• Home

  • Documents

  • Security and compliance: Robust password solutions for ... · End user password reset •Web-based,...
34
Security and compliance: Robust password solutions for Active Directory Derek Melber [email protected]

Security and compliance: Robust password solutions for ... · End user password reset •Web-based, not Microsoft GUI based –Allows for easier communication with user –Allows

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

  • Security and compliance:

    Robust password solutions for

    Active Directory

    Derek Melber

    [email protected]

  • About Your Speaker

  • • Derek Melber

    [email protected]

    • 15 time MVP (AD and Group Policy)

    • Online Resources

    • ManageEngine Active Directory Blog

    • Security Hardening Site

    • 2017 World Tour

    • London, Scotland

    • Dubai, Johannesburg, Munich, Dusseldorf, Hamburg

    • Barcelona, Madrid, Lisbon

    • Sydney, Brisbane

    • Stockholm, Malmo

    • ...

    About Derek Melber

  • Agenda

    • Default Password Policy

    • Fine Grained Password Policies

    • Password Attack Strategies

    • Password Policies using ADSSP

    • End user self service password reset

  • Default Password Policy

  • Default Password Policy

    • Configured using Group Policy

    – Default Domain Policy

    – Linked to AD domain node

  • GPO Password Policy Q&A

    How many password policies can you have in a single domain?

  • GPO Password Policy Q&A

    Can you link a GPO containing a password policy to the Domain

    Controllers OU?

    What is the result?

  • GPO Password Policy Q&A

    Can you link a GPO containing a password policy to an OU

    containing users?

    What is the result?

  • GPO Password Policy Q&A

    Are there any options to increase the security of the password policy

    beyond what is in the Account Policies section of a GPO?

  • Fine Grained Password Policies

  • Fine Grained Password Policies

    • Not configured in Group Policy

    • Not configured by default

    • Configured using ADSIEdit

  • Fine Grained Password Policies

  • FGPP Password Policy Q&A

    How many password policies can you have in a single domain?

  • FGPP Password Policy Q&A

    How are FGPP applied to users?

  • FGPP Password Policy Q&A

    Are there any options to increase the security of the password policy

    beyond what the FGPP wizard prompts you for?

  • Password attack strategies

  • Password attack strategies

    • Dictionary attack

    • Brute force attack

    • Rainbow table attack

    • Pass the Hash (PtH) attack

    • Pass the Ticket (PtT) attack

  • Password Policies

    using ADSSP –

    “The Enforcer”

  • Password policy enforcer

    interaction

    • If user has no Password Policy Enforcer – GPO based password policy OR – Fine-grained password policy

    • If user has Password Policy Enforcer – GPO based password policy + Password Policy

    Enforcer OR – Fine-grained password policy + Password Policy

    Enforcer (Note: More secure setting if overlap)

  • Password policy enforcer features

  • Password policy enforcer features

    • Key features for securing passwords

    – 4 of 4 character types

    – Minimum password length over 15 characters

    – Disallow 5 continuous characters from old password

    – Dictionary import/verification

    – Enforce the policy in GINA…

    – Show policy requirements…

  • End user self service

    password reset

  • ADSelfService Plus Policies

    • Defines user interaction with ADSelfService Plus

    • Policy components need to be defined, to ensure security – Self Service features for user

    – Which users will receive policy

    – Multifactor authentication for password manipulation

    – Advanced configurations

  • ADSelfService Plus Policies

    • Self Service features

  • ADSelfService Plus Policies

    • Which users will receive policy

  • ADSelfService Plus Policies

    • Multifactor authentication for password manipulation

  • Enrolling users into

    ADSelfService Plus

    • Users need to enroll to be “known” by system

    – Enrollment can be more manual for user • Send email only

    • User must logon to ADSSP

    – Enrollment can be more automated for user • Send email

    • Single Sign On enabled

    – Enrollment can be forced before using computer • Forced Enrollment

    • Single Sign On enabled

  • Enrolling Users into

    ADSelfService Plus

  • End user password reset

    • Web-based, not Microsoft GUI based

    – Allows for easier communication with user

    – Allows for user to reset password remotely

    • Features include

    – Custom message

    – Message can include URL link

    – Administrative Tools – Gina/MAC

  • End user unlock

    • Web-based!

    • Shows the current password policy to ensure easy password entry for end user

    • CAPTCHA support

  • Summary

    • Default Password Policy

    • Fine Grained Password Policies

    • Password Attack Strategies

    • Password Policies using ADSSP

    • End user self service password reset

  • Thank You!

    Questions?

    [email protected]


Single User – Forgotten Password - Standard Bank International/Manage... · Single User – Forgotten Password Password Reset Guide. 2 1 On the login screen for Single User, click

Single User – Forgotten Password - Standard Bank International/Manage... · Single User – Forgotten Password Password Reset Guide. 2 1 On the login screen for Single User, click

Documents
Password protected and each user is assigned their own password

Password protected and each user is assigned their own password

Documents
2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s

2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s

Documents
User Authentication and Passwords...Password Guessing Against Single UserGain knowledge about user and use that to guess password I Countermeasures: control password selection; train

User Authentication and Passwords...Password Guessing Against Single UserGain knowledge about user and use that to guess password I Countermeasures: control password selection; train

