In the first two articles,
Http://www.bkjia.com/Article/200905/37822.html
Http://www.bkjia.com/Article/200905/38103.html
we discussed the Windows password policy and how it is controlled in an Active Directory environment (remember that the password policy and its related settings live in the Default Domain Policy by default). We also covered the techniques that can be used to crack Windows passwords and the limitations of each attack method. In this article we discuss how to make Windows passwords more secure and how to address the problems raised in the previous two articles. It covers what a default installation of Windows Server 2003/2008 and Active Directory offers, as well as other technologies that can improve overall password security.
First things first
The elements of a good password are actually very simple: it must be easy to remember, easy to type, and as long as you can reasonably get away with. A typical password a user might come up with is:
Am3r1c@
This particular password does meet the password complexity requirements, but it is hard to remember and awkward to type. As a result, the user may well write it down and stick it on the monitor or under the keyboard. In my opinion, passwords like the following are far better:
I am a Group Policy MVP. or I went to Germany on my last vacation.
Note:
Try reading the three examples above out loud and then typing them on your computer. You will find that a meaningful phrase is easier both to type and to remember.
In this final article we discuss what a good password policy should look like, how to make sure it is deployed, how to ensure the same password policy reaches every computer, and other technologies that keep passwords well protected.
Ensure the password policy is consistent for all domain and local user accounts
Out of the box, Active Directory is configured so that all user accounts, both those stored in AD and those in the local SAM of each computer and server, share the same password policy. This can change, however, when a GPO linked at an organizational unit (OU) also configures password settings, because an OU typically holds many computer accounts. In that case the computers and servers in the OU (but not the domain controllers) apply a different password policy to their local SAM accounts than the one that applies to domain user accounts.
To ensure that the password policy is consistent for all user accounts, you can set the GPO that defines the password policy for domain user accounts to Enforced. By default that GPO is the Default Domain Policy. In the Group Policy Management Console, right-click the GPO link and select the Enforced menu option; Figure 1 shows this configuration.
Figure 1: Enforcing the Default Domain Policy ensures that all user accounts in the local SAM use the same password policy.
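The same enforcement done from PowerShell, as an added example that is not part of the original article. It assumes the GroupPolicy and ActiveDirectory modules are installed (RSAT on Windows Server 2008 R2 or later) and uses a hypothetical member server named MEMBER01. Note that domain controllers read the domain account policy only from GPOs linked at the domain root; enforcing the link matters for the local SAM accounts on member computers, which is where an OU-linked GPO could otherwise win.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later) and a
# hypothetical member server named MEMBER01 reachable over WinRM.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com

# 1. Set the Default Domain Policy link at the domain root to Enforced.
#    An enforced link cannot be blocked or overridden by GPOs linked at OUs,
#    so its password settings win on every member computer and server.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes

# 2. Verify that the link now reports Enforced = True.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq 'Default Domain Policy' } |
    Select-Object DisplayName, Enforced, Order

# 3. Find every other GPO that also carries password settings. Linked at an OU,
#    such a GPO is what gave local SAM accounts a different policy.
Get-GPO -All |
    Where-Object { $_.DisplayName -ne 'Default Domain Policy' } |
    Where-Object { (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'MinimumPasswordLength|PasswordComplexity|PasswordHistorySize' } |
    Select-Object DisplayName, Id

# 4. Compare the domain account policy with what a member server actually
#    applies to its local SAM accounts (run gpupdate on the member first).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge
Invoke-Command -ComputerName 'MEMBER01' -ScriptBlock { net accounts }
```

Step 3 is the check worth keeping around: any GPO it lists that is linked below the domain root is a candidate for a silently diverging local password policy, and step 4 shows the divergence directly by comparing the domain values with `net accounts` output on the member.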
Using Microsoft technology to set multiple password policies in a single domain
Microsoft has finally added the ability to implement multiple password policies within a single AD domain. Although the idea is nothing new, it comes as a breath of fresh air. The feature only works in a Windows Server 2008 domain: all domain controllers must run Windows Server 2008 and the domain must be at the Windows Server 2008 domain functional level. It is called fine-grained password policy.
If your environment meets these requirements, you can configure multiple password policies, so you could have, for example:
· IT users must use a 25-character password
· Human Resources users must use a 20-character password
· All other users must use a 17-character password
The drawback of this feature is that it is not configured through Group Policy. Instead, you must create additional AD objects (Password Settings Objects) under the Password Settings Container, which lives under CN=System in the domain partition; you can view and configure these objects with ADSIEDIT.MSC, as shown in Figure 2.
Figure 2: ADSIEDIT.MSC can be used to create fine-grained password policies in a Windows Server 2008 domain.
To create a new object, right-click the Password Settings Container, select New, and then select Object. The wizard walks you through all the options that must be configured.
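The three policies listed above, created with PowerShell instead of ADSIEDIT, as an added example that is not part of the original article. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later; the Server 2008 domain itself needs no upgrade); the group names and the user account jdoe are hypothetical. Two things the wizard does not make obvious: a PSO can only be applied to users and global security groups, never to an OU, and when a user matches several PSOs the one with the lowest Precedence value wins (a PSO linked directly to the user beats any group-linked PSO).

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and a domain at the Windows Server 2008 functional level. The group
# names 'IT Staff' and 'HR Staff' and the user 'jdoe' are hypothetical.
Import-Module ActiveDirectory

# Check the prerequisite before creating any Password Settings Object.
$domain = Get-ADDomain
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $domain.DomainMode.ToString()) {
    throw "Fine-grained password policy needs the Windows Server 2008 domain functional level; current level: $($domain.DomainMode)"
}

# The article's three policies. Lower Precedence wins when a user matches
# more than one, so an IT user who is also in Domain Users gets PSO-IT.
$policies = @(
    @{ Name = 'PSO-IT';       Precedence = 10;  MinLen = 25; Subject = 'IT Staff' },
    @{ Name = 'PSO-HR';       Precedence = 20;  MinLen = 20; Subject = 'HR Staff' },
    @{ Name = 'PSO-AllUsers'; Precedence = 100; MinLen = 17; Subject = 'Domain Users' }
)

foreach ($p in $policies) {
    # Every PSO must carry a complete set of settings; these are the values
    # the ADSIEDIT wizard asks for, with reasonable defaults.
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
        -MinPasswordLength $p.MinLen -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false

    # PSOs apply to users and global security groups only, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Verify which policy actually wins for a given account: this is the check to
# run whenever a user reports that a password was accepted or rejected unexpectedly.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
```

Get-ADUserResultantPasswordPolicy returns nothing for a user who matches no PSO; that user falls back to the Default Domain Policy settings.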
Taking password policy to the next level
Microsoft has given us password policy controls for many years, and with fine-grained password policy in Windows Server 2008 we can now deploy even more control. If you want more control over passwords than the Windows domain password policy settings give you, you need a tool such as Specops Password Policy, which integrates seamlessly with AD and plugs into Group Policy to give you full control over passwords.
With this tool you can configure the following:
· Any combination of password restrictions: lower case, upper case, numbers, and special characters
· Different password expiration rules for each policy, usually called password aging
· Disallow consecutive characters in the password
· Disallow incremental passwords
· Automatic email notification when a password is about to expire
· Additional password policy requirements: regular expressions, words from a word list are not allowed, and a number may not be the last character
Figure 3 shows the Password Policy tool interface.
Figure 3: Specops Password Policy is a granular password policy tool designed for Windows domains.
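To make concrete what rules like these actually reject, here is a small checker written for this article as an added example; it is not Specops code and does not claim to match how that product implements its rules. The word list and the sample passwords are constructed for the example.

```powershell
# Added example (not Specops code). Illustrates the listed rule types:
# consecutive characters, incremented previous passwords, a digit as the last
# character, and a word list. The word list below is constructed for the example.
$WordList = @('password', 'welcome', 'summer', 'company')

function Test-PasswordRules {
    param(
        [Parameter(Mandatory = $true)] [string] $Password,
        [string] $PreviousPassword = ''
    )
    $failures = @()

    # Rule: no run of the same character three or more times ("aaa", "111").
    if ($Password -match '(.)\1{2,}') { $failures += 'repeated character run' }

    # Rule: a digit may not be the last character ("Summer1"-style passwords).
    if ($Password -match '\d$') { $failures += 'ends with a digit' }

    # Rule: the new password may not be the previous one with its last number
    # bumped by one ("Welcome2009!" -> "Welcome2010!").
    if ($PreviousPassword) {
        $m = [regex]::Match($PreviousPassword, '^(.*?)(\d+)([^\d]*)$')
        if ($m.Success) {
            $n    = $m.Groups[2].Value
            $next = ([int64]$n + 1).ToString().PadLeft($n.Length, '0')
            if ($Password -eq ($m.Groups[1].Value + $next + $m.Groups[3].Value)) {
                $failures += 'incremented previous password'
            }
        }
    }

    # Rule: no word from the word list, compared case-insensitively and with
    # common leetspeak substitutions undone ("P@ssw0rd" -> "password").
    $normalized = $Password.ToLowerInvariant() -replace '@', 'a' -replace '\$', 's' `
        -replace '0', 'o' -replace '1', 'i' -replace '3', 'e'
    foreach ($w in $WordList) {
        if ($normalized -like "*$w*") { $failures += "contains word '$w'"; break }
    }

    [pscustomobject]@{ Password = $Password; Passed = ($failures.Count -eq 0); Failures = $failures }
}

# Constructed sample inputs.
Test-PasswordRules -Password 'Am3r1c@'                                          # passes these rules
Test-PasswordRules -Password 'Summer2009'                                       # ends with digit, word 'summer'
Test-PasswordRules -Password 'Welcome2010!' -PreviousPassword 'Welcome2009!'    # incremented, word 'welcome'
Test-PasswordRules -Password 'I went to Germany on my last vacation.'           # passes
```

The incremental-password check only works because the checker is handed the previous password in clear text at change time; a product that enforces this rule must hook the password change on the domain controller for the same reason, which is why such tools install a component on every DC rather than relying on Group Policy alone.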
Summary
Windows passwords are constantly under attack. Attackers have many tools to choose from, and many of the attacks are simple and effective. We must therefore protect our own passwords and those of the users on the networks we manage. The default configuration of Windows needs to be changed, especially the settings around LAN Manager (LM) password hashes and authentication. Tell your users not to write passwords on paper and stick them somewhere visible, where anyone can read them, and teach them how to create good, solid, long passwords that they can live with. Using tools to deploy multiple password policies in the same domain and to enforce complex, strict passwords helps keep passwords safer.