AD password policy

Posted on 2013-10-30
Medium Priority
Last Modified: 2013-11-07
Are there any recommended best practices when it comes to domain password policies? Has MS recommended any specific levels for low, medium and high security domains? One of our partners has currently set it at 7 characters minimum length, 90 day maximum age, and no complexity requirement, which to me seems on the weak side. I wondered if there's any guidance in this area?
Question by:pma111
Assisted Solution

JeanPoL earned 336 total points
ID: 39611104
Hi there,

As an IT guy at a bank, from my experience (IT audits, penetration tests and many others) I would suggest going like this:

- Minimum 8 char.
- Strong Password
- 42 Days maximum age
- 0 days minimum
- Enforce password history : 5 passwords remembered

* With this setup, you can get an OK from all IT security standards.

Author Comment

ID: 39611107
Does strong password = enforce complexity?


Accepted Solution

McKnife earned 336 total points
ID: 39611569

> you can get ok from all it security standards
Sorry JeanPol, but what should that mean? The Windows complexity requirements are not really strict, so I wonder which security standards you would fulfil.

I strongly recommend using a 3rd party tool that not only has better complexity enforcement but, much more important, also does dictionary checks.
I recommend Anixis Password Policy Enforcer.

With Windows' own complexity requirements, a password like JeanPol1 would be called complex. McKnife1 would also be complex, and 1DogBarks would be called complex, although they really are not.

Assisted Solution

Sandeshdubey earned 332 total points
ID: 39612165
Enforcing Strong Password Usage Throughout Your Organization

Assisted Solution

by:Rich Rumble
Rich Rumble earned 332 total points
ID: 39615690
Anything below 10 characters is too low, complexity or not:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours (all possible 8 character passwords)
Also, changing passwords often is not as needed as it once was, unless your password length is lower or the password is more sensitive: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html
A document from a M$ researcher says the same.

I do pentests; passwords are the second weakest link in every domain I've been on. Length and not using dictionary words are what keep passwords from being cracked. Complexity doesn't help as much as you think it does; in fact, if you require 4 character classes in an 8 character password, you're hurting your security. Uppercase, lowercase, number and a special character: you've reduced the possible passwords by half.

If you increase that to 9 and use the four possible classes, it's 10% better. You should only require letters, numbers and specials, and you should put the minimum length at 10 or more. If you can get a 3rd party to vet the passwords for easy dictionary words, you should. And you should use the "rockyou.txt" file as the basis for what the users shouldn't be allowed to use :)
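The keyspace argument in the answer above, worked through as an added example (not code from the poster or from any referenced tool). It assumes the 95 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 33 symbols, and derives the guess rate from the page's own figure of all 8-character passwords in about 6 hours; it then shows how much of the keyspace a "must contain all four classes" rule throws away, and how the exhaustive-search time scales with length.

```python
from itertools import combinations

# Assumed split of the 95 printable ASCII characters into the four
# classes Windows complexity talks about (33 symbols incl. space).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95

# Guess rate implied by the linked article: the whole 8-character
# keyspace in roughly 6 hours (page figure, not an independent benchmark).
GUESSES_PER_SECOND = ALPHABET ** 8 / (6 * 3600)


def keyspace(length: int) -> int:
    """All passwords of exactly `length` characters over the full alphabet."""
    return ALPHABET ** length


def keyspace_all_classes(length: int, classes=CLASSES) -> int:
    """Passwords of `length` chars containing at least one char of EVERY class.

    Inclusion-exclusion: for each subset of classes that is entirely
    missing, count the strings over the remaining characters and add or
    subtract depending on the subset size.
    """
    sizes = list(classes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def fraction_all_classes(length: int) -> float:
    """Share of the full keyspace that survives a 'use all 4 classes' rule."""
    return keyspace_all_classes(length) / keyspace(length)


def brute_force_seconds(length: int, require_all_classes: bool = False) -> float:
    """Time to exhaust the (possibly reduced) keyspace at the page's rate."""
    space = keyspace_all_classes(length) if require_all_classes else keyspace(length)
    return space / GUESSES_PER_SECOND


if __name__ == "__main__":
    for n in (8, 9, 10):
        print(f"{n} chars: full keyspace exhausted in "
              f"{brute_force_seconds(n) / 86400:8.1f} days; a 4-class rule keeps "
              f"{fraction_all_classes(n):.1%} of that keyspace")
```

For 8 characters the all-four-classes rule keeps about 46% of the keyspace, which is the "reduced by half" in the answer; every extra character multiplies the search time by 95, which is why length beats composition rules.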

Assisted Solution

Biniek earned 332 total points
ID: 39618774
Hi,

Microsoft has published security recommendations in SCM (Security Compliance Manager).

You can download and install it; in this tool you can find all the security settings recommended by Microsoft (of course password settings as well) in templates, which you can export as a GPO backup and implement in your organization.

In this tool you can find recommendations for all server systems, Windows workstations, Office, SQL, Exchange etc.

In this tool you can also find security guides for Microsoft products and systems, with all the information about vulnerabilities and how to mitigate them.

I would recommend using it.

Assisted Solution

daniel0 earned 332 total points
ID: 39629934
Many articles have been strategised for this, and moreover many applications have been finalised for the same.

The process of rolling out a much needed, updated password policy. “Password Policies can be debated for hours” describes exactly what we are going through with our new roll-out.

Have a look at this documentation

Different passwords for each program/login. All passwords need to meet complexity requirements:

- Minimum 8 characters
- 3 out of 4 of the following required: upper case, lower case, numeric, symbols
- Not a word found in a dictionary, language, slang, etc.
- Not based on personal info
- Not written down or stored locally
- Forced change at least quarterly
- Cannot reuse last 10 passwords

All of this is forced where possible. We have a few programs that don’t enforce history or complexity. For those, we randomly audit.

No biometrics yet, I haven’t seen it to be reliable enough in the laptops I’ve tried.

It’s amazing to me how many users don’t understand why they need a secure password, let alone are forced to change it.

There is also an application for the same, to learn much more.

Please click on the given link for the same.

Expert Comment

by:Rich Rumble
ID: 39630025
Nothing wrong with a written password; I have them, just keep them safe on your person, like in a wallet. A written, complex password you don't have to change, as long as you trust its security. A weak password, one found in the dictionary or easily found using substitution, you do have to change; this is the case for most users. That's why 90 days was established: it's how long brute force of a password used to take on Windows to find every possible combination for an 8 character password. That's less than 6 hours now; increase to 9 and it's around 20 days, increase to 10 and it's about 1 year. Remember that's brute force; there are typically much faster ways to find passwords.