Documents
Password Safe PSRUN User Guide 21

Password Safe PSRUN User Guide 21

Documents
ADSL Modem User and Password

ADSL Modem User and Password

Documents
USER NAME: PASSWORD

USER NAME: PASSWORD

Documents
Snapchat User Manual No Password

Snapchat User Manual No Password

Documents
User Preferences Changing Your Password

User Preferences Changing Your Password

Documents
User Guide for myHR2u Self Password Reset Please ... - Maybank · PDF filemyHR2u Self Reset Password User Guide | V2.0 | Last Update:26.06.2014 Page 1 User Guide for myHR2u Self Password

User Guide for myHR2u Self Password Reset Please ... - Maybank · PDF filemyHR2u Self Reset Password User Guide | V2.0 | Last Update:26.06.2014 Page 1 User Guide for myHR2u Self Password

Documents
SA02 - User and Password Management Techniques

SA02 - User and Password Management Techniques

Software
1. Creating a Username and Password (User ID & Password)

1. Creating a Username and Password (User ID & Password)

Documents
Mass User Password Reset Using Lsmw

Mass User Password Reset Using Lsmw

Documents
Password Management Before User Provisioning

Password Management Before User Provisioning

Technology
Password Protection User Manual (CarryItEasy.exe).pdf

Password Protection User Manual (CarryItEasy.exe).pdf

Documents
Password Manager User Guide - Lend Lease … Lease 9 /13/2013 Password Manager User Guide Password Manager Guide This guide provides the user a step by step process for unlocking your

Password Manager User Guide - Lend Lease … Lease 9 /13/2013 Password Manager User Guide Password Manager Guide This guide provides the user a step by step process for unlocking your

Documents
ONE login screen ONE Password ONE User ID User can … · • User can RESET own password . ... • Logging on this way allows you to work in LEO and Business Objects with one sign-on

ONE login screen ONE Password ONE User ID User can … · • User can RESET own password . ... • Logging on this way allows you to work in LEO and Business Objects with one sign-on

Documents
Email user guide Having a strong password allows other users to struggle to guess. To make a strong password you should use up to 12 letters and 1 or 2

Email user guide Having a strong password allows other users to struggle to guess. To make a strong password you should use up to 12 letters and 1 or 2

Documents
User s behaviour on password selectingkgk.uni-obuda.hu/.../files/User-s-behaviour-on-password-selecting.pdf · User’s behaviour on password selecting Msc.Ing. Nertila Hoxha Content

User s behaviour on password selectingkgk.uni-obuda.hu/.../files/User-s-behaviour-on-password-selecting.pdf · User’s behaviour on password selecting Msc.Ing. Nertila Hoxha Content

Documents
How to Restore Default Password User Manual Reset Password...HIKVISION EUROPE B.V. How to Restore Default Password User Manual (used for restore default password of DVR’s, NVR’s

How to Restore Default Password User Manual Reset Password...HIKVISION EUROPE B.V. How to Restore Default Password User Manual (used for restore default password of DVR’s, NVR’s

Documents
ev360 ULTIMATE USER GUIDE… · password that you chose when you created your account on ev360ultimate.com is the same username and password that allows ev360 Ultimate to load. Note:

ev360 ULTIMATE USER GUIDE… · password that you chose when you created your account on ev360ultimate.com is the same username and password that allows ev360 Ultimate to load. Note:

Documents
Change User Password · User Password. 1 Enter the user’s ID and new password, and confirm 2 the new password. Finally, click Submit Change. Once you change a user’s password,

Change User Password · User Password. 1 Enter the user’s ID and new password, and confirm 2 the new password. Finally, click Submit Change. Once you change a user’s password,

Documents
Retrieve User Name/Reset Password...PP 1 Retrieve User Name/Reset Password 2020/04/14 15:35 Retrieve User Name/Reset Password (Recuperar nombre de usuario/Restablecer contraseña)

Retrieve User Name/Reset Password...PP 1 Retrieve User Name/Reset Password 2020/04/14 15:35 Retrieve User Name/Reset Password (Recuperar nombre de usuario/Restablecer contraseña)

Documents
SAP checks if USER ID & Password combination is valid. No identification. User requests Log-on, enters USER ID & Password, (not necessarily their own)!

SAP checks if USER ID & Password combination is valid. No identification. User requests Log-on, enters USER ID & Password, (not necessarily their own)!

Documents
User Dan Password SuperWifi UNILA FT

User Dan Password SuperWifi UNILA FT

Documents
USER MANUAL ONLINE TRADING ICDX - Sinarmas Futures · Masukkan user id dan password yang sudah diberikan Selanjutnya diminta untuk merubah password. Masukan kata sandi (password)

USER MANUAL ONLINE TRADING ICDX - Sinarmas Futures · Masukkan user id dan password yang sudah diberikan Selanjutnya diminta untuk merubah password. Masukan kata sandi (password)

Documents
Changing the 'root' Super User Password

Changing the 'root' Super User Password

Documents
3 Roadway Maintenance Services Welcome to 3M TrafficSafetyNow.com ←Password Protected ←Enter your user name USER NAME ←Enter your password PASSWORD Click

3 Roadway Maintenance Services Welcome to 3M TrafficSafetyNow.com ←Password Protected ←Enter your user name USER NAME ←Enter your password PASSWORD Click

Documents
1 Password Reset Effortless, Self service User Password Reset

1 Password Reset Effortless, Self service User Password Reset

Documents
Single User - Forgotten Password - Standard Bank

Single User - Forgotten Password - Standard Bank

Documents