Transcript of: Security and compliance: Robust password solutions for Active Directory
-
Security and compliance:
Robust password solutions for
Active Directory
Derek Melber
-
About Your Speaker
-
• Derek Melber
• 15-time MVP (AD and Group Policy)
• Online Resources
• ManageEngine Active Directory Blog
• Security Hardening Site
• 2017 World Tour
• London, Scotland
• Dubai, Johannesburg, Munich, Dusseldorf, Hamburg
• Barcelona, Madrid, Lisbon
• Sydney, Brisbane
• Stockholm, Malmo
• ...
About Derek Melber
-
Agenda
• Default Password Policy
• Fine Grained Password Policies
• Password Attack Strategies
• Password Policies using ADSSP
• End user self service password reset
-
Default Password Policy
-
Default Password Policy
• Configured using Group Policy
– Default Domain Policy
– Linked to AD domain node
-
GPO Password Policy Q&A
How many password policies can you have in a single domain?
-
GPO Password Policy Q&A
Can you link a GPO containing a password policy to the Domain
Controllers OU?
What is the result?
-
GPO Password Policy Q&A
Can you link a GPO containing a password policy to an OU
containing users?
What is the result?
-
GPO Password Policy Q&A
Are there any options to increase the security of the password policy
beyond what is in the Account Policies section of a GPO?
-
Fine Grained Password Policies
-
Fine Grained Password Policies
• Not configured in Group Policy
• Not configured by default
• Configured using ADSIEdit
-
Fine Grained Password Policies
-
FGPP Password Policy Q&A
How many password policies can you have in a single domain?
-
FGPP Password Policy Q&A
How are FGPP applied to users?
-
FGPP Password Policy Q&A
Are there any options to increase the security of the password policy
beyond what the FGPP wizard prompts you for?
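As an added example (not from the slides or from ADSSP), the PowerShell below shows how a fine-grained password policy is created and applied: a PSO is linked to users or global security groups rather than to an OU, the lowest Precedence wins when several PSOs cover one user, and Get-ADUserResultantPasswordPolicy reveals which policy a given account actually gets. It assumes the ActiveDirectory RSAT module and rights to create PSOs; the PSO name, group and user are constructed placeholders.

```powershell
# Added example: create a fine-grained password policy (PSO), link it to a group,
# then verify which policy actually applies to a user and audit all PSOs.
# Assumes the ActiveDirectory module; names below are constructed placeholders.
Import-Module ActiveDirectory

# Baseline for comparison: the domain-wide policy set by the Default Domain Policy GPO
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold

# Stricter PSO for privileged accounts. Any PSO overrides the domain policy for its
# subjects; when a user is covered by several PSOs, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAccounts" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutObservationWindow "00:30:00" `
    -LockoutDuration "00:30:00" `
    -ReversibleEncryptionEnabled $false `
    -Description "15+ chars with complexity for privileged accounts"

# PSOs are applied to users or global security groups, not linked to OUs like a GPO.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAccounts" -Subjects "Domain Admins"

# Resultant policy for one user: returns the winning PSO, or nothing if only the
# domain policy applies. This is the check to run after changing precedence values.
Get-ADUserResultantPasswordPolicy -Identity "admin.jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold

# Audit: list every PSO in the domain together with the principals it applies to
Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object {
        $pso = $_
        Get-ADFineGrainedPasswordPolicySubject -Identity $pso.Name |
            Select-Object @{n='PSO';e={$pso.Name}}, @{n='Precedence';e={$pso.Precedence}}, Name, ObjectClass
    }
```

If Get-ADUserResultantPasswordPolicy returns nothing for a member of the target group, check that the user is a direct or nested member of a global security group listed as a PSO subject and that no other PSO with a lower Precedence also covers them.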
-
Password attack strategies
-
Password attack strategies
• Dictionary attack
• Brute force attack
• Rainbow table attack
• Pass the Hash (PtH) attack
• Pass the Ticket (PtT) attack
-
Password Policies
using ADSSP –
“The Enforcer”
-
Password policy enforcer
interaction
• If user has no Password Policy Enforcer:
  – GPO-based password policy, OR
  – Fine-grained password policy
• If user has Password Policy Enforcer:
  – GPO-based password policy + Password Policy Enforcer, OR
  – Fine-grained password policy + Password Policy Enforcer
  (Note: where the settings overlap, the more secure setting applies)
-
Password policy enforcer features
-
Password policy enforcer features
• Key features for securing passwords
– 4 of 4 character types
– Minimum password length over 15 characters
– Disallow 5 continuous characters from old password
– Dictionary import/verification
– Enforce the policy in GINA…
– Show policy requirements…
-
End user self service
password reset
-
ADSelfService Plus Policies
• Defines user interaction with ADSelfService Plus
• Policy components need to be defined to ensure security
– Self Service features for user
– Which users will receive policy
– Multifactor authentication for password manipulation
– Advanced configurations
-
ADSelfService Plus Policies
• Self Service features
-
ADSelfService Plus Policies
• Which users will receive policy
-
ADSelfService Plus Policies
• Multifactor authentication for password manipulation
-
Enrolling users into
ADSelfService Plus
• Users need to enroll to be “known” by system
– Enrollment can be more manual for user
  • Send email only
  • User must logon to ADSSP
– Enrollment can be more automated for user
  • Send email
  • Single Sign On enabled
– Enrollment can be forced before using computer
  • Forced Enrollment
  • Single Sign On enabled
-
Enrolling Users into
ADSelfService Plus
-
End user password reset
• Web-based, not Microsoft GUI-based
– Allows for easier communication with user
– Allows for user to reset password remotely
• Features include
– Custom message
– Message can include URL link
– Administrative Tools – GINA/Mac
-
End user unlock
• Web-based!
• Shows the current password policy to ensure easy password entry for end user
• CAPTCHA support
-
Summary
• Default Password Policy
• Fine Grained Password Policies
• Password Attack Strategies
• Password Policies using ADSSP
• End user self service password reset
-
Thank You!
Questions?