Lesson 1: Password Protection

No matter what operating systems you use on your networked computers, you probably use passwords to control user access to specific resources. There are some sophisticated identification tools available for those networks that require extraordinary amounts of security. For example, one security mechanism requires that a smart card—a credit card–like device with a magnetic strip—be run through a card reader connected to a computer for a user to access the network. There are also biometric devices on the market that can identify users by scanning unique physical characteristics, such as thumbprints or retina patterns. However, most networks don't require such elaborate security measures. Instead, most network administrators require users to supply passwords to access network drives, server applications, and other resources.


After this lesson, you will be able to

  • Understand what types of passwords are most secure
  • Describe the most common password enforcement policies used by Microsoft Windows 2000 and other operating systems

Estimated lesson time: 20 minutes


Using passwords can be an excellent method of securing network resources, or it can be worse than useless. The usefulness of password protection is largely determined by the policies that the network's administrators establish to govern the creation of passwords. When administrators give users too much freedom to create their own passwords, the users' tendencies are to specify short, simple passwords that are easy to remember, and to rarely, if ever, change them. For example, some users create passwords that are the same as their user names or that consist of letters or numbers that are easy to guess, such as their initials or their birthday. Others use no password at all. This defeats the purpose of having a password because these are the first things that an unauthorized user will try to guess.

Of course, it is also possible to carry password assignment to the opposite extreme. Some administrators assign passwords to their users. This ensures the selection of better passwords, but it can backfire as well. If a security-conscious administrator decides to assign passwords that consist of long, random sequences of letters and numbers, users are likely to have trouble remembering them. As a result, users often write down their passwords and leave them in obvious places, such as taped to their monitors. This solution is no better than creating a bad password in the first place and it adds to the administrator's workload.

There is a middle ground between these two extremes, however. Most operating systems provide network administrators with tools they can use to impose password policies on their users, such as forcing them to choose passwords of a specific length and change them at regular intervals. This enables users to select their own passwords within parameters established by the administrator. The results are a password that the user can remember more easily and less work for the network administrator. Setting effective password policies requires psychological as well as technological insight. The idea is to set policies that are strict enough to maintain adequate security without inciting open revolt from users. Some of these password policy tools are discussed in the following sections.

Password policies are typically available in network operating systems that use some kind of directory service to authenticate users and grant them access to network resources. For example, you can set password policies on Windows 2000 and Microsoft Windows NT domain controllers and Novell NetWare servers, but you won't find them in Microsoft Windows Me, Microsoft Windows 98, or Microsoft Windows 95.

User Account Password Settings

When you create a new user account in Windows 2000 or Windows NT, you are presented with a series of check boxes that you can use to control the most basic elements of the password policies for the account, as shown in Figure 13.1.

Figure 13.1  The Windows 2000 New Object – User dialog box

The following check boxes are used to control the account's password policies:

  • User Must Change Password At Next Logon.  This option enables an administrator to assign the same password to each new user account created and forces the user to change that password during the first logon. In this way, the administrator can password-protect the new accounts without having to track individual password assignments.
  • User Cannot Change Password.  This option prevents users from changing the password assigned to the account during its creation. If an administrator elects to assign passwords to users, activating this option on all accounts ensures that he or she retains control over the password assignments.
  • Password Never Expires.  This option overrides other policies that cause passwords to expire after a specified length of time. Users can still change their passwords at will, but they are not required to do so.
  • Account Is Disabled.  This option allows the administrator to temporarily prevent access to an account, eliminating the need to delete and re-create the account.

Specifying Password Lengths

When given free rein to choose any passwords they like, many users opt for short passwords because they are easier to remember and type. Some users even elect to use no password at all. Because short passwords are easier to remember, however, they are also easier to guess. One of the most basic password policies provided in most network operating systems is the ability to specify a minimum password length. A longer password is mathematically more difficult to decipher. The Windows 2000 directory service, Active Directory service, supports passwords of up to 104 characters, although passwords this long would hardly be practical. Windows NT supports passwords of up to 14 characters. Generally speaking, a minimum password length of five or six characters is suitable for most networks. Some organizations requiring greater security might force users to specify passwords of eight characters or more.

As with all password policies, length requirements are implemented by operating systems in various ways. In Windows 2000, you set password restrictions using the Group Policy feature. You can apply policies to particular domains or organizational units, as needed, using the interface shown in Figure 13.2. When you activate the Minimum Password Length policy, you specify the minimum number of password characters using the Security Policy Setting dialog box shown in Figure 13.3.

Figure 13.2  The Domain Security Policy dialog box is one of the places where you can implement group policies

Figure 13.3  This Security Policy Setting dialog box controls the Minimum Password Length policy

All of the policies listed in the Domain Security Policy dialog box have their own Security Policy Setting dialog boxes, which you use to enable and configure the individual policies. These dialog boxes have different types of controls, depending on the function of the policy.

Setting Password Change Intervals

Another important factor in password security is the regular changing of passwords. Users sometimes give out their passwords to other users for the sake of convenience and rarely remember to change them afterward. By requiring changes at regular intervals, you prevent passwords from becoming common knowledge. In a typical implementation of this feature, the user sees a special dialog box when logging on after the change interval has expired. The dialog box forces the user to specify a new password before being granted access to the network or other resources.

As explained earlier in this lesson, some administrators assign an initial password to an account to keep it secure and then force users to change that password during their first logon. Along those lines, in Windows 2000 you can configure a Group Policy called Maximum Password Age that forces users to change their passwords at intervals of a specified number of days, as shown in Figure 13.4. A typical setting for this policy ranges anywhere from a week to a month, depending on your security needs.

Figure 13.4  This Security Policy Setting dialog box controls the Maximum Password Age policy

Some users become attached to a particular password, however, and resent having to change it. As a result, these users might change their passwords as directed and then immediately try to change them back to their original values. Windows 2000 anticipates this behavior, however, and includes two additional policies that help to reinforce your intentions. The Enforce Password History policy enables you to specify the number of previous passwords that the operating system is to remember for each user. When users change their passwords as required by the Maximum Password Age policy, they cannot reuse any of the previous passwords stored in the history. This prevents users from switching back and forth between two passwords when they make the required changes. The Minimum Password Age policy forces users to wait for a specified number of days after changing their passwords before they can change them again. This prevents users from rapidly changing their passwords several times in a few minutes in an attempt to outmaneuver the history feature.
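The interplay between Enforce Password History and Minimum Password Age described above can be modelled in a few lines. This is an added example, not code from the training kit or from Windows: the PasswordHistory class, its method names, and the use of PBKDF2 to store history entries are assumptions made for illustration, as is the choice to count the current password alongside the remembered ones.

```python
import hashlib
import os

class PasswordHistory:
    """Toy model of one account (hypothetical; not how Windows stores history)."""

    def __init__(self, history_size, min_age_days):
        self.history_size = history_size    # Enforce Password History
        self.min_age_days = min_age_days    # Minimum Password Age
        self.salt = os.urandom(16)
        self.history = []                   # digests, newest last (current + previous)
        self.changed_on = None              # day of the last successful change

    def _digest(self, password):
        # Assumption: PBKDF2 stands in for the system's own one-way storage.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10000)

    def change(self, new_password, day):
        """Return 'changed', 'reused' or 'too soon' for one change request."""
        if self.changed_on is not None and day - self.changed_on < self.min_age_days:
            return "too soon"
        digest = self._digest(new_password)
        if digest in self.history:
            return "reused"
        self.history.append(digest)
        # Keep the current password plus history_size previous ones.
        self.history = self.history[-(self.history_size + 1):]
        self.changed_on = day
        return "changed"

def cycle_back_same_day(account, favourite, day):
    """A user makes history_size + 1 throwaway changes, then asks for the old password."""
    outcomes = [account.change("Throwaway_%d" % i, day)
                for i in range(account.history_size + 1)]
    outcomes.append(account.change(favourite, day))
    return outcomes

if __name__ == "__main__":
    for min_age in (0, 1):
        account = PasswordHistory(history_size=3, min_age_days=min_age)
        account.change("FluFFy_9", day=0)
        print("minimum age", min_age, cycle_back_same_day(account, "FluFFy_9", day=30))
```

With a minimum age of 0 the final request succeeds because the old password has been pushed out of the history; with a minimum age of 1 day, every request after the first is refused.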

Enforcing Password Complexity

When intruders try to crack passwords, they often begin by making a series of guesses based on what they can find out about the person whose account they are trying to access. Names of spouses and children, birthdays, initials, and other bits of common knowledge make bad passwords because it usually isn't too difficult for someone to find them out. Less obvious items, such as the name of the pet rabbit you had when you were younger, make better passwords, but it is better still to make your passwords more complex by mixing up the characters in them. For example, most operating systems use passwords that are case sensitive, so mixing uppercase and lowercase letters (in a pattern that isn't too obvious) can make a simple password much harder to guess. FluFFy is much better than fluffy, for example.

Remember that mixed-case letters also make a password harder to type, so don't overdo it.

You can usually use numbers and certain symbols as well as uppercase and lowercase characters in passwords. Adding these elements to your passwords can make them much more difficult to guess. FluFFy_9 is an even better password than FluFFy. Another technique is to take a sentence that's easy to remember and use the first letter of each word to form a password, converting some words to numbers in the process. For example, the sentence "I eat fish for dinner every Friday" can become Ief4deF, a password that is extremely difficult to guess.

A policy that forces users to specify complex passwords like these is not as common as the other features discussed thus far. You can configure both Windows 2000 and Windows NT to require complex passwords, although in the case of Windows NT, you have to install the password filter module (PASSFILT.DLL) yourself. When you enable the Passwords Must Meet Complexity Requirements policy in the Security Policy Setting dialog box shown in Figure 13.5, the passwords that users supply for their accounts must meet the following criteria:

  • The password must contain at least six characters.
  • The password cannot contain any part of the account's user name. For example, the password for an account with the name abaldwin cannot be abaldwin or contain baldwin, bald, and so forth.
  • The password must include three of the following four character types: uppercase letters, lowercase letters, numerals, and symbols.

Figure 13.5  This Security Policy Setting dialog box controls the Passwords Must Meet Complexity Requirements policy
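The three criteria above can be expressed as a small checker, which also shows how the sample passwords from this lesson fare against them. This is an added example, not the logic of PASSFILT.DLL or of Windows 2000 itself: the function names are hypothetical, and treating any run of three or more consecutive user-name characters as "part of the user name" is an assumption, since the lesson does not say how short a fragment counts.

```python
MIN_LENGTH = 6          # first criterion in the list above
MIN_FRAGMENT = 3        # assumption: shortest user-name fragment that counts
REQUIRED_CLASSES = 3    # three of the four character types

def character_classes(password):
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("numeral")
        else:
            classes.add("symbol")
    return classes

def username_fragment(password, username):
    """Return the longest piece of the user name found in the password, or None."""
    pw, name = password.lower(), username.lower()
    for size in range(len(name), MIN_FRAGMENT - 1, -1):
        for start in range(len(name) - size + 1):
            piece = name[start:start + size]
            if piece in pw:
                return piece
    return None

def check_complexity(password, username):
    """Return the list of violated criteria; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    piece = username_fragment(password, username)
    if piece:
        problems.append("contains user-name fragment '%s'" % piece)
    found = character_classes(password)
    if len(found) < REQUIRED_CLASSES:
        problems.append("only %d of 4 character types" % len(found))
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, checked for the account abaldwin.
    for candidate in ["fluffy", "FluFFy", "FluFFy_9", "Ief4deF", "Baldwin_99", "aB1!"]:
        print(candidate, check_complexity(candidate, "abaldwin") or "accepted")
```

Under these criteria FluFFy is rejected along with fluffy, because it uses only two character types, while FluFFy_9 and Ief4deF are accepted.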

Controlling Password Encryption

Most operating systems store user passwords in encrypted form so that a potential intruder can't discover them by using a disk-editing program to read the contents of the drive on which they are stored. The encryption algorithm used on the passwords in a Windows 2000 system is not reversible by default. However, if necessary, you can enable the Store Password Using Reversible Encryption For All Users In The Domain policy to use an encryption method that can be reversed to recover forgotten passwords.

Setting Account Lockout Policies

Given a sufficient number of guesses, a motivated intruder can figure out any password. This is known as the brute force method. Most operating systems include an account lockout feature that prevents anyone from repeatedly trying to guess the password to a given account. In Windows 2000, there are three policies that control the lockout features, as shown in Figure 13.6.

Figure 13.6  The Account Lockout Policy security settings

The policies that control the lockout features are as follows:

  • Account Lockout Duration.  This policy specifies how long (in minutes) accounts should remain locked when the user exceeds the account lockout threshold. Setting the value of this policy to 0 causes accounts to remain locked out until an administrator manually releases them. (To do so, in the Active Directory Users and Computers console, access the user's Properties dialog box. In the Account tab, clear the Account Is Locked Out check box.)
  • Account Lockout Threshold.  This policy specifies the number of logon attempts that users are allowed before their account is locked. When the account is locked, no future logon attempts are permitted until the account is reset. Occasional failed logon attempts due to typographic errors, improper case, or forgotten passwords are common, so you should generally permit users at least three tries before locking the account. A value of 0 disables the lockout function.
  • Reset Account Lockout Counter After.  This policy causes the failed logon counter to reset after a specified amount of time (in minutes). When a user logs on successfully, the failed logon counter is reset. However, if the user does not log on successfully, the counter that registers the number of failed logon attempts remains in place until it is reset by this policy.
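The way the three lockout settings interact is easier to see in a small model. This is an added example, not Windows code: the LockoutPolicy class and its method names are hypothetical, time is a plain minute counter supplied by the caller, and measuring the reset window from the most recent failed attempt is an assumption (the window is expected to be at least 1 minute).

```python
class LockoutPolicy:
    """Model of the three lockout settings; all times are in minutes."""

    def __init__(self, threshold, duration, reset_after):
        self.threshold = threshold      # Account Lockout Threshold (0 disables lockout)
        self.duration = duration        # Account Lockout Duration (0 = until admin release)
        self.reset_after = reset_after  # Reset Account Lockout Counter After
        self.failures = {}              # user -> (failed count, time of last failure)
        self.locked_at = {}             # user -> time the lock was applied

    def is_locked(self, user, now):
        if user not in self.locked_at:
            return False
        if self.duration and now - self.locked_at[user] >= self.duration:
            self.unlock(user)           # the lock has expired on its own
            return False
        return True

    def unlock(self, user):
        """Administrator release, also used for automatic expiry."""
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)

    def logon(self, user, password_ok, now):
        """Return 'granted', 'denied' or 'locked' for one logon attempt."""
        if self.is_locked(user, now):
            return "locked"             # even the correct password is refused
        if password_ok:
            self.failures.pop(user, None)   # a successful logon resets the counter
            return "granted"
        count, last = self.failures.get(user, (0, now))
        if now - last >= self.reset_after:
            count = 0                   # the failure counter has aged out
        count += 1
        self.failures[user] = (count, now)
        if self.threshold and count >= self.threshold:
            self.locked_at[user] = now
            return "locked"             # this failure reached the threshold
        return "denied"

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration=30, reset_after=10)
    # Constructed sequence: three quick failures, then the right password twice.
    for minute, ok in [(0, False), (1, False), (2, False), (5, True), (32, True)]:
        print(minute, policy.logon("abaldwin", ok, minute))
```

Failures spaced further apart than the reset window never accumulate in this model, so the threshold and reset window together limit how fast passwords can be tried rather than how many; choose the two values with that rate in mind.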

Exercise 1: Password Policies

For each of the characteristics in the left column, specify which of the policies in the right column best applies to it.

Characteristics (left column):

  1. Specifies the number of logon attempts a user is permitted
  2. Requires passwords to contain at least six characters
  3. Prevents users from reusing the same passwords
  4. Prevents users from defeating the Enforce Password History policy
  5. Enables passwords to be recovered

Policies (right column):

  1. Enforce Password History
  2. Maximum Password Age
  3. Minimum Password Age
  4. Minimum Password Length
  5. Passwords Must Meet Complexity Requirements
  6. Store Password Using Reversible Encryption
  7. Account Lockout Threshold
  8. Account Lockout Duration
  9. Reset Account Lockout Counter After

Lesson Review

  1. Which of the following is not a password characteristic enforced by the Passwords Must Meet Complexity Requirements policy?
    1. Passwords cannot contain all or part of the account's user name.
    2. Passwords must be changed weekly.
    3. Passwords must be at least six characters long.
    4. Passwords must include numerals, symbols, or both.
  2. What is the maximum length of an Active Directory password?
    1. 8 characters
    2. 14 characters
    3. 24 characters
    4. 104 characters
  3. What does setting the Account Lockout Threshold policy prevent intruders from using to penetrate your network security?
    1. Stolen passwords
    2. Illegal software
    3. The brute force method
    4. Unencrypted passwords

Lesson Summary

  • For passwords to be an effective means of protecting network resources, users and administrators must select suitable passwords.
  • Most network operating systems enable administrators to implement policies that govern how and when users should create new passwords.
  • Effective passwords should be at least five or six characters long and use a combination of uppercase and lowercase letters, numbers, and symbols.
  • Users should be compelled to change their passwords at regular intervals and should not be allowed to use the same few passwords repeatedly.
  • User accounts should be automatically locked out after a specified number of failed logon attempts.


Network+ Certification Training Kit
Self-Paced Training Kit Exam 70-642: Configuring Windows Server 2008 Network Infrastructure
ISBN: 0735651604
EAN: 2147483647
Year: 2001
Pages: 105
