AD password policy

Posted on 2013-10-30
Last Modified: 2013-11-07
Are there any recommended best practices when it comes to domain password policies? Has MS recommended any specific levels for low, medium, high security domains? One of our partners has currently set it at 7 characters length minimum, 90 day maximum age, and no complexity requirement, which to me seems on the weak side. I wondered if there's any guidance in this area?
Question by:pma111

Assisted Solution

JeanPoL earned 84 total points
ID: 39611104
Hi there,

As an IT guy at a bank, and from my experience (IT audits, penetration tests and many others), I would suggest going like this:

- Minimum 8 characters
- Strong password
- 42 days maximum age
- 0 days minimum
- Enforce password history: 5 passwords remembered

* With this setup, you can get OK from all IT security standards

Author Comment

ID: 39611107
Does strong password = enforce complexity?

Expert Comment

ID: 39611121

Accepted Solution

McKnife earned 84 total points
ID: 39611569

> you can get ok from all it security standards
Sorry JeanPol, but what should that mean? The Windows complexity requirements are not really strict, so I wonder which security standards you would fulfil.

I strongly recommend using a 3rd party tool that not only has better complexity enforcement but, much more importantly, also does dictionary checks.
I recommend Anixis Password Policy Enforcer.

With Windows' own complexity requirements, a password like JeanPol1 would be called complex. McKnife1 would also be complex, and 1DogBarks would be called complex, although they really are not.

Assisted Solution

Sandeshdubey earned 83 total points
ID: 39612165
Enforcing Strong Password Usage Throughout Your Organization

Assisted Solution

by:Rich Rumble
Rich Rumble earned 83 total points
ID: 39615690
Anything below 10 characters is too low, complexity or not: (all possible 8 character passwords)
Also, changing passwords often is not as needed as it once was, unless your password length is lower or the password is more sensitive.
A document from an M$ researcher says the same.

I do pentests; passwords are the second weakest link in every domain I've been on. Length and not using dictionary words are what keep passwords from being cracked. Complexity doesn't help as much as you think it does; in fact, if you have 4 items required in an 8 character password, you're hurting your security. Uppercase, lowercase, number and a special character: you've reduced the possible passwords by half.

If you increase that to 9 and use the four possible classes, it's 10% better. You should only require letters, numbers and specials, and you should put the minimum length at 10 or more. If you can get a 3rd party to vet the passwords for easy dictionary words, you should. And you should use the "rockyou.txt" file as the basis for what the users shouldn't be allowed to use :)

Assisted Solution

Biniek earned 83 total points
ID: 39618774
Hi,

Microsoft has published security recommendations in SCM (Security Compliance Manager).

You can download and install it; in this tool you can find all the security settings recommended by Microsoft (of course password settings also) in templates. You can export them as a GPO backup and implement them in your organization.

In this tool you can find recommendations for all server systems, Windows workstations, Office, SQL, Exchange etc.

In this tool you can also find security guides for Microsoft products and systems, all information about vulnerabilities, and how to mitigate them.

I would recommend using it.

Assisted Solution

daniel0 earned 83 total points
ID: 39629934
Many articles have been strategised for this, and moreover many applications have been finalised for the same.

The process of rolling out a much needed, updated password policy. “Password Policies can be debated for hours” describes exactly what we are going through with our new roll-out.

Have a look at this documentation:

Different passwords for each program/login. All passwords need to meet complexity requirements:

- Minimum 8 characters
- 3 out of 4 of the following required – Upper or Lower case, Numeric, Symbols
- Not a word found in a dictionary, language, slang, etc.
- Not based on personal info
- Not written down or stored locally
- Forced change at least quarterly
- Cannot reuse last 10 passwords

All of this is forced where possible. We have a few programs that don’t enforce history or complexity. For those, we randomly audit.

No biometrics yet; I haven’t seen it to be reliable enough in the laptops I’ve tried.

It’s amazing to me how many users don’t understand why they need a secure password, let alone are forced to change it.

There is also an application for the same, to learn much more.

Please click on the given link for the same.

Expert Comment

by:Rich Rumble
ID: 39630025
Nothing wrong with a written password; I have them, just keep them safe on your person, like in a wallet. A written, complex password you don't have to change, as long as you trust its security. A weak password, one found in the dictionary or easily found using substitution, you do have to change; this is the case for most users. That's why 90 days was established: it's how long a brute force of a password used to take on Windows to find every possible combination for an 8 character password. That's less than 6 hours now; increase to 9 and it's around 20 days, increase to 10 and it's about 1 year. Remember that's brute force; there are much faster ways to find passwords typically.
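The keyspace arithmetic behind Rich Rumble's two points above (mandatory four-class complexity roughly halving the 8-character space, and exhaustive search time growing per extra character) carried through as an added example; this is not code from the thread. It assumes the 95 printable ASCII symbols split into 26 upper, 26 lower, 10 digits and 33 specials, and the guessing rate in `RATE` is a constructed figure for illustration only.

```python
# Added example: inclusion-exclusion over the character classes a policy
# requires, so the "cost" of a complexity rule can be measured rather than guessed.
from itertools import combinations

# Assumed class sizes for printable ASCII (95 symbols in total).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALL_FOUR = tuple(CLASSES)


def keyspace(length: int, required: tuple = ()) -> int:
    """Count passwords of exactly `length` symbols that contain at least one
    character from every class named in `required` (empty = no class rule).

    Inclusion-exclusion: for each subset of required classes that is absent,
    count strings over the remaining alphabet and alternate the sign.
    """
    alphabet = sum(CLASSES.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def fraction_kept(length: int, required: tuple = ALL_FOUR) -> float:
    """Share of the unrestricted keyspace that still satisfies the class rule."""
    return keyspace(length, required) / keyspace(length)


def seconds_to_exhaust(length: int, guesses_per_second: float, required: tuple = ()) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return keyspace(length, required) / guesses_per_second


if __name__ == "__main__":
    RATE = 3e11  # constructed NTLM guessing rate (guesses/s), not a figure from the thread
    for n in (8, 9, 10):
        print(
            f"{n} chars: any={keyspace(n):.3e}  four-class={keyspace(n, ALL_FOUR):.3e}  "
            f"kept={fraction_kept(n):.0%}  "
            f"exhaust@{RATE:.0e}/s={seconds_to_exhaust(n, RATE) / 86400:.2f} days"
        )
```

For 8 characters the four-class rule keeps only about 46% of the 95^8 space, which is the "reduced by half" in the answer; each extra character multiplies the space by 95 regardless of the rule.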
