AD password complexity group policy

dougdog
I'm running domain level 2012 R2.
I would like to be able to specify the following for domain users' passwords:
stop users using passwords like "Laptop 1" or "company name 1";
at least 2 uppercase, etc.
The group policy complexity does not cover these.
How can I do this?
btan, Exec Consultant
Distinguished Expert 2018

Commented:
You will want to check out the fine-grained password policy (FGPP) to apply to the specific user and security group, since 2012 already supports it at the GUI level, compared to the past using ADSI etc. See this:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-fine-grained-password-policies.html

Also, I do recommend passphrases; see the EE article on choosing a strong passphrase. Also, the mentioned level of complexity should be possible if we consider what is stated in the MS link:
Passwords must contain characters from three of the following five categories:
◦ Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
◦ Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
◦ Base 10 digits (0 through 9)
◦ Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
◦ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx

Overall, we need to manage not going overboard on complexity and set a baseline.
So you may wish to consider the combination below:
◦ Set the minimum length to 16 or higher - Increases the work time for an attacker to break it.
◦ Require a minimum of 1 number and 1 special character - Increases difficulty.
◦ Require upper and lower case - Increases difficulty.
◦ Enforce password history. Make it 10 or 12. - Increases the repeats of the poor user "reuse" habit.
◦ Enforce minimum password age. - Work around several days to deter users from recycling passwords.
◦ Set account lockout after 3 failed attempts. - Have a baseline for lockout duration and reset time.
Distinguished Expert 2018

Commented:
The built-in policies cannot help here since their complexity checks are too loose.
They don't do similarity or dictionary checks, nor do they do keyboard pattern checks, so even if you turn on complexity and require 10 characters, a password like "BugsBunny!" beats that :(
Consider buying http://anixis.com/products/ppe/ it can enforce better policies and is reasonably priced.
Distinguished Expert 2018

Commented:
Unfortunately, fine-grained password policies won't help here. The only way to get what you want here is 3rd-party software that checks the password pre-hash.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Looks like more work than what MS stated. I meant the depth required will be covered through the password filter DLL, which is another nice way to implement custom requirements for passwords. There is this filter DLL that is hooked for override with your needs, but it looks like if you want to avoid development then the vendor-supplied one is the way forward.
https://msdn.microsoft.com/en-us/library/ms721878.aspx

Then, to add on, nFront is another good candidate; see how it compares to the existing DLL of the Windows default.
http://nfrontsecurity.com/products/nfront-password-filter/nFrontPasswordFilterVSWindows2008.php

Author

Commented:
We have used Anixis before but need something that works alongside our password reset tool.
Distinguished Expert 2017

Commented:
The password complexity can be set to a combination of three out of five: one capital, one lower, one numeric, one symbol, and the length of the password longer than X.
You would need to use third-party tools, as mentioned, to add validation/mask to the password changing mechanism.

Making it clear to the users that weak passwords, when compromised, reflect on them as the one whose account was used and ...
Distinguished Expert 2018

Commented:
"need something that works alongside our password reset tool" - could you please explain what your password reset tool has to do with the password policies? Password reset tools should not be able to circumvent the policies that anixis enforces, or was it?
harold mcmullen, network tech

Commented:
From GP: "Computer Configuration", "Windows Settings", "Security", "Account Policies", "Password Policy"

Right-click on: "Password must meet complexity requirements"

This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
Default:
Enabled on domain controllers.
Disabled on stand-alone servers.

Author

Commented:
When users reset their password, it needs to be reset using the company policy.
So if I have Anixis Password Enforcer, which is set up to force users to use 4 uppercase etc., and the user uses the password reset tool, which is unable to work with the Anixis enforcer, it will not be able to enforce the 4 uppercase etc.

Author

Commented:
McKnife is correct here: the built-in Windows policy will not enforce this as it is too basic.
Anixis will, but will not work when the user resets their password.
Distinguished Expert 2018
Commented:
@dougdog: users cannot reset their passwords. Reset = change without confirming the old pw. Only admins may do that. The Anixis software (we run it) has an option to enforce itself even when admins reset.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
You may want to check out nFront Security as I shared in my previous post. Here is a glimpse of another of its examples: http://nfrontsecurity.com/products/nfront-web-password-change/

Author

Commented:
I mean a self-service password reset portal.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Handle it in code for the portal. The nFront Security one is a web form, though.
Distinguished Expert 2017

Commented:
Self-service should mean, as btan pointed out, that you can enforce the password complexity requirement at the time of submission: validate on input in the portal when it is used.
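As an added example (not code from this thread, nor from Anixis, nFront or Microsoft), here is the kind of pre-hash check that btan's password filter DLL or the portal-side validation would need to run: the built-in three-of-four rule quoted above beside the asker's custom rules (2 uppercase, deny-listed words). It assumes a constructed deny-list with "contoso" standing in for the company name; the real Windows export is PasswordFilter taking PUNICODE_STRING arguments, which this portable C omits.

```c
/* Added example (not code from the thread or any vendor): the kind of
 * pre-hash checks a custom password filter DLL (the MSDN PasswordFilter
 * hook btan links) or a self-service reset portal would run. Portable C;
 * the real Windows export takes PUNICODE_STRING args from <ntsecapi.h>. */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed deny-list: a stand-in company name and the device words the
 * asker wants blocked ("Laptop 1", "<company> 1"), matched case-insensitively. */
static const wchar_t *const kBanned[] = { L"contoso", L"laptop", NULL };

/* Case-insensitive substring test on wide strings. */
static bool contains_ci(const wchar_t *hay, const wchar_t *needle) {
    size_t n = wcslen(needle), h = wcslen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && towlower(hay[i + j]) == towlower(needle[j])) j++;
        if (j == n) return true;
    }
    return false;
}

/* The built-in GP rule quoted in harold's post: no account name, >= 6 chars,
 * three of four character classes. Too loose for the asker's needs. */
bool meets_builtin_complexity(const wchar_t *pw, const wchar_t *account) {
    int up = 0, lo = 0, dg = 0, sym = 0;
    size_t len = wcslen(pw);
    if (wcslen(account) > 2 && contains_ci(pw, account)) return false;
    for (size_t i = 0; i < len; i++) {
        if (iswupper(pw[i])) up = 1; else if (iswlower(pw[i])) lo = 1;
        else if (iswdigit(pw[i])) dg = 1; else sym = 1;
    }
    return len >= 6 && up + lo + dg + sym >= 3;
}

/* The asker's custom rules: at least 2 uppercase, a 16-char minimum
 * (btan's baseline) and nothing from the deny-list. */
bool meets_custom_policy(const wchar_t *pw) {
    size_t len = wcslen(pw);
    int up = 0;
    for (size_t i = 0; i < len; i++) if (iswupper(pw[i])) up++;
    if (len < 16 || up < 2) return false;
    for (const wchar_t *const *b = kBanned; *b; b++)
        if (contains_ci(pw, *b)) return false;
    return true;
}
```

"BugsBunny!" and "Laptop 1" both pass the built-in rule and both fail the custom one, which is the gap McKnife describes.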
