Granular Password Policies for different users in Same AD Domain
Articles,  Blog

Granular Password Policies for different users in Same AD Domain


well good afternoon to most of us on this webinar for those of you that are a little bit later good evening and for those little bit earlier good morning and no matter where you are i just want to extend a warm welcome and thank all of you for spending a little bit of time with us today with the active directory solutions team here advantage engine over the years I have spent a tremendous amount of time talking about password policies educating administrators and auditors on exactly how the microsoft password policy works and throughout those years I constantly get questions around having different password policies in the same domain and I am extremely excited about this particular webinar allowing you to have another solution and providing that level of access so this should be a very informative and very engaging webinar and hopefully it’s beneficial to you a little bit of more information about me my name is Derek member and i am the technical evangelist for the active directory solutions team managed engine and what that means is I get the opportunity to travel the world really helping organizations and administrators understand Active Directory better and then become more efficient and actually secure their environment more to try to reduce the attack surface from the attacks are going on we did have a 20-16 world tour you see some of the cities in some of the countries there that i have been to and it was a very engaging and and successful year for our seminars and with that we will be having a 20-17 world tour as well so please keep your eye out for us coming to a city near you i hope that you have the opportunity to come and introduce yourself to us and and just sit down and have a talk about active directory i do also want to point you to some resources that is my email address you also probably have an email address for the events team the Active Directory solutions events team and please email me email anyone here with any questions you have around Active Directory group policy security really anything around windows and we’d be more than happy to try to tackle that for you or try to find you a solution being an active directory MVP myself i’m able to contact some of my other colleagues in the active directory and group policy world and if I don’t know the answer certainly someone out there knows the answers we can get you answers i also want to point you to a couple of resources that we have available here we do some cleanup here if you go to manage engine com and you come over here to community you will see that we have some blogs and very first blog alphabetically is active directory and this blog is really dedicated to you the Active Directory administrator and what we try to do is we try to get you information that is hot hot topic or a topic of question for Active Directory administrators around the world so as I tour the world i take questions and I put them into a blog so you’ll see here that we have information about automation about cloud and information about security with group membership more automation and so we really try desperately to get you information in different formats and that blog is a hundred percent free for you to come and get the information another fantastic resources are security hardening site and to get to our security hardening site it’s a little bit confusing but if you come to our main landing page manage engine com and you click on active directory you’ll see a drop-down appear in the lower right hand corner of this drop-down is our security hardening site and the security hardening site is full of a mate is information that really allows you to know where to set up security and what you need to pay attention to with regard to your windows servers your domain controllers in active directory itself and each of these areas of security have little blogs and videos you can come in and you can see exactly what you need to do in those particular areas so we really have some excellent resources out there for you and again this particular website is absolutely free for you to come and consume information so those are some very good resources that you have available to you and we hope that you can come and partake in some of that information i can guarantee you without a doubt that security Harding site has information in one location that you I don’t know if you could find it throughout the internet but it’s in one location for you and its really myself and the entire team the last 10 years of our experience with security and active directory and that’s what that site is all about so please come and get the information but today we’re talking about passwords and with passwords what I want to do is I want to start at the beginning I want to work our way through there are still after 17 years of active directory still can confused administrators with regard to how the password policy works so what I want to do is I want to go in talk about the password policy break down the details and then work through how the password policy is deployed so that we all have a complete understanding and then I want to talk about some different password attack strategies and really what we need to have in place for those so let’s first of all talk about just the password policy details now instead of just showing slides jump into the operating system here and let’s look at it in real-time now what I’m going to do first and foremost is I’m going to come over here and I’m gonna go to the group policy management console and what I’m going to do is I’m going to open up the default domain policy which is where the default password policy is configured and here under my security settings account policies password policy you have this password policy now this password policy was initiated to be this configuration starting windows server 2003 sp1 and it was 2003 sp1 or Microsoft first initiated that a password was even required for Active Directory users so this is what Microsoft has in place and it’s been this way really for what 14 years now and hasn’t changed um and and these are the settings that we have to control the password for microsoft technologies now of course these are pretty obvious let’s walk through them password history is going to remember X number of passwords that you input and you can’t reuse them so the default is 24 so that means in essence you can’t use a password more you can’t reuse a password until after like two years ok the maximum password ages 42 days now I truly believe and I spent a lot of time thinking about this where the 42 comes from seems kind of arbitrary but really if you think about it a typical month is around for weeks for weeks is 28 days and then Microsoft by default gives users 14 days to reset their passwords so 28 plus 1442 I think basically microsoft is saying you can have your password for a month and then you have two weeks to changes so you have about a month-and-a-half where you can have a password and then