Solved

Windows 2008 R2 complex password requirements - changing

Posted on 2014-12-02
Last Modified: 2014-12-11
Upper management at our company is not happy with the passwords that users are coming up with/using. They are not secure enough even with password complexity enabled.

The password complexity settings in MS are hit or miss when it comes to getting users to create a secure password:

Contain characters from three of the following four categories:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

We have users doing enough to meet the first 3 requirements 90% of the time. We would like to force the first 4 requirements, but by default there is no way to do that. So we are wondering if there is any way to do this at all? Via schema, via a 3rd party app, etc.?
Question by:iamuser
16 Comments
LVL 53

Expert Comment

by:McKnife
ID: 40476436
There's no built-in way, yet.
Look at Anixis' Password Policy Enforcer: http://anixis.com/products/ppe/
It can do all that and more. It is easy to administer and reasonably priced in my opinion.
LVL 10

Expert Comment

by:Walter Padrón
ID: 40476704
In my experience this kind of password complexity leads to users writing passwords on sticky notes and attaching them to the monitor. Maybe you should use a second authentication method such as a smart card, biometrics, etc. Increased security costs a lot more.

Best regards

Author Comment

by:iamuser
ID: 40476714
It's not my call. Upper management wants this for all users. We have explained it many times over that users are not prone to remember their passwords and that they'll be on Post-it notes.
LVL 10

Expert Comment

by:Walter Padrón
ID: 40476864
You can use a third-party solution or you can create your own password filter.
Here is sample code: http://www.devx.com/security/Article/21522/0/page/4

Best regards

Author Comment

by:iamuser
ID: 40476875
"In order to filter passwords for domain users, you should use the "Domain Security Policy" console on the domain controller machine and install your password filter there."

Right now we are using Fine-grained password policy. We don't want 1 password policy for everyone. Can this work with Fine-grained password policy?
LVL 10

Accepted Solution

by:
Walter Padrón earned 250 total points
ID: 40476937
If you have control over your passwords via a password filter, I guess you don't need Fine-grained policy anymore, because you will need to enforce your password policy in your filter.

A word of caution: security code is hard to implement, and hard to implement well, so for me this is a last resort.

Best regards

Author Comment

by:iamuser
ID: 40476952
The issue is we don't want this to apply to any accounts that we use for services. If we use this then all accounts will be affected, including our service accounts.
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 40476960
iamuser, if I were you, I would be extremely careful with self-made solutions. The link http://www.devx.com/security/Article/21522 says it's for WinNT/2000/XP, while in the article, Server 2003 is mentioned. I was in the same position as you once and tried to implement such a DLL, made by Stanford University. I tried to implement it on Server 2008. Result: no passwords at all were accepted anymore, no matter how complex. After uninstalling the DLL, the problem persisted; the domain (a virtual test lab) was broken, no password changes possible any more!

So you have been warned :)
The Anixis PPE empowers you to use as many policies as you like.

But to answer your question: no, I don't think it would be compatible with fine-grained password policies, as those use the complexity settings of the domain, so it would be one for all.

Author Comment

by:iamuser
ID: 40476969
Ah, okay, the Anixis PPE will allow me to have different policies for different groups of users.
LVL 10

Assisted Solution

by:Walter Padrón
Walter Padrón earned 250 total points
ID: 40477032
As I said before, a self-made security solution can be more insecure than a not-so-complex password, and @McKnife warned you of this too. With a third-party solution you have another kind of problem: you have TO TRUST the third party for password management, and under some IT policies this is not allowed. There is no one solution that fits all.

Best regards
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 40478247
Have a look at my articles here: http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html and here: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
The TL;DR version: Microsoft passwords, if audited in an offline manner, are fast and easy to crack when they are less than 10 characters long. While using digits, specials and upper/lower does technically add entropy, it often ends up just as substitution where e=3 and o=0 etc. That doesn't add entropy against a modern password audit. Length is what it will boil down to for creating a harder password to crack, but not necessarily for a user to remember. I audit passwords and everywhere I go, unless your length is 10 or more, I'll get them, and quickly. I'm not using rainbow tables; I can exhaust the 8 character space in less than 24 hours (thanks to Intel's Xeon Phi).
I advise clients to use 15, as this assures the users aren't going to use one word, especially if you train them BEFORE the change that they should do something like in my first link. After that, auditing the passwords is much harder. That is not to say that a user has a "very strong" password, it could be rubbish... Rubbish12121212 is 15 characters, but that is not a password I can foresee my rules perhaps missing. Anything 8-9 in length, even unprintable characters (alt+255), I'll get in a reasonable amount of time; 48hrs is what I give each audit.
-rich

Author Comment

by:iamuser
ID: 40478984
I'm stuck between a rock and a hard place. I'll bring it up at my meeting with management and see where they want to go. They seem to believe that they know more. God... I hate paper pushers.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40479004
Having a short password (length=8) and requiring all 4 classes (upper, lower, digit, and special) will HURT the password's entropy! If more than 8 it's not as bad, but still has some degradation. Increasing the minimum length helps in all cases.

From my article: If you require all four possible generic policies, at least one digit, one upper, one lower and one special, and the minimum length is eight, you've reduced the guessing by over half. Instead of 6,704,780,954,517,120 possible it's reduced to 3,025,989,069,143,040, which is a 55% reduction when the password is only 8 characters long. The attacker will get your passwords that are 8 characters in half the time, if all things were equal.
http://openwall.info/wiki/john/policy [Effect of password policies on keyspace reduction]
-rich
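Reproducing the two figures quoted in the comment above, as an added example (not code from the thread or from the linked openwall page): 6,704,780,954,517,120 is the cumulative count of all passwords 1 to 8 characters long over the 95 printable ASCII characters, and 3,025,989,069,143,040 is the number of exactly-8-character passwords that contain at least one character from each of the four classes, computed by inclusion-exclusion. The block also gives the like-for-like comparison against unconstrained passwords of the same length and works for any minimum length, so you can see the reduction shrink as length grows.

```python
from itertools import combinations

# Character classes as counted in the thread: 26 upper, 26 lower, 10 digits and
# 33 specials, i.e. the 95 printable ASCII characters.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95


def cumulative_keyspace(max_len, alphabet=ALPHABET):
    """All passwords of length 1..max_len with no composition rule at all."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def all_classes_keyspace(length, classes=CLASSES):
    """Passwords of exactly `length` characters that contain at least one
    character from every class. Inclusion-exclusion over the set of classes
    that are absent: subtract strings missing one class, add back strings
    missing two, subtract strings missing three, and so on."""
    sizes = list(classes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for absent in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(absent)) ** length
    return total


def reduction_vs_cumulative(length):
    """Fraction of the cumulative 1..length keyspace removed by the
    all-four-classes rule; this is how the thread's 55% figure arises."""
    return 1 - all_classes_keyspace(length) / cumulative_keyspace(length)


def reduction_vs_same_length(length):
    """Fraction removed when compared with unconstrained passwords of the
    same exact length (the like-for-like comparison)."""
    return 1 - all_classes_keyspace(length) / ALPHABET ** length


if __name__ == "__main__":
    for n in (8, 10, 12, 15):
        print(n, all_classes_keyspace(n), f"{reduction_vs_same_length(n):.1%}")
```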
LVL 53

Expert Comment

by:McKnife
ID: 40479518
Ok, these details are on password security. There are different approaches to create a safe password and there are different approaches to enforce safe passwords. At the same time one has to know how attacks could be carried out, because without holding something to attack, it's all irrelevant whether it's strong or weak.

In a discussion I had with pentesters that are certified by the German government, they said they would use the following strategy: Length 15 or more (they themselves used 20) and construct a password this way:
Take three words that stand in no logical connection (screw, horse, picture), damage them a little (or use local dialect) and put some special characters and/or numbers in between, result:
skroo#Hooss%picksha9
This is long (20), easy to remember and fast to type. That is their recommended strategy. I started to argue: what if the attacker knows that this is the recommended company pw policy? What if, after all, people are not so creative and mostly just select all-too-common words like mother/house/tele/book/dog/lamp/xbox/iPhone/...? Wouldn't it be possible to construct a very sophisticated dictionary attack? I think it would. And since we cannot prevent dictionary words with Windows' own means, many will end up like
Moon2dogs,howling!!!
So I really recommend using software that does dictionary and similarity checks. Because once a shoulder-surfer-type attacker sees "Moon2dogs,howling!!!" typed once or twice, he has it. And maybe from then on, that user will go on like this and his next password would be
Moon3dogs,howling!!!
... :|
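The dictionary and similarity checks recommended in the comment above, together with the four-class and minimum-length rules from the question, as an added stand-alone Python checker (example code, not the thread's and not any product's; the wordlist, the 15-character minimum and the edit-distance threshold are constructed for the demo). Run against the thread's own samples it rejects Moon3dogs,howling!!! as a one-character increment of the previous password and accepts skroo#Hooss%picksha9.

```python
import re

# Constructed wordlist for the demo (a real filter would load a full dictionary
# plus company-specific terms); matched case-insensitively inside the password.
WORDLIST = {"moon", "dog", "dogs", "howling", "house", "mother", "rubbish"}

CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def missing_classes(pw):
    """Names of the four character classes that do not occur in pw."""
    return [name for name, pat in CLASS_PATTERNS.items() if not re.search(pat, pw)]


def dictionary_words(pw, wordlist=WORDLIST, min_word_len=3):
    """Dictionary words of at least min_word_len characters embedded in pw."""
    low = pw.lower()
    return sorted(w for w in wordlist if len(w) >= min_word_len and w in low)


def levenshtein(a, b):
    """Edit distance; catches 'bump one character' changes such as 2 -> 3."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, previous=None, min_len=15, min_edits=4):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"length {len(pw)} < {min_len}")
    for name in missing_classes(pw):
        failures.append(f"no {name} character")
    words = dictionary_words(pw)
    if words:
        failures.append("contains dictionary words: " + ", ".join(words))
    if previous is not None and levenshtein(pw, previous) < min_edits:
        failures.append(f"fewer than {min_edits} edits from the previous password")
    return failures
```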
LVL 38

Expert Comment

by:Rich Rumble
ID: 40479911
All good points, and this is possible; have a look at hashcat's combinator attack: https://hashcat.net/wiki/doku.php?id=combinator_attack
https://hashcat.net/events/p14/I%20have%20the%20%23cat%20i%20make%20the%20rules_YC.pdf
Straight-up dictionary words are not helping, but the length of all of them is, and leet'ing them doesn't add much either (e=3 and so on). But like I lay out in my articles, using words that are broken or out of place makes this harder: kant-dew-that-2-mi
But based on length alone, Moon2dogs,howling!!! is actually an excellent password. Having a big list of words doesn't give them context, so moon, dogs and howling would have to simply "come up" in the attempt, and would not necessarily be quick to find; there is no weighting that I'm aware of for words that may occur close to one another. A computer doesn't know that moon, dogs and howling are associated with one another. There will be soon, but as of now, I don't know of such work being done by the hacking community.
-rich

Author Closing Comment

by:iamuser
ID: 40493982
Awesome, guys.