

But it isn’t always an incompetent or ill-prepared member of staff who opens up a company’s data to hackers.

Malicious users are your insiders who have shifted their loyalty from the organization where they work to themselves, and who are engaged in some kind of inappropriate activity (such as hacking, data theft, etc.) that benefits themselves over the organization. Insiders use their own granted access or other compromised accounts to reach data and applications for malicious purposes.

The external attacker is more likely a member of an organized group than a lone actor. These individuals use hacking, social engineering, malware, and many other toolsets to create a way into your network. Once inside, they work to take over one or more sets of elevated credentials to gain greater access and the ability to move about the network in an attempt to identify valuable data. External attacks use user accounts to gain control over endpoints, to move laterally within the network and, ultimately, to acquire targeted access to valuable data.

But rather than blaming your users and insisting on even tighter password policies, organizations need to start better protecting users’ access to the network, even when credentials are compromised.

Verify all network access

When the adversary has valid, authorized passwords, all access attempts need to be verified. The secret to doing this without impeding users is context-aware MFA with a solution such as UserLock.

It helps you to go far beyond Active Directory password policies with specific, granular and configurable logon access rules and monitoring.

Furthermore, it protects everyone within a company — not just the privileged users/administrators, because any account with access to data that is sensitive, privileged, protected, or otherwise valuable is at risk.

Administrators can set the rules as to what constitutes "normal" logon behavior, for example, logins from particular workstations, employee-owned devices, locations, time of day, simultaneous connections or a number of unique access points.

  • If an attacker gets their hands on an Active Directory password, whether it’s a simple one like 123456 or a complex one including a mixture of uppercase letters, numbers and special characters, that attacker won’t be able to use it if the login attempt falls outside of these rules. The system will automatically deny access before damage is done – not only when IT intervenes.

  • Likewise, it can automatically log out an already active session when a user initiates a new session or after a set period of inactivity. Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers simultaneously is eradicated, and the window of opportunity for attackers is narrowed.

(Image: Concurrent sessions allowed)

Choose to alert on suspicious access

There are also warning signs that someone uninvited has breached your network with compromised credentials. These behaviors should ring alarm bells that something’s not right.

For example:

  • Impossible journeys: Simultaneous logins from locations too far apart to make any sense or sequential logins with different credentials being used from one machine.

  • Sudden change in working/office hours: Login attempts from outside normal business hours.

  • Password resets: A repetition of failed login attempts or password resets.

  • Implausible remote access: Login attempts from an unlikely session type, location or device.
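As an added illustration of the business-hours rule above and of the warning signs just listed, the following Python is not UserLock code and evaluates constructed logon events with assumed thresholds (business hours, a maximum plausible travel speed, a failed-logon count):

```python
# Added example, not UserLock code: score constructed AD logon events against
# a business-hours rule and the warning signs listed above.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class Logon:
    user: str
    when: datetime
    lat: float          # approximate location of the source workstation
    lon: float
    success: bool = True

# Constructed sample events: j.doe logs on from Paris, then 30 minutes later
# from New York; b.lee fails three times in a row; m.ray logs on at 03:00.
EVENTS = [
    Logon("m.ray", datetime(2019, 6, 4, 3, 0), 51.51, -0.13),
    Logon("j.doe", datetime(2019, 6, 4, 9, 0), 48.86, 2.35),
    Logon("j.doe", datetime(2019, 6, 4, 9, 30), 40.71, -74.01),
    Logon("b.lee", datetime(2019, 6, 4, 10, 0), 51.51, -0.13, False),
    Logon("b.lee", datetime(2019, 6, 4, 10, 1), 51.51, -0.13, False),
    Logon("b.lee", datetime(2019, 6, 4, 10, 2), 51.51, -0.13, False),
]

def km_between(a: Logon, b: Logon) -> float:
    # Great-circle (haversine) distance between two logon locations.
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def find_alerts(events, hours=(8, 19), max_kmh=900.0, max_failures=3):
    # Returns (user, reason) pairs; thresholds are assumed values, not UserLock's.
    alerts, last_ok, failures = [], {}, {}
    for e in sorted(events, key=lambda x: x.when):
        if not e.success:
            failures[e.user] = failures.get(e.user, 0) + 1
            if failures[e.user] == max_failures:
                alerts.append((e.user, "repeated failed logins"))
            continue
        failures[e.user] = 0
        if not hours[0] <= e.when.hour < hours[1]:
            alerts.append((e.user, "logon outside business hours"))
        prev = last_ok.get(e.user)
        if prev is not None:
            hrs = (e.when - prev.when).total_seconds() / 3600
            # Impossible journey: distance covered faster than any flight could.
            if km_between(prev, e) > max_kmh * hrs:
                alerts.append((e.user, "impossible journey"))
        last_ok[e.user] = e
    return alerts
```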

UserLock can alert the administrator to suspicious access events, offering the chance to instantly react by remotely locking, logging off or resetting the appropriate settings.

End-users themselves can also be notified with tailor-made messages and alerts – including alerts on their own trusted access. Informed employees are another line of defense.

(Image: Credential warning – password may be compromised)

Furthermore, with UserLock, access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.

Protect Active Directory passwords with UserLock

Knowing how prevalent misused credentials are in data breaches, organizations need to offer more security than just a strong Active Directory password policy. No technology can eliminate the chance of an attack, but UserLock will help you minimize the threat of compromised AD credentials.
