The Marriage of Passwords and Microsoft in 2021

David Balaban
Published 06/16/2021

Nowadays, companies are constantly improving their cybersecurity policies and tools. They build SIEM systems, strengthen network perimeters, inspect network packets on the fly, and monitor their security posture in real time. IT security is becoming fully automated, and the problem of unpatched software is being resolved. Security, however, goes beyond code vulnerabilities and viruses. Password protection remains a challenge that is ignored too often, and that leaves attackers plenty of room to work with.

Microsoft does a lot in this area to secure Windows and its corporate customers. But these efforts do not suffice. The corporation ignores NIST’s guidelines for password policies. Microsoft’s own guidelines presented in various documents contradict each other.

Add-ons matter here: for example, integrating third-party solutions into the domain controller to meet the requirements of international standards.

Password security in the wild

It is no longer news that passwords are being replaced by more complex authentication methods: tokens, keys, biometrics. However, these things, as a rule, protect mostly the company’s critical assets.

Large infrastructures aside, average businesses protect their documents and archives with passwords only. Even Basic Auth for initial web server setup remains popular to this day.

Microsoft’s statement about FIDO2 and a “2021 without passwords” sounds too bold, given that the corporation often withdraws security updates and constantly patches its operating system. New technologies will continue to be refined and should first pass a rigorous reality test.

As for personal use, multi-factor authentication that physically ties an individual to a phone number or network account is already in place, but it simplifies password resets more than it provides in-depth protection. Username and password are still holding the front line.

To be honest, not all organizations and individuals keep pace with the times. Operating system usage statistics show that Windows 7 is still popular: over 16 % of users run it. This suggests that password protection is not yet obsolete; rather, it is gaining extra reinforcing features. We still use it extensively in everyday life. No alternative capable of replacing this technology outright has been invented yet.

Password guidelines and Microsoft GPO

Password security has long been a concern for businesses and their cybersecurity standards. Account passwords are often the weakest link in the overall security system for many organizations.

A large number of companies use Microsoft’s default password policy. Admittedly, the out-of-the-box Windows setup is not bad. Let us compare it against the security recommendations of different authorities and see whether its password policy is good enough for business users.

What is a password policy? It is a set of required parameters that users must follow when choosing a password for their account. Let us take a look at the default password configuration in Windows Server 2019, with the values used out of the box.

• Password is valid for 42 days.
• Minimum password age is 1 day.
• History of previous passwords includes 24 entries.
• Minimum password length is 7 characters.
• Password complexity requirement is enabled.
• Storing passwords using reversible encryption is disabled.

In turn, the US National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B, and Section 5.1.1 “Memorized Secrets” of that guidance sets 8 characters as the minimum length. NIST also insists that before a password is set, the system administrator (or DevOps, since this should be automated) should compare the prospective password against a list of values known to be commonly used or compromised, for example:

1. Passwords obtained from previous breach corpuses.
2. Dictionary words.
3. Repetitive or sequential characters (“BBBB”, “123abc”).
4. Context-specific words, such as the username, the name of the service, and derivatives thereof.
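The four NIST checks above, as an added example of a pre-acceptance screening routine (this is not code from the article, NIST, or Microsoft). The breach corpus and dictionary are tiny constructed sets standing in for a real breach download and word list; the run-length thresholds for repeated and sequential characters are assumptions and can be tuned. The routine returns every reason for rejection so that a user can be told what to fix:

```python
"""Pre-acceptance password screening along the lines of NIST SP 800-63B 5.1.1.

Added example, not part of the original article. BREACH_CORPUS and DICTIONARY
are constructed sample data; a real deployment would load a breach list and a
proper word list instead.
"""
import re

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed sample data standing in for real corpora.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"summer", "winter", "welcome", "dragon", "monkey"}


def _has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. "BBBB")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending code points
    (e.g. "1234", "abcd", "dcba"). `run` is an assumed threshold."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _context_words(username: str, service: str) -> set:
    """Username, service name and simple derivatives (split on separators, reversed)."""
    words = set()
    for token in (username, service):
        for part in re.split(r"[\s._@-]+", token.lower()):
            if len(part) >= 3:
                words.add(part)
                words.add(part[::-1])
    return words


def screen_password(pw: str, username: str, service: str) -> list:
    """Return the list of reasons to reject `pw`; an empty list means acceptable."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if low in BREACH_CORPUS:
        reasons.append("found in breach corpus")
    if any(word in low for word in DICTIONARY):
        reasons.append("contains a dictionary word")
    if _has_repetition(pw):
        reasons.append("repeated characters")
    if _has_sequence(pw):
        reasons.append("sequential characters")
    if any(word in low for word in _context_words(username, service)):
        reasons.append("contains username or service name")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "BBBB1234", "Alice2024!!", "Tr0ub4dor&3x"):
        print(candidate, "->", screen_password(candidate, "alice", "corp-vpn") or "OK")
```

Note that the sequence check deliberately uses a window of four: with three, ordinary words such as "first" or "student" (which contain "rst" and "stu") would be rejected. NIST's own "123abc" example fails the length check anyway.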

As for PIN codes, NIST recommends at least 6 characters. Many global providers that use 4-digit codes (for example, Microsoft for logging into Windows 10) may adopt this as a benchmark.

Another section of the NIST guidance, concerning mandatory password changes at regular intervals, says that verifiers do not need to require periodic password changes, but they are obliged to force a change if there is evidence that the password has been compromised.

Microsoft only passively recommends the NIST guidance. The Security Baseline for Windows 10 v1903 and Windows Server 2019 v1903 notes the following:

“Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.”

These Microsoft recommendations point to a shortcoming of Active Directory Group Policy: there is no built-in facility for loading dictionaries of banned passwords. At the same time, the documentation describes how to develop and register a password filter DLL, meaning that it is possible to add your own filter. But that filter has to be written or bought, which increases the cost of protection.

As to the password length, Microsoft considers seven-character passwords sufficiently long for Windows Server 2019. That does not match any of the standards below:

• SANS – 12 characters.
• NIST – 8 characters.
• Microsoft TechNet – 14 characters.
• Microsoft Research – 8 characters.

Protective measures

The Organization’s Password Protection Policy has become a universal document required by many regulators and auditing authorities. This document introduces a single standard that all staff members should learn and comply with.

Every pentester knows the cost of a weak password. Any pentest lab modelled on a real organization’s network never fails to show that servers can be penetrated by obtaining a password through brute force. Information security specialists and system administrators should be aware of this and prepare for it.

For Microsoft AD, you can use third-party software such as nFront Password Filter, Specops Password Auditor, Anixis, or ManageEngine. As mentioned above, you can also replace passfilt.dll with a commercial product or write your own library. One option is to use the Pwned Passwords online service. You can also add mandatory preliminary verification of the password to the password policy.
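Checking a candidate password against the Pwned Passwords service, as an added example (not code from the article or from Have I Been Pwned). The service’s range API takes only the first five hex characters of the password’s SHA-1 and returns every matching suffix with its count, so the full hash never leaves the host. The network call is replaced by a constructed range response so the example runs offline; the hit count in that response is a made-up value, not the service’s real figure, and `live_fetch` is the only part that touches the real endpoint:

```python
"""k-anonymity lookup against the Pwned Passwords range API, run offline.

Added example, not code from the article or from Have I Been Pwned. The real
endpoint is https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
and answers with lines of "<remaining 35 hex chars>:<count>". FAKE_RANGES is a
constructed stand-in for that response; its counts are invented.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of `password` into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often `password` appears in the corpus (0 = not found).
    `fetch_range` receives the 5-char prefix and returns the raw response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network: a tiny range response for prefix 5BAA6,
# which is the prefix of SHA-1("password"). Counts and the other suffixes are invented.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of SHA-1("password")
        "01DA5AE2BD4D9DC5CD6E8F5F1A2BDB0C1F4:1",
        "",
    ]),
}


def fake_fetch(prefix: str) -> str:
    """Offline fetcher used for the demonstration and the test."""
    return FAKE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real fetch over HTTPS with the standard library; not exercised offline."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-policy-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = pwned_count(pw, fake_fetch)
        verdict = "REJECT (seen %d times)" % hits if hits else "not in corpus"
        print(pw, "->", verdict)
```

Wiring this into a password filter means rejecting any candidate with a non-zero count before it reaches the directory; pass `live_fetch` instead of `fake_fetch` to query the real service.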

Proper hardware and software configuration is essential for cybersecurity. Do not assume that everything has already been set up for you; as a rule, many things used “by default” are unsafe. Do not blame it on the Microsoft GPO setup alone, though. Any combination of a login name with a complex password is more reliable than a 4-digit PIN code sent to a phone that can be entered countless times, as was the case with the Cisco ASA.

Twenty years ago, a simple password of 4 to 6 characters was enough. Today, at least 8 characters including special symbols, letters, and numbers are considered the norm. The world is moving faster, and we must respond faster.

Each security system must be configured to the point where it is unprofitable to hack. This rule also applies to passwords.

Password protection has always been essential, and it will remain so. Its alleged demise is out of the question right now. Guidelines from industry leaders and regulators call for establishing and enforcing password strength requirements.

While Microsoft software products prevail in enterprise information systems worldwide, the corporation bets heavily on FIDO and tries to move away from passwords in favor of other safeguards. Active Directory does not provide the full recommended set of protections, even on Windows Server 2019 with the most recent updates. Third-party services prove to be unavoidable in closing this gap.