dougdog asked:
AD password complexity group policy

I'm running domain level 2012 R2.
I would like to be able to specify the following for domain users' passwords:
stop users using passwords like "Laptop 1" or "company name 1";
at least 2 uppercase, etc.
The group policy complexity setting does not cover these.
How can I do this?
btan

You will want to check out the fine-grained password policy (FGPP), which you can apply to specific users and security groups; 2012 already supports it at the GUI level, compared to the past when you had to use ADSI etc. See this:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-fine-grained-password-policies.html

Also, I do recommend passphrases; see the EE article on choosing a strong passphrase. The mentioned level of complexity should also be possible if we consider what is stated in the MS link:
Passwords must contain characters from three of the following five categories:
◦ Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
◦ Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
◦ Base 10 digits (0 through 9)
◦ Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
◦ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx

Overall, we need to avoid going overboard on complexity and set a baseline.
So you may wish to consider the combination below:
◦ Set the minimum length to 16 or higher - increases the work time for an attacker to break it.
◦ Require a minimum of 1 number and 1 special character - increases difficulty.
◦ Require upper and lower case - increases difficulty.
◦ Enforce password history; make it 10 or 12 - counters the poor user habit of password "reuse".
◦ Enforce a minimum password age - around several days, to deter users from recycling passwords.
◦ Set account lockout after 3 failed attempts - have a baseline for lockout duration and reset time.
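The baseline listed above, expressed as a fine-grained password policy with the ActiveDirectory PowerShell module. This is an added example, not code from the thread: the PSO name, the target group, the one-year maximum age, the 30-minute lockout window and the sample user "jdoe" are assumptions. FGPP subjects must be users or global security groups, and where a user is covered by several PSOs the one with the lowest Precedence value wins.

```powershell
# Added example (not from the thread). Names, durations and 'jdoe' are assumptions.
Import-Module ActiveDirectory

$policyName  = 'PSO-Standard-Users'   # assumed PSO name
$targetGroup = 'Domain Users'         # must be a user or a global security group

# Baseline from the post above: 16+ characters, complexity on, history 12,
# 1-day minimum age, lockout after 3 failures, 30-minute lockout/reset window.
$pso = @{
    Name                        = $policyName
    Precedence                  = 100     # lower value wins if a user is in several PSOs
    ComplexityEnabled           = $true
    MinPasswordLength           = 16
    PasswordHistoryCount        = 12
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)   # assumption; must exceed MinPasswordAge
    LockoutThreshold            = 3
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # must not exceed LockoutDuration
    ReversibleEncryptionEnabled = $false
}

# Create the PSO once, then bind it to the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Verify what a given user actually ends up with. If no PSO applies, the
# Default Domain Policy values are returned instead.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, PasswordHistoryCount,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration
```

Note what this does and does not change: FGPP lets you raise length, history, age and lockout per group, but ComplexityEnabled still invokes the same built-in "three of four categories, no name fragments" check, so it cannot enforce a minimum number of uppercase letters or reject company-name or dictionary passwords on its own.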
The built-in policies cannot help here since their complexity checks are too loose.
They don't do similarity or dictionary checks, nor do they do keyboard pattern checks, so even if you turn on complexity and require 10 characters, a password like "BugsBunny!" beats that :(
Consider buying http://anixis.com/products/ppe/ - it can enforce better policies and is reasonably priced.
Unfortunately, fine-grained password policies won't help here. The only way to get what you want here is third-party software that checks the password pre-hash.
Looks like more work than what MS stated. I meant the depth required will be covered through a password filter DLL, which is another nice way to implement custom requirements for passwords. There is this filter DLL that is hooked to override with your needs, but it looks like if you want to avoid development then vendor-supplied is the way forward:
https://msdn.microsoft.com/en-us/library/ms721878.aspx

Then, to add on, nFront is another good candidate; see how it compares to the existing DLL of the Windows default:
http://nfrontsecurity.com/products/nfront-password-filter/nFrontPasswordFilterVSWindows2008.php
dougdog (ASKER):
We have used Anixis before but need something that works alongside our password reset tool.
The password complexity can be set to a combination of three out of five: one capital, one lower, one numeric, one symbol, and the length of the password longer than X.
You would need to use third-party tools, as mentioned, to add validation/masks to the password-changing mechanism.

Making it clear to the users that weak passwords, when compromised, reflect on them as the person whose account was used and .........
"need something that works alongside our password reset tool" - could you please explain what your password reset tool has to do with the password policies? Password reset tools should not be able to circumvent the policies that anixis enforces, or was it?
From GP: "Computer Configuration", "Windows Settings", "Security", "Account Policies", "Password Policy"

Right-click on "Password must meet complexity requirements":

This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
◦ Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
◦ Be at least six characters in length
◦ Contain characters from three of the following four categories:
  ◦ English uppercase characters (A through Z)
  ◦ English lowercase characters (a through z)
  ◦ Base 10 digits (0 through 9)
  ◦ Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
Default:
◦ Enabled on domain controllers.
◦ Disabled on stand-alone servers.
dougdog (ASKER):
When users reset their password, it needs to be reset according to the company policy.
So if I have the Anixis password enforcer, which is set up to force users to use 4 uppercase etc., and the user uses the password reset tool, which is unable to work with the Anixis enforcer, it will not be able to enforce the 4 uppercase etc.
dougdog (ASKER):
McKnife is correct here: the built-in Windows policy will not enforce this as it is too basic.
Anixis will, but will not work when a user resets their password.
ASKER CERTIFIED SOLUTION
McKnife (Germany)
You may want to check out nFront Security, as I shared in a previous post. Here is a glimpse of another of its examples: http://nfrontsecurity.com/products/nfront-web-password-change/
dougdog (ASKER):
I mean a self-service password reset portal.
Handle it in code for the portal. The nFront Security one is a web form, though.
Self-service should mean, as btan pointed out, that you can enforce the password complexity requirement at the time of submission: validate on input in the portal when it is used.
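What such a check looks like when written out, as an added example that is not code from the thread, from Anixis, nFront or Microsoft. It covers both the custom rules that a password filter DLL would implement on the domain controllers (the MSDN link in btan's post above) and the input-side validation a self-service portal should run before it submits the reset. The rule set follows the asker's wording: 16 or more characters, at least two uppercase letters, a digit and a symbol, no banned words such as "laptop" or the company name even with leet-style substitutions, no fragments of the user's name, and no keyboard or sequence runs. The banned-word list, the "contoso" company name and the user "jdoe" / "John Doe" are assumptions, and the candidate passwords at the end are constructed for the demonstration.

```powershell
# Added example, not code from the thread or from any vendor it names.
# Banned words, 'contoso' and the sample user are assumptions.

function Test-CustomPasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string]   $DisplayName  = '',
        [int]      $MinLength    = 16,
        [int]      $MinUppercase = 2,
        [int]      $MinDigits    = 1,
        [int]      $MinSymbols   = 1,
        # Assumed list; a real deployment loads a much larger dictionary.
        [string[]] $BannedWords  = @('laptop', 'contoso', 'password', 'welcome', 'summer', 'winter')
    )

    $failures = New-Object 'System.Collections.Generic.List[string]'

    # 1. Length and per-category minimums (stricter than the built-in 3-of-4 rule).
    if ($Password.Length -lt $MinLength) { $failures.Add("fewer than $MinLength characters") }
    $chars   = $Password.ToCharArray()
    $upper   = @($chars | Where-Object { [char]::IsUpper($_) }).Count
    $digits  = @($chars | Where-Object { [char]::IsDigit($_) }).Count
    $symbols = @($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count   # spaces count as symbols
    if ($upper   -lt $MinUppercase) { $failures.Add("fewer than $MinUppercase uppercase letters") }
    if ($digits  -lt $MinDigits)    { $failures.Add("fewer than $MinDigits digits") }
    if ($symbols -lt $MinSymbols)   { $failures.Add("fewer than $MinSymbols symbols") }

    # 2. Dictionary check on a normalised form: lower-case, undo common leet
    #    substitutions, then drop everything that is not a letter, so that
    #    "Laptop 1" and "C0nt0so-2015!" still contain "laptop" / "contoso".
    #    Note '1' is mapped to 'l' only; words spelled with '1' for 'i' are not caught.
    $leet = [ordered]@{ '4'='a'; '@'='a'; '3'='e'; '1'='l'; '!'='l'; '|'='l'; '0'='o'; '$'='s'; '5'='s'; '7'='t' }
    $norm = $Password.ToLowerInvariant()
    foreach ($k in $leet.Keys) { $norm = $norm.Replace($k, $leet[$k]) }
    $norm = $norm -replace '[^a-z]', ''
    foreach ($word in $BannedWords) {
        if ($norm.Contains($word.ToLowerInvariant())) { $failures.Add("contains banned word '$word'") }
    }

    # 3. Fragments of the account name / display name of 3+ letters, the same
    #    idea as the built-in "parts of the user's full name" rule.
    $nameTokens = ((@($SamAccountName, $DisplayName) -join ' ') -split '[^A-Za-z]+') |
        ForEach-Object { $_.ToLowerInvariant() } | Where-Object { $_.Length -ge 3 }
    foreach ($token in $nameTokens) {
        if ($norm.Contains($token)) { $failures.Add("contains part of the user's name '$token'") }
    }

    # 4. Keyboard rows and alphabetic/numeric sequences, forwards and backwards;
    #    any 4-character run counts ("qwer", "4321", "abcd").
    $rows  = @('qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890', 'abcdefghijklmnopqrstuvwxyz')
    $lower = $Password.ToLowerInvariant()
    foreach ($row in $rows) {
        foreach ($seq in @($row, (-join $row[($row.Length - 1)..0]))) {
            for ($i = 0; $i -le $seq.Length - 4; $i++) {
                $run = $seq.Substring($i, 4)
                if ($lower.Contains($run)) { $failures.Add("contains keyboard/sequence run '$run'"); break }
            }
        }
    }

    # The candidate itself is deliberately not included in the result object.
    [pscustomobject]@{
        Passed   = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
    }
}

# Constructed candidates, including the thread's own "BugsBunny!" example.
$cases = @(
    @{ Password = 'Laptop 1';                      Sam = 'jdoe'; Name = 'John Doe' },
    @{ Password = 'BugsBunny!';                    Sam = 'jdoe'; Name = 'John Doe' },
    @{ Password = 'C0nt0so-Spring2015!!';          Sam = 'jdoe'; Name = 'John Doe' },
    @{ Password = 'Qwerty12345678!!Doe';           Sam = 'jdoe'; Name = 'John Doe' },
    @{ Password = 'Copper Kettle Whistles At 7pm'; Sam = 'jdoe'; Name = 'John Doe' }
)
foreach ($c in $cases) {
    $r = Test-CustomPasswordPolicy -Password $c.Password -SamAccountName $c.Sam -DisplayName $c.Name
    '{0,-32} {1,-6} {2}' -f $c.Password, $r.Passed, ($r.Failures -join '; ')
}
```

Two practical points. First, a password filter DLL is native code loaded into LSASS on every domain controller, so the production version of these rules is written in C/C++ against the PasswordFilter export; the PowerShell form above is for the portal and for testing the rule set before you commit it to a DLL. Second, the LSA consults a registered filter for resets as well as for user-initiated changes (the SetOperation flag tells the filter which one it is handling), so a reset made through a portal that writes to the DC still goes through the filter; the portal-side check exists so the user gets a readable error before the DC rejects the value.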