Security and compliance:
Robust password solutions for
Active Directory
Derek Melber
About Your Speaker
• Derek Melber
• 15-time MVP (AD and Group Policy)
• Online Resources
• ManageEngine Active Directory Blog
• Security Hardening Site
• 2017 World Tour
• London, Scotland
• Dubai, Johannesburg, Munich, Dusseldorf, Hamburg
• Barcelona, Madrid, Lisbon
• Sydney, Brisbane
• Stockholm, Malmo
• ...
About Derek Melber
Agenda
• Default Password Policy
• Fine Grained Password Policies
• Password Attack Strategies
• Password Policies using ADSSP
• End user self service password reset
Default Password Policy
Default Password Policy
• Configured using Group Policy
– Default Domain Policy
– Linked to AD domain node
GPO Password Policy Q&A
How many password policies can you have in a single domain?
GPO Password Policy Q&A
Can you link a GPO containing a password policy to the Domain Controllers OU?
What is the result?
GPO Password Policy Q&A
Can you link a GPO containing a password policy to an OU containing users?
What is the result?
GPO Password Policy Q&A
Are there any options to increase the security of the password policy beyond what is in the Account Policies section of a GPO?
Fine Grained Password Policies
Fine Grained Password Policies
• Not configured in Group Policy
• Not configured by default
• Configured using ADSIEdit
Fine Grained Password Policies
FGPP Password Policy Q&A
How many password policies can you have in a single domain?
FGPP Password Policy Q&A
How are FGPP applied to users?
FGPP Password Policy Q&A
Are there any options to increase the security of the password policy beyond what the FGPP wizard prompts you for?
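The following PowerShell script is an added example that is not part of the slides. It covers both the Default Password Policy slides and the Fine Grained Password Policy slides above: it reads the domain-wide policy that the Default Domain Policy GPO sets, creates a fine-grained password policy (a Password Settings Object) with the ActiveDirectory module instead of ADSIEdit, assigns it to a group, and checks which policy a user actually ends up with. The PSO name, group name, user name and the specific values are assumptions chosen for illustration.

```powershell
# Added example (not from the slides). Requires the RSAT ActiveDirectory module
# and a domain-joined session with rights to create PSOs.
Import-Module ActiveDirectory

# The domain-wide policy: one per domain, taken from the GPO linked at the
# domain node (the Default Domain Policy by default).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# A fine-grained password policy is a Password Settings Object stored under
# the Password Settings Container in the System container. Creating it with
# the cmdlet replaces the manual ADSIEdit steps. All values below are assumed.
$psoParams = @{
    Name                            = 'PSO-PrivilegedAccounts'      # assumed name
    Precedence                      = 10   # lowest number wins if several PSOs apply
    MinPasswordLength               = 16
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Stricter policy for privileged accounts'
}
New-ADFineGrainedPasswordPolicy @psoParams

# PSOs are applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Tier0-Admins'                                         # assumed group

# Verify the effective policy for one account. The cmdlet returns the winning
# PSO, or nothing when only the default domain policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'                   # assumed user
```

Running the first and last commands before and after assigning the PSO makes the Q&A points above concrete: the domain has a single GPO-based policy for domain accounts, while any number of PSOs can coexist, each targeting users or global security groups, with the lowest precedence value winning when more than one applies.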
Password attack strategies
Password attack strategies
• Dictionary attack
• Brute force attack
• Rainbow table attack
• Pass the Hash (PtH) attack
• Pass the Ticket (PtT) attack
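As an added, defender-side example that is not part of the slides, the script below summarises failed logon events the way an administrator would when looking for the dictionary and brute force guessing named above: repeated failures against one account, or a large number of failures from one source address. The event objects are constructed sample data; the closing comment describes the live equivalent from the Security log (event ID 4625, whose EventData carries TargetUserName and IpAddress). The thresholds are assumptions.

```powershell
# Added example (not from the slides). Counts failed logons per target account
# and per source address over a set of event-like objects.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $AccountThreshold = 5,   # failures against one account (assumed)
        [int] $SourceThreshold  = 20   # failures from one source address (assumed)
    )
    $perAccount = $Events | Group-Object TargetUserName |
        Where-Object { $_.Count -ge $AccountThreshold } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'account'; Value = $_.Name; Failures = $_.Count }
        }
    $perSource = $Events | Group-Object IpAddress |
        Where-Object { $_.Count -ge $SourceThreshold } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'source'; Value = $_.Name; Failures = $_.Count }
        }
    # Wrap both in @() so a single result and $null both concatenate cleanly.
    @($perAccount) + @($perSource)
}

# Constructed sample: eight failures against one service account from one
# host, plus a few ordinary mistyped passwords that should not be reported.
$sampleEvents = @()
1..8 | ForEach-Object {
    $sampleEvents += [pscustomobject]@{ TargetUserName = 'svc-backup'; IpAddress = '10.0.0.5' }
}
foreach ($user in 'alice', 'bob', 'carol') {
    $sampleEvents += [pscustomobject]@{ TargetUserName = $user; IpAddress = '10.0.0.7' }
}

Get-FailedLogonSummary -Events $sampleEvents -AccountThreshold 5 -SourceThreshold 10

# Live data: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# and project each event's EventData fields TargetUserName and IpAddress into
# objects of the same shape before calling Get-FailedLogonSummary.
```

With the sample data only the svc-backup account crosses its threshold; neither source address reaches ten failures. The lockout threshold set in the default domain policy or in a fine-grained password policy is the control that bounds how far this kind of guessing can go before the account is locked.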
Password Policies using ADSSP – “The Enforcer”
Password policy enforcer interaction
• If user has no Password Policy Enforcer
  – GPO based password policy OR
  – Fine-grained password policy
• If user has Password Policy Enforcer
  – GPO based password policy + Password Policy Enforcer OR
  – Fine-grained password policy + Password Policy Enforcer
  (Note: More secure setting if overlap)
Password policy enforcer features
Password policy enforcer features
• Key features for securing passwords
– 4 of 4 character types
– Minimum password length over 15 characters
– Disallow 5 continuous characters from old password
– Dictionary import/verification
– Enforce the policy in GINA…
– Show policy requirements…
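The function below is an added example, not ADSelfService Plus code: it implements the rules listed on the slide as a standalone check so the logic behind each rule is visible. The reading of "disallow 5 continuous characters from old password" as "no run of five consecutive characters of the old password may appear in the new one", the treatment of the dictionary check as a substring match, and the sample dictionary are all assumptions.

```powershell
# Added example (not ADSelfService Plus code). Checks a candidate password
# against the four rules from the slide and reports every failure found.
function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string]   $OldPassword = '',
        [string[]] $Dictionary  = @(),
        [int] $MinLength    = 16,   # "minimum password length over 15 characters"
        [int] $MaxSharedRun = 4     # "disallow 5 continuous characters from old password"
    )
    $failures = @()

    # 4 of 4 character types. -cnotmatch is required: plain -match is
    # case-insensitive in PowerShell and would not distinguish upper from lower.
    $classes = [ordered]@{
        upper  = '[A-Z]'
        lower  = '[a-z]'
        digit  = '\d'
        symbol = '[^A-Za-z0-9]'
    }
    foreach ($name in $classes.Keys) {
        if ($Candidate -cnotmatch $classes[$name]) { $failures += "missing $name character" }
    }

    if ($Candidate.Length -lt $MinLength) { $failures += "shorter than $MinLength characters" }

    # Reject any run of ($MaxSharedRun + 1) consecutive characters that also
    # occurs in the old password (assumed interpretation of the slide's rule).
    $runLength = $MaxSharedRun + 1
    if ($OldPassword.Length -ge $runLength) {
        for ($i = 0; $i -le $OldPassword.Length - $runLength; $i++) {
            $run = $OldPassword.Substring($i, $runLength)
            if ($Candidate.IndexOf($run, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $failures += "reuses '$run' from the old password"
                break
            }
        }
    }

    # Dictionary verification: reject if any imported word appears anywhere
    # in the candidate, ignoring case (assumed substring semantics).
    foreach ($word in $Dictionary) {
        if ($Candidate.IndexOf($word, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains dictionary word '$word'"
            break
        }
    }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample dictionary standing in for an imported word list.
$dictionary = @('password', 'welcome', 'summer', 'company')

# A change that keeps most of the old password and wraps a dictionary word.
Test-PasswordAgainstPolicy -Candidate 'Summer2024!!Summer' -OldPassword 'Summer2023!!' -Dictionary $dictionary
# A candidate with all four classes, 16 characters, no shared run and no dictionary word.
Test-PasswordAgainstPolicy -Candidate 'xK9#wq2Lp!7vRt4m' -OldPassword 'Summer2023!!' -Dictionary $dictionary
```

Returning the full list of failures rather than a single yes/no is what makes the "show policy requirements" feature on the slide useful: the user sees every rule they missed at once instead of fixing one and being rejected again.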
End user self service password reset
ADSelfService Plus Policies
• Defines user interaction with ADSelfService Plus
• Policy components need to be defined, to ensure security
  – Self Service features for user
  – Which users will receive policy
  – Multifactor authentication for password manipulation
  – Advanced configurations
ADSelfService Plus Policies
• Self Service features
ADSelfService Plus Policies
• Which users will receive policy
ADSelfService Plus Policies
• Multifactor authentication for password manipulation
Enrolling users into ADSelfService Plus
• Users need to enroll to be “known” by system
  – Enrollment can be more manual for user
    • Send email only
    • User must logon to ADSSP
  – Enrollment can be more automated for user
    • Send email
    • Single Sign On enabled
  – Enrollment can be forced before using computer
    • Forced Enrollment
    • Single Sign On enabled
Enrolling Users into ADSelfService Plus
End user password reset
• Web-based, not Microsoft GUI based
– Allows for easier communication with user
– Allows for user to reset password remotely
• Features include
– Custom message
– Message can include URL link
– Administrative Tools – Gina/MAC
End user unlock
• Web-based!
• Shows the current password policy to ensure easy password entry for end user
• CAPTCHA support
Summary
• Default Password Policy
• Fine Grained Password Policies
• Password Attack Strategies
• Password Policies using ADSSP
• End user self service password reset
Thank You!
Questions?