How To Set Up An Effective Domain_9 Profile

With cyberattacks exploding around the world, it's more important than ever for organizations to have a robust password policy. Hackers often gain access to corporate networks through legitimate user or admin credentials, leading to security incidents and compliance failures. In this article, we will explore how to create and maintain a strong and effective Active Directory password policy.

How Attackers Compromise Corporate Passwords

Hackers use a variety of techniques to compromise corporate passwords, including the following:

  • Brute force attack — Hackers run programs that enter various potential password combinations until they hit upon the right one.
  • Dictionary attack — This is a specific form of brute force attack that involves trying words found in the dictionary as possible passwords.
  • Password spraying attack — Hackers enter a known username or other account identifier and attempt multiple common passwords to see if they work.
  • Credential stuffing attack — Hackers use automated tools to enter lists of credentials against various company login portals.
  • Spidering — Malicious users collect as much information as possible about a hacking target, and then try out password combinations created using that data.

How to View and Edit Active Directory Password Policy

To defend against these attacks, organizations need a strong Active Directory password policy. Password policies define different rules for password creation, such as minimum length, details about the complexity (like whether a special character is required), and the length of time the password lasts before it must be changed.

Default Domain Policy is a Group Policy object (GPO) that contains settings that affect all objects in the domain. To view and configure a domain password policy, admins can use the Group Policy Management Console (GPMC). Expand the Domains folder and choose the domain whose policy you want to access, and then choose Group Policy Objects. Right-click the Default Domain Policy folder and select Edit. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Alternatively, you can access your domain password policy by executing the following PowerShell command:

Get-ADDefaultDomainPasswordPolicy

Remember, whatever changes you make to the default domain password policy apply to every account inside that domain. You can create and manage fine-grained password policies using the Active Directory Administrative Center (ADAC) in Windows Server.

Understanding AD Password Policy Settings

Here are the six password policy settings and their default values:

  • Enforce password history — Default is 24. This setting specifies the number of unique passwords users must create before reusing an old password. Keeping the default value is recommended to reduce the risk of users having passwords that have been compromised.
  • Maximum password age — Default is 42. This setting establishes how long a password can exist before the system forces the user to change it. Users typically get a pop-up warning when they reach the end of their password expiration period. You can check this setting through PowerShell by executing the command net user USERNAME /domain. Keep in mind that forcing frequent password changes can lead to users writing their passwords down or adopting practices like appending the month to a stem word they reuse, which actually increase security risks. Setting "Maximum password age" to 0 means that passwords never expire (which is generally not recommended).
  • Minimum password age — Default is 1 day. This setting specifies how long a password must exist before the user is permitted to change it. Setting a minimum age keeps users from resetting their password repeatedly to circumvent the "Enforce password history" setting and reuse a favorite password immediately.
  • Minimum password length — Default is 7. This setting establishes the fewest number of characters a password can have. While shorter passwords are easier for hackers to crack, requiring very long passwords can lead to lockouts from mistyping and to security risks from users writing down their passwords.
  • Complexity requirements — Default is Enabled. This setting details the types of characters a user must include in a password string. Best practices recommend enabling this setting with a minimum password length of at least 8; this makes it harder for brute force attacks to succeed. Complexity requirements typically require the password to include a mix of:
    • Upper or lowercase letters (A through Z and a through z)
    • Numeric characters (0–9)
    • Non-alphanumeric characters like $, # or %
    • No more than two consecutive characters from the user's account name or display name
  • Store passwords using reversible encryption — Default is Disabled. This setting offers support for apps that require users to enter a password for authentication. Admins should keep this setting disabled because enabling it would allow attackers who know how to break this encryption to log into the network once they compromise the account. As an exception, you can enable this setting when using Internet Authentication Services (IAS) or the Challenge Handshake Authentication Protocol (CHAP).

Fine-Grained Policy and How It's Configured

Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) in later versions of AD has made it possible for admins to create multiple password policies to better meet business needs. For instance, you might want to require admin accounts to use more complex passwords than regular user accounts. It's important that you define your organizational structure thoughtfully so it maps to your desired password policies.

While you define the default domain password policy inside a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder, then click on the Password Settings Container.
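The same PSO can be created from PowerShell with the ActiveDirectory module. The script below is an added example, not code from the original article or from Netwrix; the PSO name, its precedence value, the target group "Domain Admins" and the sample account name are assumptions, while the 15-character minimum for admin accounts follows the recommendation later in this article.

```powershell
# Added example: create a fine-grained password policy (PSO) for privileged accounts
# and link it to a group. Names and the precedence value are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumed PSO name

# New-ADFineGrainedPasswordPolicy fails on a duplicate name, so check first.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $psoParams = @{
        Name                            = $psoName
        Precedence                      = 10        # lowest value wins if several PSOs apply
        MinPasswordLength               = 15        # admin accounts: at least 15 characters
        ComplexityEnabled               = $true
        PasswordHistoryCount            = 24
        MinPasswordAge                  = (New-TimeSpan -Days 3)
        MaxPasswordAge                  = (New-TimeSpan -Days 42)
        ReversibleEncryptionEnabled     = $false    # never store reversible passwords
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# Apply the PSO to the privileged group (group name is an assumption).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify which policy actually wins for one member; 'admin.user' is a placeholder.
Get-ADUserResultantPasswordPolicy -Identity 'admin.user' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
```

Get-ADUserResultantPasswordPolicy returns the PSO with the lowest precedence that applies to the user, or nothing if only the Default Domain Policy applies.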

NIST SP 800-63 Password Guidelines

The National Institute of Standards (NIST) is a federal agency charged with issuing controls and requirements around managing digital identities. Special Publication 800-63B covers standards for passwords. Revision 3 of SP 800-63B, issued in 2022 and updated in 2022, is the current standard.

These guidelines provide organizations with a foundation for building a robust password security infrastructure. NIST recommendations include the following:

  • Require user-generated passwords to be at least eight characters long (6 for machine-generated ones).
  • Allow users to create passwords up to 64 characters long.
  • Permit users to use any ASCII/Unicode characters in their passwords.
  • Disallow passwords with sequential or repeated characters.
  • Do not require frequent password changes. Although for years many organizations have required users to change their passwords often, this policy often leads to users making incremental changes to a base password, writing their passwords down, or experiencing lockouts because they forget their new passwords. Accordingly, the latest NIST 800-63B standards call for using password expiration policies carefully. More recent research suggests that better alternatives include using banned password lists, using longer passphrases and enforcing multi-factor authentication for additional security.

AD Password Policy Best Practices

More broadly, administrators should make sure to:

  • Set a minimum password length of 8 characters.
  • Establish password complexity requirements.
  • Enforce a password history policy that looks back at the last 10 passwords of a user.
  • Make the minimum password age 3 days.
  • Reset local admin passwords every 180 days (consider using the free Netwrix Bulk Password Reset tool for that).
  • Reset device account passwords during maintenance once per year.
  • Require passwords for domain admin accounts to be at least 15 characters long.
  • Set up email notifications to let users know passwords are about to expire (the free Netwrix Password Expiration Notifier tool can help).
  • Consider creating granular password policies to link up with specific organizational units instead of editing the Default Domain Policy settings.
  • Use banned password lists.
  • Use password management tools to store multiple passwords.
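To check whether the Default Domain Policy described in the settings section above meets the thresholds in this list, the following audit script compares each value returned by Get-ADDefaultDomainPasswordPolicy against the recommended minimums and reports the gaps. It is an added example, not code from the original article or from Netwrix; the function name is an assumption, and the thresholds are the ones stated in this article.

```powershell
# Added example: audit the default domain password policy against the best-practice
# thresholds from this article. Function name is an assumption.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Server $Domain

    # Each check records the rule, whether it passed, and the observed value.
    # MaxPasswordAge of 0 means "never expires", which the article advises against;
    # a non-positive TimeSpan therefore fails the check.
    $checks = @(
        @{ Rule = 'Minimum password length >= 8';     Pass = ($p.MinPasswordLength -ge 8);          Actual = $p.MinPasswordLength }
        @{ Rule = 'Complexity requirements enabled';  Pass = ($p.ComplexityEnabled);                Actual = $p.ComplexityEnabled }
        @{ Rule = 'Password history >= 10';           Pass = ($p.PasswordHistoryCount -ge 10);      Actual = $p.PasswordHistoryCount }
        @{ Rule = 'Minimum password age >= 3 days';   Pass = ($p.MinPasswordAge.TotalDays -ge 3);   Actual = $p.MinPasswordAge }
        @{ Rule = 'Maximum password age set (not 0)'; Pass = ($p.MaxPasswordAge.TotalDays -gt 0);   Actual = $p.MaxPasswordAge }
        @{ Rule = 'Reversible encryption disabled';   Pass = (-not $p.ReversibleEncryptionEnabled); Actual = $p.ReversibleEncryptionEnabled }
    )

    foreach ($c in $checks) {
        $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Domain = $Domain
            Rule   = $c.Rule
            Status = $status
            Actual = $c.Actual
        }
    }
}

# List only the failing rules so they can be corrected in the GPO.
Test-DomainPasswordPolicy | Where-Object Status -eq 'FAIL' | Format-Table -AutoSize
```

Run it from a domain-joined host with the RSAT ActiveDirectory module; drop the Where-Object filter to see every rule with its observed value.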

For more information, read our password policy best practices for strong security in AD.

User education is just as crucial as any password policy. Educate your users on the following rules of behavior:

  • Don't write down passwords. Instead, pick strong passwords or passphrases you can remember easily, and use password management tools.
  • Don't type your password when anyone is watching.
  • Understand that HTTPS:// addresses are more secure than HTTP:// URLs.
  • Don't use the same password for multiple websites that provide access to sensitive information.

FAQ

How do I find and edit my Active Directory password policy?

You can find your current AD password policy for a specific domain either by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy via the management console, or by using the PowerShell command Get-ADDefaultDomainPasswordPolicy.

Are passwords encrypted in Active Directory?

Yes. Passwords created by a user are run through a hashing algorithm before they are stored.

What is Active Directory password complexity?

Complexity requirements control the characters that can or cannot be included in a password. For example, users might be prevented from using their username as their password, or required to include at least one number and one lowercase letter in the password.

What is Windows Server password policy?

Windows Server password policy controls passwords for accessing Windows servers.

How do I find, edit or disable a password policy in Windows Server?

Locate the GPO through the Group Policy Management Console and click Edit.

What is a good password policy?

Best practices include the following:

  • Make users create at least 10 new passwords before reusing an old one.
  • Apply a maximum password age of 42 days.
  • Apply a minimum password age of 3 days.
  • Make users create passwords that are at least 8 characters long.
  • Enable the "Complexity requirements" choice.
  • Disable reversible encryption.

Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.

Source: https://blog.netwrix.com/2021/07/14/active-directory-password-policy/