of course this is by default in order for users not to be able to cycle through 24 unique passwords to get to the original one microsoft put in the minimum password agent set it to one day so that users can come in and cycle through those of the minimum password links 7 characters and has been seven characters forever you know there’s there’s many debates on whether it should be seven weather should be aight i think once I show you some of the hacking technologies a little bit later in the session it really doesn’t matter if it’s seven or eight or even ten the new technologies can break into those but really the seven or eight characters was all backward looking at land manager hashes and how the land manager hash was actually developed and because there’s 27 character portions some people thought they went into the second portion of the land manager hash that was more secure which is completely fictitious based on how the land manager hash is developed but anyway that kind of gives you a bit of background on that restoring the password reversible encryption i have never seen that enabled or seen the need to enable that it is disabled by default and then of course we have complexity requirements now complexity requirements has a full list of things that actually implements for example it has a minimum password length of six characters you can’t use your username you can’t use your logon name you have to use three of the four types of characters and if you want the actual details on this here is the list of everything that is associated with the password complexity the password complexity is not customizable so whatever you get in this particular list is what is there you can’t remove you can add it is what it is unless of course you go into some other technologies to try to increase that so this is what we have by default and for a newly installed Active Directory this is what is put in place for all domain users as well as all local users on computers where the computers join the domain ok so the way this works in terms of the default password policy in the default domain policy is that the default domain policy for your domain controllers is what is configuring your domain controllers Active Directory database so your domain users are in the Active Directory database and by default the default domain policy controls the password policy for those users as computers join the domain and it doesn’t matter where the computer is in the domain nou a container it doesn’t matter the password policy from the default domain policy also affects those local databases of users is called the Sam security accounts manager so when you install Active Directory out-of-the-box and you join computers to active directory every single user has the same password policy so by default the password policy is configured by the default password policy in the default domain policy okay but you need to understand how it works from there so let’s walk through some different scenarios let’s say that I have some executives right so let’s go into active directory here so here’s the backup directory users and computers i have some executives bill and Ron and I want these users to have a more complex and more stringent password policy now if i go back to group policy here and I go to the executives oh you and I create and Link it gpo here and I call it the exec password policy and then I go into the exact password policy and I modify the password policy here right and let’s say that I make the minimum password length 14 characters ok this setting will not affect these users so let me run through that again because I know it’s a little confusing but i have to jump into different to different windows i have users inside of a know you that oh you can have a gpo link to it and in that gpo I can have step at once configured but these settings in the GPO link to do you do not affect the users in do you now for some of you that are on this webinar this may be new information to you but this is how it works and it’s always worked this way ok now let me prove to you that these users will not receive the settings in a gpo linked to that oh you gpo settings can effect two types of objects right computers and users the password policy the edge you see here in the path is a computer-based policy not a user based policy so the settings in the GPO for your password policy can only affect computer accounts back here these are user accounts ok so by default out-of-the-box you can have one password policy per domain and you cannot configure the password policy in a gpo to affect domain users ok now that we have that out of the way let’s talk about what this gpo actually does this gpo link to this so you will configure the computers in the owe you so if i had a computer in the show you this gpo and these password policies we configure the local users in the local Sam on those computers in that oh you overriding the password policy that’s linked to the domain ok so I the default domain policy but if i have a gpo link to know you it has higher precedence than the domain policy for computers that are in the oh you remember the acronym for group policy application is l SD you local site domain organizational unit so the oug POS have higher precedence than the domain gpo’s so again you’re probably thinking we’ll wait a minute can’t I link a gpo here to affect my domain controllers because the domain controllers house active directory no you can’t it doesn’t work that way only gpo’s linked to the domain can configure the domain controllers password policy ok now if any of you have debate on that I strongly encourage you to test it I’ve tested this over and over again 17 years ago trust me and I tested all the time it’s not going to change this is the way it works okay now one of the things that i highly recommend everyone on this webinar do when you’re done with this webinar is to go verify what your current password policy is for domain users you cannot do that by going to a settings report here for the default domain policy and let me tell you why the password policy doesn’t have to be in the default domain policy so here’s the default domain policy this is a built in tool which i’m going to suggest you run a sec pld messy and you run it on a domain controller to verify what the actual password policy is you will notice that this is what’s in the default domain policy and this is what is actually in place for my domain users notice the mismatch so the correct way for you to verify what the current password policy is is to run second pole sec pol mmm see on one domain controller per domain ok you can also run that command on your servers in your desktops to make sure you know what the password policy is for the local users and no Sam’s on those computers so far what we’ve discussed is all the settings how the password policy applies and the fact that we cannot have more than one password policy in the domain using group policy ok so now that we’ve got past that let’s move on and let’s talk about fine-grain password policies fine-grain password policies were first introduced