Because SharePoint Server 2007 requires domain services for authentication, it is wise to have password policies in place for your network. If you have any policies in place in your organization, chances are good that you already have policies that address the issues listed in this section. However, the implementation of SharePoint Server 2007 is an appropriate time to review those policies, because most of the information held in SharePoint Server 2007 can be compromised by obtaining a SharePoint-pervasive username and password combination.
Like most policy domain areas, there are subareas that should be addressed as the policies are written. Password policies are no exception. The following are some of the issues to be considered when developing your password policies:
Minimum password length
Password complexity and strength
Prohibition of reusing old passwords
Prohibition of written storage of passwords
Prohibition against printing or displaying passwords
Periodic forced change in passwords
Method to manage expired passwords
Authorized means to transmit new passwords to remote users
Limits on consecutive attempts to enter a password
Acceptance or prohibition of single sign-on services
Prohibition of passwords sent through e-mail
Requirement for encrypted storage of passwords
Reliance on domain services for authentication
Requirement for non-anonymous authentication before access to information is allowed
Use of duress passwords (Duress passwords trigger scripts during a duress situation; that is, if a gun is pointed at your head and you are asked to log on to the server, a duress password would log you on, but because of the specific password entered, a script would be triggered to delete all predetermined sensitive data.)
Requirement to change all administrative passwords if any have been compromised
Password sharing prohibition
User responsibility for all actions taken with his username and password combination
Security notice in logon system banner
Prohibition against leaving systems without logging off or locking the system
Use of biometric devices required for logon to portal
Use of smart-card devices required for logon to portal system
This chapter introduces issues that you should consider when writing your policies. Each issue introduced might or might not apply to your environment. For example, some organizations might have a strong password complexity policy, while another environment might not have one because of culture, industry, or other factors. The recommendation here isn't that each issue be implemented as presented, only that each issue be considered as the policies are written.
Most of these issues relating to password policies should be covered in your current information security policies, but one that directly affects SharePoint Server 2007 is the single sign-on policy. If your organization prohibits single sign-on capabilities, meaning that users must log on to each application that requires unique authentication, you will be unable to use the single sign-on feature in SharePoint Server 2007.
Also, the Active Directory Mode feature of Windows SharePoint Services needs to be considered in a Windows SharePoint Services-only installation. Because this feature gives site administrators the ability to create new user accounts in Active Directory, if you are going to use this feature, you should have policies governing who can be a site administrator and under what circumstances a new user account can be created in Active Directory from a Windows SharePoint Services site.
In addition, if you are going to use SharePoint Server 2007 in an extranet environment, especially for its customer-relationship features, in which users outside your company will be authenticating in your domain to access their portion of the portal site, a policy specifying how you will securely transmit passwords to those users, and whether or not e-mail can be used for that purpose, will be of paramount importance.
Moreover, in situations in which you will be sharing sensitive information with other companies (maybe even competitors), you will probably want a robust set of password policies to be required by all parties to the agreement, necessitating the development of such policies before the project can begin.
As mentioned previously, much of the information in SharePoint Server 2007 is secured only through username and password combinations. The compromise of passwords in your environment could lead to sensitive information being exposed to the wrong people, and this, in most cases, would be disastrous.