Never before in the history of computing has security been of as much concern as it is today. It seems odd, then, that the basic mechanisms we use to guard against unauthorized access to networks, and more specifically the systems hosted on them, have been around since the dawn of electronic computing.
In this, the first of a three part look at increasing authentication security on your Windows Server 2003 based Active Directory environment, we'll look at how you can use the built in authentication mechanism – passwords – with maximum effect. We'll continue this discussion in a second, before moving on in part three to look at what's involved in implementing more advanced authentication mechanisms like smartcards and biometrics.
Using What You Have Already Got - Passwords
Although Hollywood movie directors would have us believe that any password can be cracked in less than 20 seconds by a tenth grade computer club member, the reality is that passwords, or more accurately passphrases, still offer enough protection for the majority of networks. That said, the difference in security strength between a simple password with no regulatory system to back it up and a complex password with fully configured management policies and account lockout systems, is huge. Fortunately, Windows Server 2003 provides all of tools needed to implement these policies. If you haven't already configured them, that's the first step toward a more secure authentication system.
The Password Policy defines how the system monitors and controls password usage. It provides a variety of options to make sure that users are using strong passwords, changing them frequently, and not reusing them too often. The Password policy for the domain is configured through the Domain Security Policy, which can be accessed directly from the Administrative Tools menu on a Windows Server 2003 system. It should be noted that the policy can also be configured from the Default Domain Controller Security Policy, so you'll need to understand Group Policy inheritance in order to implement it effectively.
You can see the Password Policy node of the Default Domain Security Policy in Figure 1. This screenshot shows the settings from a Windows Server 2003 system immediately following its promotion to a domain controller.
(Click for a larger image)
With 'complexity requirements' turned on, passwords that users provide must meet certain criteria. The password cannot contain all or part of the users account name, must be at least six characters in length, and must contain at least three of the following criteria: upper or lower case characters, numbers, or special characters like ! or #.
You can take the password complexity requirements even further by creating your own password filters, but even with the default complexity requirements, users will have to provide passwords that are considered very strong. Any password that combines different characters and characteristics makes many traditional password cracking techniques largely ineffective.
The only other setting in the Password Policy that is worthy of special mention is the Store Passwords Using Reversible Encryption option. This is one that should be left disabled unless there is a very specific (and good) reason to do so. Enabling this option allows other applications, for example a Web-based inventory system, to access the user's password for authentication purposes. Sounds great, but if an external application can access the users password, it's not a huge leap to believe that other, less legitimate uses could also be made of this capability.
So what makes a strong password policy?
While there is no hard or fast answer to that question, the default settings provided on Windows Server 2003 are a good start. A minimum password length of seven characters is considered strong enough for most environments, but upping that minimum to eight provides even more security. The number of available combinations for a password goes up exponentially when an extra character is added, so eight characters is significantly more secure than seven.
Allowing 42 days between password changes might be a little on the long side - 28 might be a more prudent figure. Having a password expiration limit of 30 days might seem like a strong choice, but that would mean that every so often passwords would expire on a Friday. Passwords changed on a Friday are often not remembered on a Monday, so this may lead to lots of help-desk calls. As employees often start their employment on a Monday, setting a password expiration cycle that works on multiples of 7 days means that most employees subsequently change passwords on a Monday, and have the rest of the work week to use them and get them embedded in their memories. Of course there will be exceptions to this, such as people who change passwords or start their employment midweek, but there isn't much you can do about that.