and windows server 2008 so if you have windows server 2008 domain controllers you can implement fine-grain password policies fine-grain password policies are not implemented with group policy fine-grain password policies are implemented using add edit or if you have server 2012 r2 domain controllers you can use the new administrative console which most people don’t have which is why I really don’t show it yet ok now under at sea edit if you go to the domain naming context which is really active directory and you come down here you can see an option for system and then password settings container this password settings container is your fine grain password policies and this is where you can create a new object and this becomes your fine during password policy this wizard is going to walk you through the same settings that you have here inside of a normal password policy it’s just going to be implemented in a totally different way so the way that you use fine-grain password policies is you set up a password setting container object ok once you have the object set up you then go into the properties of that object and you’re going to modify the security of that object now this is after its created and you must give the correct group access to that password setting container so i can have multiple password settings containers in the same domain and they are implemented through group membership not through OU’s through groups confusing yeah I know it’s kind of the problem of using this technology so now it becomes very complicated right because i have set Paul over here telling me what my password policy is then I have password settings container how do you know who has what particular setting well Microsoft does provide some PowerShell commands for this but i moving too sure oh you how clumsy they are so if i do get help on fine right you’ll notice that i have get ad fine-grain password policy a well I don’t know which one of these is i don’t know i don’t even know what the rest of the sets so it really gets a little confusing so i recommend that you get a tool if you have fine grain pass for policies you need to get a tool that allows you to see who has what policy in place now our tooling 80 managers one of those tools and i’m just gonna show you what it looks like so if i come in and do a report on users and i generate this I can go and I can add or remove a column for the PSO that’s applied this is the password settings object if there is no password setting object applied its getting the default password policy from Group Policy whichever gpo link to the domain that is configured it whatever sec paul tells if it’s a PSO applied then you have to go into that PSO that fine grain password policy to see what the settings are inside of that so it’s a little confusing with the way that Microsoft to set this up by default so using microsoft technologies we can obtain multiple password policies in some same domain but only implemented at the group level not based on euro you structure but what we need to consider is whether or not the settings that are actually inside of a Microsoft password policy is even enough right so if i go back to my a past were policy go back here these settings were developed back in the year 2000 well Microsoft has an updated anything for password attacks at all so we don’t have the right technology to help against password attacks heck it was only a couple years ago the microsoft even gave us more control over land manager so what we need to do is consider the new attacks that are here so the Pettitte password attack strategies have changed so we need is we need technologies to help meet them well what strategies are in place let me kind of give you a summary of that so I have a tool here called cane and Cain is a very powerful tool that allows for password cracking and you’ll notice that i have passions here and that if I have certain hashes i can go in and do dictionary attacks brute force attacks and I can even do rainbow table attacks so i have to be able to compete against these technologies but each of these technologies has a way to combat it let’s talk about each dictionary attacks how do we be dictionary attacks well if someone is using a dictionary to attack my passwords all we need to do as an organization is don’t allow users to use words that are new dictionary right seems easy enough and i’m not talking about the Webster’s dictionary i’m talking about an attack dictionary which you can download from the internet not just won multiple so if we can deny users from using dictionary words this attack goes away brute force attacks or brute force attacks are really based on the fact that you can use a multitude let me go down here and show you what this looks like a multitude of characters right here’s all the characters you can put the password lowercase uppercase number and special and I can use permutations of all these characters in the minimum maximum length to develop an attack so let’s say for example that I go and say alright I’m going to look at upper case lower case number from seven down tonight and when I start this attack you will see that it’s taking the combination of characters from the character space and its trying to basically develop the hash to see if i can know what the password is but the most important thing about a password and beating brute force attacks length so notice i have a complex password suite of characters and it’s going to take me 1400 years with the hardware i have to try to break into a 79 character password watch this if I move it to simply lower case alpha no complexity but I up this 20 characters it now is going to take 2 times 10 to the 15 years to break into it that’s a long time so you notice that the length is the most important aspect of your passwords so what I’m trying to get at here and getting multiple past words in the same domain is those users that need better protection need longer passwords versus the users that have access to less important information so IT executives developers HR finance all these people need to have longer passwords to help beat against these technologies now the NTT group earlier this year at RSA came out with a really good white paper if you email me you have my email address i’ll be more than happy to send you a link to the white paper because they actually went through and they analyze all the concepts around passwords breaking down what normal users use for passwords so that we can alter that to make our passwords stronger so the password detect technologies are out there and what we need to do is we need to combat against them ok so what we need is we need solutions that allow that allow our users and our organization to be protected against these things so if we take some of the password attack strategies and we put them in place then we’re going to have better passwords and if we can have multiple password policies in the same domain now we can have the correct users having stronger passwords than any other use so how do we do that we can’t use Microsoft Technology because they don’t own it so let me show