Security Part 2 Explanation


Understanding Security Policies

Lesson 3
Objectives
Password
• Much of today’s data protection is based on
the password.
• One basic component of your information
security program is ensuring that all
employees select and use strong passwords.
• The strength of a password can be determined
by looking at the password’s length,
complexity, and randomness.
Password Complexity
• Password complexity involves the characters
used to make up a password.
• A complex password uses characters from at
least three of the following categories:
– English uppercase characters (A through Z)
– English lowercase characters (a through z)
– Numeric characters (0 through 9)
– Nonalphanumeric characters (!, @, #, $, %, ^,
&, etc.)
Password Length
• The length of a password is a key component
of its strength.
• Password length is the number of characters
used in a password.
• The first step toward preventing brute-force attacks should be a longer
minimum password length.
Time Between Password Changes
• Time between password changes can be defined by
two settings:
– Minimum Password Age
– Maximum Password Age
The minimum password age setting controls how many days
a user must wait before they can reset their password. This can be
set to a value from 1 to 998 days. If set to 0, passwords can be
changed immediately.
The maximum password age setting controls the maximum
period of time permitted before a user is forced to reset their
password. This can be set from 1 to 999 days, or to 0 if
passwords are set to never expire.
Password History
• Password history is the setting that determines
the number of unique passwords that must be
used before a password can be re-used.
• This setting prevents users from recycling the
same passwords through a system.
• The value of this setting can be between 0 and
24; if this value is set to 0, Enforce password
history is disabled.
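The password-length, complexity, age and history settings described above can be checked together at password-change time. The following is an added example written for this page, not Microsoft code or a Windows API: it mirrors the slide's rules (at least three of four character categories, history 0 to 24 with 0 disabling the check, minimum age 0 to 998 days with 0 meaning "change immediately", maximum age 0 to 999 days with 0 meaning "never expires"). The class and function names (PasswordPolicy, UserPasswordState, validate_change, apply_change, is_expired) are my own, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Password policy evaluator for the Windows-style settings discussed above.

Added example (not Microsoft's implementation).  Names are hypothetical;
the numeric ranges and 0-means-disabled semantics follow the slide text.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGIT = set("0123456789")


def category_count(password: str) -> int:
    """Count how many of the four character categories the password uses."""
    has_upper = any(c in UPPER for c in password)
    has_lower = any(c in LOWER for c in password)
    has_digit = any(c in DIGIT for c in password)
    # Anything that is not an English letter or a digit counts as nonalphanumeric.
    has_other = any(c not in UPPER and c not in LOWER and c not in DIGIT for c in password)
    return sum([has_upper, has_lower, has_digit, has_other])


def is_complex(password: str) -> bool:
    """Complexity rule from the slides: characters from at least 3 of 4 categories."""
    return category_count(password) >= 3


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_complexity: bool = True
    history_length: int = 24      # 0..24; 0 disables password-history enforcement
    min_age_days: int = 1         # 0..998; 0 = password may be changed immediately
    max_age_days: int = 90        # 0..999; 0 = password never expires

    def __post_init__(self) -> None:
        # Reject values outside the ranges the settings accept.
        if not 0 <= self.history_length <= 24:
            raise ValueError("history_length must be 0..24")
        if not 0 <= self.min_age_days <= 998:
            raise ValueError("min_age_days must be 0..998")
        if not 0 <= self.max_age_days <= 999:
            raise ValueError("max_age_days must be 0..999")


@dataclass
class UserPasswordState:
    # Previous passwords are kept only as (salt, hash) pairs, most recent last.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept small so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def _in_history(policy: PasswordPolicy, state: UserPasswordState, password: str) -> bool:
    """True if the candidate matches one of the last `history_length` passwords."""
    if policy.history_length == 0:
        return False
    for salt, digest in state.history[-policy.history_length:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            return True
    return False


def validate_change(policy: PasswordPolicy, state: UserPasswordState,
                    new_password: str, now: datetime) -> List[str]:
    """Return every policy violation; an empty list means the change is allowed."""
    problems: List[str] = []
    if len(new_password) < policy.min_length:
        problems.append(f"length {len(new_password)} is below the minimum of {policy.min_length}")
    if policy.require_complexity and not is_complex(new_password):
        problems.append("uses fewer than 3 of the 4 character categories")
    if _in_history(policy, state, new_password):
        problems.append(f"matches one of the last {policy.history_length} passwords")
    if state.last_changed is not None and policy.min_age_days > 0:
        if now - state.last_changed < timedelta(days=policy.min_age_days):
            problems.append(f"minimum password age of {policy.min_age_days} day(s) not reached")
    return problems


def apply_change(policy: PasswordPolicy, state: UserPasswordState,
                 new_password: str, now: datetime) -> None:
    """Validate, then record the new password in the user's history."""
    problems = validate_change(policy, state, new_password, now)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    state.history.append((salt, _hash(new_password, salt)))
    state.history = state.history[-24:]     # never need more than the maximum history
    state.last_changed = now


def is_expired(policy: PasswordPolicy, state: UserPasswordState, now: datetime) -> bool:
    """Maximum-age check; 0 means passwords never expire."""
    if policy.max_age_days == 0:
        return False
    if state.last_changed is None:
        return True
    return now - state.last_changed >= timedelta(days=policy.max_age_days)
```

The history check compares against stored salted hashes rather than plaintext, so old passwords never sit in the clear; the minimum-age check is what stops a user from cycling through the history in one sitting to get back to a favourite password.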
Password Policy
Account Lockout
• Account lockout refers to the number of
incorrect logon attempts permitted before a
system locks an account.
• Microsoft provides three separate settings with
respect to account lockout:
– Account lockout duration
– Account lockout threshold
– Reset account lockout counter after
Account Lockout (continued)
• Account lockout duration: You can specify the time in minutes that the
account can be locked out. For example, if the account locks out for two
hours, the user can try again after that time. The default is no lockout.
When you define the policy, the default time is 30 minutes. The setting can
be from 0 to 99,999. When set to 0, the account will remain locked out
until an administrator manually unlocks it.
• Account lockout threshold: This specifies the number of failed attempts at
logon a user is allowed before the account is locked out (for example,
three). After the threshold has been reached, the account will be locked out.
If this value is set to 0, the account will not lock out. This setting can be
from 0 to 999.
• Reset account lockout counter after: You can choose to have the account
lockout counter reset after a number of minutes. At that time, the count will
start over at one.
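The three lockout settings interact, and the 0 values have special meanings, so it helps to see them as a small state machine. The following is an added example written for this page, not Microsoft code: LockoutPolicy, AccountState, record_login, is_locked and admin_unlock are hypothetical names, and the current time is passed in so the behaviour is deterministic. The semantics follow the slide text: threshold 0 never locks, duration 0 keeps the account locked until an administrator unlocks it, and the failed-attempt counter starts over once the reset window has elapsed.

```python
"""Account-lockout state machine for the three settings described above.

Added example (not Microsoft's implementation).  Names are hypothetical;
the ranges and 0-value semantics follow the slide text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                    # 0..999 failed attempts; 0 = never lock out
    duration_minutes: int = 30            # 0..99,999; 0 = locked until admin unlock
    reset_counter_after_minutes: int = 30 # counter starts over after this much quiet

    def __post_init__(self) -> None:
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be 0..999")
        if not 0 <= self.duration_minutes <= 99_999:
            raise ValueError("duration_minutes must be 0..99,999")
        if self.reset_counter_after_minutes < 1:
            raise ValueError("reset_counter_after_minutes must be at least 1")


@dataclass
class AccountState:
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None


def is_locked(policy: LockoutPolicy, state: AccountState, now: datetime) -> bool:
    """True while the lockout is in force; duration 0 only ends via admin_unlock."""
    if state.locked_at is None:
        return False
    if policy.duration_minutes == 0:
        return True
    return now < state.locked_at + timedelta(minutes=policy.duration_minutes)


def record_login(policy: LockoutPolicy, state: AccountState,
                 success: bool, now: datetime) -> str:
    """Apply one logon attempt and return 'locked', 'ok' or 'failed'."""
    if is_locked(policy, state, now):
        # Even a correct password is refused while the account is locked.
        return "locked"
    if state.locked_at is not None:
        # A timed lockout has expired: clear it and start counting afresh.
        state.locked_at = None
        state.failed_attempts = 0
    if (state.last_failure is not None and
            now - state.last_failure >= timedelta(minutes=policy.reset_counter_after_minutes)):
        # Reset window elapsed: the next failure counts as the first one again.
        state.failed_attempts = 0
    if success:
        state.failed_attempts = 0
        state.last_failure = None
        return "ok"
    state.failed_attempts += 1
    state.last_failure = now
    if policy.threshold and state.failed_attempts >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "failed"


def admin_unlock(state: AccountState) -> None:
    """Manual unlock by an administrator; the only way out when duration is 0."""
    state.locked_at = None
    state.failed_attempts = 0
    state.last_failure = None
```

Two consequences worth noticing when choosing values: a low threshold with a long duration makes it easy for anyone who knows a user name to lock that user out, and a reset window longer than the lockout duration means slow, spaced-out guessing still accumulates toward the threshold.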
Account Lockout Policy
Using Password Group Policies to Enforce
Password Security
• A Group Policy Object (GPO) is a set of rules
which allow an administrator granular control
over the configuration of objects in Active
Directory (AD), including user accounts,
operating systems, applications, and other AD
objects.
Password Settings Objects
• Fine-grained password policies allow you to specify
multiple password policies within a single domain so that
different restrictions for password and account lockout
policies can be applied to different sets of users in a
domain.
• To use a fine-grained password policy, the domain
functional level must be at least Windows Server 2008.
To enable fine-grained password policies, first create a
Password Settings Object (PSO). Then, configure the
same settings that are configured for the password and
account lockout policies.
Establishing Password Procedures (1 of 2)
• Every organization should develop a security policy,
which is a written document that describes how a
system, organization, or other entity is secured.
• The security policy should include an acceptable use
policy, which describes the constraints and practices
that users must agree to in order to access the
corporate network, corporate resources, and the
internet.
Establishing Password Procedures (2 of 2)
• It is also important to specify a password policy, which
dictates the length and complexity requirements for passwords
and how often a password should be changed.
• It can also specify whether multi-factor authentication should
be used and whether a lockout policy is used when a user has
attempted to log on several times using the incorrect password.
Common Attack Methods
• Passwords have long been recognized as one
of the weak links in many security programs.
– First, you are completely reliant on users in the
selection of passwords.
– Second, even strong passwords are vulnerable
to attack through a variety of different
mechanisms.
Dictionary and Brute Force Attacks
• A dictionary attack uses a dictionary
containing an extensive list of potential
passwords that the attacker then tries in
conjunction with a user ID in an attempt to
guess the appropriate password.
• Another, more crude type of attack—called a
brute force attack—doesn’t rely on lists of
passwords, but rather tries all possible
combinations of permitted character types.
Physical Attacks
• Anytime your computer can be physically accessed
by an attacker, that computer is at risk.
• Physical attacks on your computer can completely
bypass almost all security mechanisms, such as by
capturing the passwords and other critical data
directly from the keyboard when a software or
hardware keylogger is used.
• In fact, if your encryption key passes through a
keylogger, you might find that even your encrypted
data is jeopardized.
Cracked Passwords
• Cracking a password frequently relies on more
than just a password-guessing attack. In a cracked
password attack, the attacker gets access to an
encrypted password file from a workstation or
server.
• Once they have access, the attacker will start
running password cracking tools against the
file.
Sniffers
• Sniffers are specially designed software (and
in some cases hardware) applications that
capture network packets as they traverse a
network, displaying them for the attacker.
• Sniffers are valid forms of test equipment,
used to identify network and application
issues, but the technology has been rapidly
co-opted by attackers as an easy way to grab
logon credentials.
Summary (1 of 5)
• The strength of a password can be determined
by looking at the password’s length, complexity,
and randomness.
• A complex password uses characters from at
least three of the following categories:
uppercase, lowercase, numeric characters, and
nonalphanumeric characters.
• Account lockout refers to the number of
incorrect logon attempts permitted before a
system will lock an account.
Summary (2 of 5)
• The Minimum Password Age setting controls how
many days users must wait before they can reset their
password.
• The Maximum Password Age setting controls the
maximum period of time that can elapse before users
are forced to reset their password.
• A Group Policy Object (GPO) is a set of rules that
allow an administrator granular control over the
configuration of objects in Active Directory (AD),
including user accounts, operating systems,
applications, and other AD objects.
Summary (3 of 5)
• Passwords have long been recognized as one
of the weak links in many security programs.
• During a dictionary attack, the attacker tries an
extensive list of potential passwords in
conjunction with a user ID to try to guess the
appropriate password.
• Brute force attacks try all possible
combinations of permitted character types in
an attempt to determine a user’s password.
Summary (4 of 5)
• Physical attacks on a computer can completely
bypass almost all security mechanisms, such as by
capturing passwords and other critical data directly
from a keyboard when a software or hardware
keylogger is used.
• In a password crack attack, attackers get access to an
encrypted password file from a workstation or server.
Once they have access to this file, attackers start
running password cracking tools against it.
Summary (5 of 5)
• If an attacker can gain access to your internal
network, your wireless network, or even an internet
access point used by your employees, they have the
ability to use a specialized tool known as a sniffer to
try to intercept unencrypted passwords.
• While not as prevalent an issue as it was in times
past, there is still the possibility that someone could
sit down at your computer and guess your password.
