How to review password quality in Active Directory

More applications and devices are using password repositories to check on password reuse. When you log into your iPhone for example, it now alerts you that passwords you saved in your iCloud keychain may have been reused in other places. In January, Microsoft released a new tool in its Edge browser that checks on the status of reused passwords. It will flag and alert you when a password stored in the browser has been exposed in an online breach.

Often in a network environment, you’d like to inform your users of ways they can improve their security. Using a tool to review the quality of passwords in your domain is wise. Specops, for example, has a free Password Auditor tool to review the status of passwords in your Active Directory (AD) environment.

The tool will not make changes to AD but merely read the values of pwdLastSet, userAccountControl and lastLogonTimestamp. It will read all password policies and details about user accounts and their password hashes. You must run Password Auditor as a domain admin to be able to read password hashes and fine-grained password policies. The tool provides reports to show which user accounts have leaked passwords and how password settings in your organization compare with industry standards and best practices. The server or workstation it’s installed on must have .NET 4.7 or higher installed.  

Once you start the tool you have the option to download a copy of the breached password database. Install this tool in a location where you have multiple gigabytes of storage because the file is quite large.

Susan Bradley

The tool then compares your passwords to password databases such as Haveibeenpwnd.com. It will then provide you a list of the passwords that need to be changed. Next, it compares your password policy to that of the best practices. For example, it will compare your policy to that of various best practices.

Review administrator and service account passwords, too

Let’s not let administrators off the hook. Recent ransomware attacks have started with a reused password reportedly left behind by an administrator. Often as projects end and new ones begin, you forget about old passwords and old accounts. As you move from on-premises email to hosted email, you may forget old accounts from applications that you’ve since removed. Review all accounts in your Active Directory that have administrator rights or inherited administrator rights. Even with administrator accounts, ensure that they do not expire, but rather are protected with fobs, biometric, or other two-factor authentication options.

What about service accounts? Specops notes that these too need reviewing. Whenever you hand out domain accounts or use managed service accounts, be aware of the implications of your choices. As they note, “Managed service accounts are typically the most secure of the bunch. They benefit from the strict permissions controls possible through AD, effectively enforcing RBAC, and maintenance automations. This commonly includes password changes and PowerShell scheduled tasks.”

A group-managed service account can be used in tasks tied to a computer. It can be maintained automatically with a complex password and it will manage itself. You will need to ensure your Active Directory schema is at least Windows Server 2008 R2 before using the process. Too often service accounts are set up with a forgotten password or worse yet, mandated by the vendor. Review any service accounts set up in your AD infrastructure and ensure that you review who set them up and how they were set up. Discuss with your vendors if a managed service account is used.

Password best practices

Password best practices vary from source to source. Microsoft’s recommended password policy includes an eight-character minimum length requirement. They also recommend that you eliminate character-composition requirements. When confronted with password complexity requirements, people fall into a few recognizable patterns that password cracking programs exploit.

Recommendations regarding passwords have changed over the years. Microsoft once recommended that 14 characters should be used in your password and that they be changed every 60 days. Now the best practices recommendation is to not change passwords unless they’ve been breached. The UK National Cyber Security Centre recommends that you use password managers as it allows your users to choose more complex passwords that won’t be easily remembered. Also, it’s recommended that you think of three random words when selecting a password.

Section 5.1.1.2 of the NIST guidance on passwords recommend that you do not store a hint that is accessible to an unauthenticated claimant. It’s also not recommended to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. Too often in social media games are posted as questions for folks to answer. These seemingly random questions are often password reset questions that attackers can then use to reset passwords in accounts. Ensure that your users are aware of these tricks used on the web and they know that these question games should be ignored.

Take the time to review the accounts in Active Directory. Ensure that you don’t have any lingering accounts that could be used against you.