How to Setup / Configure Domain Password Policy in Active Directory
How to Setup / Configure Domain Password Policy in Active Directory (Best Practice). To ensure high level of security for user accounts in Active Directory the admin must create a strong password policy by configuring Domain password policy, which is critical to ensure compliance in your organization. In Microsoft Active Directory the Group Policy can be used to control many different password requirements. Follow this article to learn how to setup/configure Domain Password Policy in Active Directory.
What is a Domain password policy
The password policy task is to make sure the user’s password is strong, changed over periodic time to prevent cyber attacker cracking the password. Domain Password Policy is Active Directory or AD is Microsoft’s flagship network operating system (NOS) and domain access control service. It is included in the software maker’s server operating systems. Examples include Windows Server 2000 and Windows Server 2003 – or even a cloud domain controller.
A password policy is an Active Directory feature that is used to force all users to adhere to a company’s security policy by setting down rules for the creation and maintenance of the passwords they use to log onto the domain and access its assets.
How to configure the domain password policy
To view and edit the requirements of passwords in the Active Directory Domain, you must use the Group Policy Object (GPO). The domain password policy can be found by navigating to:
Start Menu → Administrative Tools → Group Policy Management
Other ways of doing it are:
- Start →Run → Typing gpmc. msc and clicking “OK.”
- Start →Typing gpmc.msc in the search bar and hitting the ENTER key.
Then, in the console tree list, we need to expand the Forest and Domains nodes. Select your domain – or the one for which the policies are being set.
Double click the domain reveals the GPOs linked to it. We then right click Default Domain Policy and select Edit. A Group Policy Editor console will open. Next, we navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Double clicking on the policies on the right opens them for editing.
In the next part of this article about how to Setup / Configure Domain Password Policy in Active Directory (Best Practice) is to learn about password policy settings.
What are the default domain password policy settings
By default, the Active Directory domain password policy has the following settings:
- Enforce password history – the default value is 24 passwords. This means users can use a password again until 24 passwords later.
- Maximum password age – the default is 42 days, after which the password expires and must be changed.
- Minimum password age – default is 1 day; the user can’t change the password before 24 hours have passed following its creation.
- Minimum password length – the default is 7, meaning users must have 7 or above characters in their passwords.
- Complexity requirements – by default it is enabled to allow for the creation of new passwords that have special characters and numbers in them to make them harder to break.
- Store passwords using reversible encryption – by default it is disabled; it may need to be enabled if there are any applications that may require usernames and passwords for authentication. They can decrypt the credentials and check authentication.
Microsoft recommended Password Policy settings
In the Security Compliance Toolkit, Microsoft recommends that administrators use the following password policy settings:
- Enforce Password History – 24
- Minimum password age – Not set
- Minimum password length – 14
- Maximum password age – Not set
- Password must meet complexity – Enabled
- Store passwords using reversible encryption – Disabled
These values could serve as a baseline for any administrator who can then tweak them as may be needed.
Now, although some may find creating and using passwords with 14 characters in it is a little too much, they can offset using shorter passwords (say “7 and above”) and then adding password complexity rules like:
- No names – the users can’t use their names or account names as parts of their passwords.
- No name characters – taking it one step further, the policy can prevent the use of two characters of the users’ names in a row.
- Mixing it up – the users must include three different types of characters from numbers (0–9), uppercase and lowercase letters, and special characters (@, $, &, #).
Advantages of a strong domain password policy
To anyone who may be wondering why an administrator might need to go through all this trouble, let us have a look at the advantages of enforcing strong domain password policies. They are:
- Keeping unauthorized users out –and making it hard for them to break into the network.
- Stopping users with weak passwords from logging in – and posing a security threat by giving hackers a weak point to exploit.
- Reduce the chances of users’ passwords being compromised – both by asking them to change them often and ensuring they use complex passwords; if good policies are adopted, complex passwords are truly hard to crack even when the latest hacking tools are involved.
- Stopping brute force attacks by disabling accounts after successive failed login attempts – suspicious login attempts can be thwarted after a few trials.
These are some ways by which adopting strong policies help protect a network and its connected digital assets.
Password Policy best practices
- Establishing password complexity requirements that are, well, complex.
- Enforcing a password history policy that looks back to the last 10 passwords (at least) of a user.
- Resetting local admin passwords every 180 days; also, resetting all device account passwords during maintenance at least once per year.
- Requiring passwords for domain administrators’ accounts to be at least 15 characters long.
- Setting up email notifications to let users know passwords are about to expire so they can be prepared when that morning finally arrives and avoid downtimes.
- Using banned password lists to stop users from going for passwords like “1234567”, “P@ssw0rd”.
- Ensuring other enterprise applications protect stored and transferred passwords using encryption – during at rest or in transmission – to ensure hackers won’t crack them from that side.
- Automatically disabling accounts for users that have left the company by including it in their termination process.
At the very least, it is wise to apply multi-factor authentication (MFA) to mitigate the security risks of lost, stolen, and misused passwords.
Best Methods for password and authentication
Many administrators make the mistake of taking their Active Directory administration tasks seriously while completely ignoring the security awareness levels of their users.
Earlier, we said that the weakest link in a network is always the user. Well, there is a way of strengthening this link and it is by creating awareness, using regular refresher training, and reaching out to users via newsletters and similar media.
The messages being sent across should include advice like:
- Do not write your password down – never.
- Do not use portable drives to store sensitive data – sensitive data shouldn’t leave the premises of the organization that owns it. It should be stored on the company’s devices at all times.
- Do not plug in USB and other storage devices into the corporate network – this applies double when you do not know who the owner of the device is. This method – throwing USB drives near a target network – is such a common and very effective hacking method that it even has a name: USB Drop Attack.
- If there is an absolute need for using USB drives, then the ones used on the network should never leave the premises and it is advised that they are always encrypted.
- Never leave your laptop unattended in a public place and even in an office, make sure you lock your screen when you’re away – even for “just a few.”
- Use biometric authentication – it is there for a reason, and it is truly unique to you.
- Keep your computer updated – a simple thing you can do is not interrupt updates as they happen; it might be an annoyance for a few minutes, but it is always worth it. If you can, ask the administrator to schedule the updates for after hours, if they haven’t already.
Simple reminders of these vital lessons help administrators with their jobs. They should therefore lead the efforts to create and keep a tech-savvy user base.
Great! We have learned more about How to Setup / Configure Domain Password Policy in Active Directory (Best Practice). We shall summarize.
How to Setup / Configure Domain Password Policy in Active Directory Conclusion
The domain network targets the users in their network. If the the account username and password is the only security measure protecting their computers, there is a risk.
If the username will be easy to guess the passwords shouldn’t be weak. They passwords need to be complex and difficult to guess.
In Active Directory the Default Password Policy is already configured to protect users from creating easy passwords within an AD domain.
With certain applications please make sure if you are required to adjust this password policy. When you Setup / Configure Domain Password Policy in Active Directory always keep in mind the best practices.
The domain password policy is just one of many ways you can keep your network safe. And the person in charge of protecting the network needs to have full knowledge of what they are doing.