you a technology that actually allows you to do this this is a brand new feature in Active Directory ad self-service plus now an 80 self-service plus we provide you more control now i’m going to jump in here 280 self-service plus and i’m going to first of all talk through how you set this up and what options are available ok now the way that 80 self-service plus words is you’re able to configure what are called policies will notice them here and policies are defined based on oops wrong button based on 0 your group ok so i can define based on one or more Oh use a policy ok so you’ll notice that i have a domain policy and I have a specific policy named RSA right once i have the policy configured we have this awesome new feature called password policy and Forrester and the enforcer allows you to have more control over passwords and you implement them through the policy which goes back to the oh you level so this is where we can match having password paulo sees for users in no use this is how we match that and because our policies can have more than 10 you right i can select more than 10 you i can actually have fewer password policies that if i try to use Microsoft Technology so it’s more efficient and it’s more secure as I said at the beginning that’s what I try to do is I try to make things more efficient more secure so you’ll notice that we have currently additional settings beyond with Microsoft provides so we have password link that can go above the seven we have password length that control special types of characters so you can read it yourself here on what we have plus we have the ability for you to input certain words right so this is going to deny the user from using any password that contains any of these particular words now our newest version which is coming out this month our newest version of this tool instead of you having to type in the patterns you’re going to be able to right-click and import a dictionary fantastic also we’re going to have other controls beyond this such as you’re not going to allow your users to use consecutive passwords password one password to password three so we’re giving you more control over the passwords at this level so the way the Tool Works is any setting that’s in here that is above that of the default domain policy the domain password policy or fine-grain password policies this is going to take ownership that’s why it’s called an enforcer we’re actually putting a layer on top of what Microsoft hats so you can have a base foundation through active directory or through fine grain password policies and then we come in and we add on top of it not only do we add on top of it for users and no use we also no matter who tries to reset or change the password even if they go into Active Directory users and computers to do it we are going to control that users enforcement so even though an admin comes in here and reset the password for a user it will go to 80 cell service plus to ensure that password hasn’t been enforced are made stronger so now you have a solution Katie cell service plus allows you to have multiple password policies in the same domain configured at the oh you level if you want to do it at the group level remember you can do that because back here we give you either or option so now you have a rock solid solution for multiple password policies in the same domain giving you the flexibility at do you for a group and you have some amazing new controls beyond what Microsoft has provided so that we can actually defend against today’s attacks on passwords not the attacks from 17 years ago so we’re giving you the solution with a t-cell service plus now with 80 self-service plus what’s awesome for you also is if you simply go to our main page right and you click on active directory and you go to identity management identity password management you can download a t-cell service plus for absolutely free you can use it for 30 days what I want you to do is I want you to see how easy it is to put this in place once you get it in place of course you’re going to put in a test environment but now you can see the power of controlling passwords in the same domain for different types of users so one that does that walks you through kind of the legacy but it’s really not legacy because it’s what’s in place today for Microsoft using Microsoft Technology trying to implement group policy for password policies you can only have one password policy per domain yes you can go to find grain password policies but it’s a totally different type of technology it’s very difficult to actually see who has what policy so with a t-cell service plus you know exactly who has what particular policy in place because it’s based on the policies in 80 self-service plus you also have more in-depth granular control of the passwords so that you can strengthen that password to actually defend against password attacks so this gives you a rundown of what you have now I strongly encourage you to go run set Paul and find out what you have in place today test out the different technologies of microsoft has and then test out our technology so that you can increase the password for those users that need I’ve given you the secret decoder on how to get our product and use it for free for 30 days if you need for a little bit of extra I’m sure that you can twist our arms and get it for you know if you want to do a proof of concept across multiple domains you know will give you 45 60 days because we want you to be successful and making sure you’re securing your environment so hopefully you’ve been able to get some information from our webinar if you have any questions around this or other topics that again is my email you have the email for events team for those of you that have been asking questions along the way I noticed there are quite a few questions we’ve actually had some other members of the 80 solutions team in the background helping with those and I want to thank them I want to thank you for asking and I want to thank them for helping me as I chitchat along answering your questions if we didn’t get to a question we will answer you an email for that if you have any questions after this please email us it’s one of our goals to make sure that we can get active directory administrators answers your questions answered as much as possible so please reach out to us I hope you really enjoyed the webinar we will be having webinars throughout the rest of this month and throughout december so please keep an eye out for our webinars and we to record these so for some reason you want to view it again or if you want someone else another colleague to to view it please send an email to us and be more than happy to handle that so I’m gonna let you get back to work and get your things done for the day and hopefully some of you are leaving for the day soon I hope to hear from you and for myself Derek over and the rest of the active directory solutions team we thank you for your time and until next time this is derek signing off and i hope to see you or talk to you soon thanks a lot

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *