Cybercriminals often gain access to corporate networks by hijacking the login credentials of legitimate users or administrators, which can lead to a breach of both business-critical and personally identifiable data. The resulting disruption to everyday business operations can seriously affect the bottom line. With cyber threats rising rapidly worldwide, organisations must enforce even stronger internal password policies. Implementing and maintaining a strong Active Directory (AD) password policy is an organisation's first line of defence, and for these measures to succeed organisations must invest the time and education needed to execute them effectively.
How cybercriminals can compromise credentials
Today, attackers predominantly use five techniques to compromise corporate passwords. In a password spraying attack, the attacker takes a verified username or other account identifier and tries it against a range of commonly used passwords until one succeeds. Credential stuffing instead uses an automated tool to replay lists of previously verified user credentials against a company's various login portals and, from there, its internal systems.
Brute force attacks occur when an attacker runs a program that tries many possible username and password combinations until one matches. Dictionary attacks are a variant of brute force in which common dictionary words are pieced together to form probable passwords. Lastly, in the spidering technique, attackers gather as much internal information about their target as possible and then try username and password combinations derived from that data until they find a match.
Creating a strong AD password policy
Strong AD password policies establish and enforce a wide range of password requirements, including how long a password may be used, the minimum number of characters, and the level of complexity a new password must meet. A variety of security frameworks provide essential recommendations for password policies in general, and these guidelines apply equally to AD password policy.
The default domain password policy is located in the following Group Policy Object (GPO) path: Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Password Policy. At the required Windows Server domain functional level, administrators can also define fine-grained password policies for different parts of the organisation, using either PowerShell or the Active Directory Administrative Center (DSAC).
When establishing an AD policy, the administrator should set the minimum password length for general users to at least eight characters and decide on a complexity level. To reduce the risk of compromise, domain admin passwords should require a minimum of 15 characters. Passphrases are an easy way to produce longer, more complex passwords that are hard to crack yet easy for the user to remember, for example ‘TheSunRisesInTheEast!’.
Another useful practice is to check every new password against a database of known breached passwords. A password history policy should also be in place, remembering the last ten passwords of each user so that passwords cannot be recycled over time, and a list of banned passwords should be maintained.
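As an added example (not code from the original article), the following PowerShell function shows how the two checks just described can be combined before a new password is accepted: a banned-term list, and a lookup against a corpus of SHA-1 hashes of known-breached passwords using the five-character hash-prefix style so that only a short prefix, never the full hash, selects the bucket. The hash corpus and the banned terms are constructed for the demo; in production the corpus would be loaded from a breach-hash file.

```powershell
# Added example, not from the original article. Checks a candidate password
# against (a) a list of banned terms and (b) a local corpus of SHA-1 hashes of
# known-breached passwords, using a five-character hash-prefix bucket lookup.
# The corpus and banned list below are constructed for the demo.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return (($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    finally { $sha1.Dispose() }
}

# Constructed corpus: in production load one upper-case SHA-1 per line from a
# breach-hash file instead of deriving the hashes from plaintext as done here.
$BreachedHashes = @('Qwerty123!', 'Letmein2024', 'Autumn2023!') | ForEach-Object { Get-Sha1Hex $_ }

# Constructed banned list: company name plus generic words users reach for.
$BannedTerms = @('contoso', 'password', 'welcome')

function Test-PasswordAgainstBlocklists {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string[]]$BreachedHashes,
        [Parameter(Mandatory)][string[]]$BannedTerms,
        [int]$MinLength = 8
    )
    if ($Candidate.Length -lt $MinLength) {
        return [pscustomobject]@{ Accepted = $false; Reason = "shorter than $MinLength characters" }
    }
    # -match is case-insensitive by default; escape so terms are matched literally
    foreach ($term in $BannedTerms) {
        if ($Candidate -match [regex]::Escape($term)) {
            return [pscustomobject]@{ Accepted = $false; Reason = "contains banned term '$term'" }
        }
    }
    # Prefix lookup: the first five hex characters select the bucket, then the
    # remaining 35 characters are compared locally against that bucket only.
    $hash   = Get-Sha1Hex $Candidate
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    $bucket = $BreachedHashes | Where-Object { $_.StartsWith($prefix) } | ForEach-Object { $_.Substring(5) }
    if ($bucket -contains $suffix) {
        return [pscustomobject]@{ Accepted = $false; Reason = 'appears in breached-password corpus' }
    }
    [pscustomobject]@{ Accepted = $true; Reason = 'passed blocklist checks' }
}

# Usage: 'Welcome123' fails on the banned list, 'Qwerty123!' fails on the
# corpus, and the passphrase from the article is accepted.
foreach ($pw in 'Welcome123', 'Qwerty123!', 'TheSunRisesInTheEast!') {
    $r = Test-PasswordAgainstBlocklists -Candidate $pw -BreachedHashes $BreachedHashes -BannedTerms $BannedTerms
    '{0,-24} accepted={1,-5} {2}' -f $pw, $r.Accepted, $r.Reason
}
```

The banned-term check runs before the hash lookup because it is cheaper and catches the company-specific patterns a public breach corpus does not know about; the prefix bucket is what lets the same logic be pointed at a remote range-lookup service later without ever transmitting the full hash.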
In general, passwords should be reset at least once a year or during annual system maintenance, and local administrator passwords should be reset every 180 days. Because it is difficult for users to keep track of when a reset is due, administrators should enable email notifications that alert users when their passwords are about to expire. Since newly created passwords are easy to forget, organisations should consider offering all users a secure password management tool for their personal and corporate passwords.
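The expiry notification mentioned above can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not the article's own code: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed for enabled accounts whose passwords do expire, selects those expiring within a configurable window, and mails each user. The SMTP server, sender address and the 14-day window are assumptions for the demo.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module and an account that can read user attributes.
# SMTP server, sender address and the notification window are placeholders.
Import-Module ActiveDirectory

function Get-ExpiringPasswordUsers {
    param([int]$WithinDays = 14)
    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)
    # Only enabled accounts whose password actually expires are of interest.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -gt 0 } `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', EmailAddress |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # Unset, or Int64.MaxValue, means "never expires" for this user.
            if (-not $raw -or $raw -eq [long]::MaxValue) { return }
            $expires = [datetime]::FromFileTime($raw)
            if ($expires -gt $now -and $expires -le $limit) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Email          = $_.EmailAddress
                    ExpiresOn      = $expires
                    DaysLeft       = [int][math]::Ceiling(($expires - $now).TotalDays)
                }
            }
        }
}

function Send-PasswordExpiryNotice {
    param(
        [int]$WithinDays = 14,
        [string]$SmtpServer = 'smtp.example.com',       # placeholder
        [string]$From = 'it-helpdesk@example.com'        # placeholder
    )
    foreach ($u in Get-ExpiringPasswordUsers -WithinDays $WithinDays) {
        if (-not $u.Email) { continue }   # nothing to notify without an address
        $when = $u.ExpiresOn.ToString('yyyy-MM-dd HH:mm')
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.Email `
            -Subject "Your domain password expires in $($u.DaysLeft) day(s)" `
            -Body "Hello $($u.SamAccountName), your password expires on $when. Please change it before then."
    }
}

# Usage: preview first, then send. Schedule the send as a daily task.
Get-ExpiringPasswordUsers -WithinDays 14 | Format-Table SamAccountName, Email, ExpiresOn, DaysLeft
Send-PasswordExpiryNotice -WithinDays 14
```

Because msDS-UserPasswordExpiryTimeComputed already takes fine-grained policies into account, the same script remains correct when different user groups are on different maximum-age settings.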
Configure a fine-grained password policy
To meet the needs of the business, administrators must first define the organisational structure carefully so that the most suitable password policies can be created. Fine-grained password policies (FGPPs) allow multiple account lockout and password policies to coexist within a single domain. Older versions of AD allowed only one password policy per domain; later versions introduced FGPPs, which allow several policies to be created and applied to different sets of users. For example, an administrator may require more complex passwords for admin accounts than for generic user accounts.
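As an added example (not the article's code), the PowerShell below applies the baseline described in the preceding sections with the ActiveDirectory module: the default domain policy is set to eight characters, complexity on and a ten-password history with a one-year maximum age, and a fine-grained policy with a 15-character minimum is created and bound to Domain Admins so that privileged accounts get the stricter rule. The policy name, the lockout values and the sample account used for verification are assumptions; the page gives no lockout numbers.

```powershell
# Added example, not from the original article. Run in an elevated session as
# a Domain Admin with the RSAT ActiveDirectory module. Policy name, lockout
# values and the verification account are assumptions for the demo.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Baseline for everyone: the default domain policy (the GPO path named above).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 10 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ReversibleEncryptionEnabled $false

# 2. Fine-grained policy for privileged accounts. Lower Precedence wins when a
#    user is covered by more than one PSO. Lockout values are assumed.
$adminPolicy = @{
    Name                        = 'PSO-Privileged'            # assumed name
    Precedence                  = 10
    MinPasswordLength           = 15
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 10
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 5                           # assumed
    LockoutDuration             = (New-TimeSpan -Minutes 30)  # assumed
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)  # assumed
    ReversibleEncryptionEnabled = $false
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($adminPolicy.Name)'")) {
    New-ADFineGrainedPasswordPolicy @adminPolicy
}
Add-ADFineGrainedPasswordPolicySubject -Identity $adminPolicy.Name -Subjects 'Domain Admins'

# 3. Verify the resultant policy for one ordinary and one privileged account.
#    'jdoe' and 'adm-jdoe' are placeholder account names.
foreach ($acct in 'jdoe', 'adm-jdoe') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $acct
    if ($pso) {
        "{0,-10} -> {1} (min length {2}, history {3})" -f $acct, $pso.Name, $pso.MinPasswordLength, $pso.PasswordHistoryCount
    } else {
        "{0,-10} -> default domain policy" -f $acct
    }
}
```

Get-ADUserResultantPasswordPolicy returns nothing for an account not covered by any PSO, which is how the script tells the default-policy case apart from the fine-grained one; checking it for a representative account from each group is the quickest way to confirm the binding did what was intended.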
What's more, user education is just as crucial as any password policy when it comes to enterprise security, and ongoing security awareness training is a must. At a minimum, users should be taught not to write down passwords, to choose strong passwords or passphrases instead, and not to reuse the same password across multiple accounts.
The threat landscape continues to evolve rapidly, and attackers' focus on credential theft techniques is only set to continue. To mitigate these risks, organisations must implement advanced password and credential policies that minimise exposure to these attack methods. Only through proper enforcement of well-thought-out AD and fine-grained password policies can this first line of protection truly succeed.