2. Roadmap
Windows Password Policy Tour
The problems
The user experience
The nFront Password Filter solution
3. Windows Password Policy Tour
Let’s tour the options available with the Windows Password Policy.
Keep in mind that the one policy applies to all users and multiple policies are not possible.**
**If all DCs are 2008 or 2012 you can do fine-grained policies. The rules are the same (not granular), but you can apply different rules to different OUs.
4. Windows Tour – Min Length
Require a minimum length.
Longer passwords are more difficult to hack.
Ideally, 15 characters or more is best because of rainbow tables.
5. Windows Tour – Max Age
Have the user change their password on a regular basis.
The idea is to change the password before the hacker has enough time to guess or crack it.
6. Windows Tour – Password History
Without keeping a password history, the user can set their new password to the old password.
Keeping a history with Windows only stops new passwords that exactly match the old ones, not variations (like incrementing a number on the end).
7. Windows Tour – Min Age
Some users like their old password.
In 5 minutes, they will go through the 13 password changes to get “back” to the one they had yesterday.
Minimum password age forces them to keep their first password change for a minimum amount of time.
8. Windows Tour – Password Complexity
The password must contain 3 of 4 character sets (a-z, A-Z, 0-9, special), and the password cannot contain the username or part of the full name.
9. Complexity allows weak passwords
Even with the password complexity requirement enabled, the standard Windows Password Policy still allows weak passwords:
Password123, Company2015, January1
P@ssw0rd, LetMeIn2015, Photoshop1
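To show why the six passwords above get through, here is an added example (not code from the slides or from nFront) that approximates the Windows complexity rule as the slides describe it: 3 of 4 character classes, and no username or full-name token in the password. The username jsmith and full name John Smith are assumed sample values.

```python
import re

# Delimiters used to split the full (display) name into tokens; tokens shorter
# than three characters are ignored, as in the Windows check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Return the full-name tokens (3+ characters) that may not appear in a password."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def meets_windows_complexity(password, username, full_name=""):
    """Approximation of 'Password must meet complexity requirements'.

    Assumption: only the four ASCII classes named on the slide are counted
    (Windows additionally counts other Unicode letters as a fifth class).
    Name checks are case-insensitive, as in Windows.
    """
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # "special" characters
    ]
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    if len(username) >= 3 and username.lower() in lowered:
        return False
    return not any(tok.lower() in lowered for tok in name_tokens(full_name))


def complexity_verdicts(passwords, username="jsmith", full_name="John Smith"):
    """Map each candidate password to whether the complexity rule accepts it."""
    return {p: meets_windows_complexity(p, username, full_name) for p in passwords}


# The weak passwords quoted on the slide; every one satisfies the rule.
SLIDE_EXAMPLES = ["Password123", "Company2015", "January1",
                  "P@ssw0rd", "LetMeIn2015", "Photoshop1"]

if __name__ == "__main__":
    for pw, ok in complexity_verdicts(SLIDE_EXAMPLES).items():
        print(f"{pw:12} complexity {'PASS' if ok else 'FAIL'}")
```

The rule only counts character classes, so a dictionary word with a capital letter and a number satisfies it; nothing in the check looks at how guessable the password is.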
10. Windows Tour – Reversible Encryption
No one knows what it is or where it is documented, but they know it is not a good idea.
Encryption can be reversed; hashes cannot.
Passwords should be stored as “salted” hashes that are not reversible. Windows does not salt, but at least it hashes the passwords.
13. The Problems
Weak passwords are allowed and are an easy target for hackers, malware, viruses, spear phishing, etc.
The one-size-fits-all policy forces large organizations to dumb down their password policy. The bigger the company, the easier to hack.
The user is not shown the requirements during password creation, causing frustration and confusion.
The Windows policy does not meet the specific requirements of PCI or NERC compliance.
Users can easily increment passwords with a number.
15. What is nFront Password Filter
nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains.
The standard Windows password policy cannot meet most industry compliance requirements.
Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.
16. nFront Password Filter Features
Policies are granular, with over 40 rules per policy and rules to meet all compliance requirements.
Up to 6 different granular password policies in one Windows domain.
A dictionary option to block millions of common passwords in less than one second.
One checkbox to meet password-specific compliance requirements.
An optional client to clearly show the password rules and an improved failure message.
17. Easy to implement and configure
Install and configure in less than 5 minutes.
Centrally managed via Group Policy.
No reboots needed for patches or upgrades.
18. nFront Password Filter Benefits
Better Passwords = Better Security
No more weak, easily hacked passwords on the network.
A proactive solution instead of a reactive one.
Eliminate or simplify compliance paperwork.
Pass security audits.
No more dumbing down your password policy.
You can use more restrictive policies for more privileged users.
19. Multiple Policies
Create up to 6 different password policies, with each policy targeting one or more security groups or OUs.
21. Prevent Common Passwords
The dictionary substring search can efficiently check whether the password contains any of millions of common passwords in less than one second.
The client failure message can show the exact dictionary word that is disallowed.
22. One Step Compliance
nFront Password Filter provides features that Windows cannot, such as one-step PCI compliance.
23. nFront User Experience – Windows 7
Password rules are displayed during the password change process. An optional strength meter can be displayed.
24. nFront User Experience – Win7
A much better error message is given. It even includes the dictionary word if dictionary checking is enforced.
25. nFront User Experience – Windows XP
Password rules are displayed during the password change process. An optional strength meter and a clearer error message can be displayed.
26. nFront Web Password Change
nFront Web Password Change is an application for IIS that provides a password change portal that is “nFront” aware.
Eliminates the need to deploy the optional software client to workstations.
Can be integrated with an existing intranet.
27. nFront Web Password Change
Can be branded with your corporate logo and other customizations.
28. nFront Web Password Change Experience
Upon typing a username, the password requirements are displayed.
29. nFront Web Password Change Experience
When an unacceptable password is submitted, a detailed error is returned in orange above the rules.
31. It costs too much
So you can spend $$$$ on an expensive web application firewall but still allow internal and external users to have passwords like Password123?
Really?
32. Users will write down passwords
Some users will write down their passwords.
We understand.
*A shock collar can help with this.
When the weak password that was not written down gives external hackers and malware access to your customer data, you may want to reconsider.
*May not be HR approved.
33. We have a strong written password policy
A strong written password policy is a great idea.
Chances are Windows alone cannot enforce it.
Unless you force the users to meet the requirements, you likely have a lot of passwords in use that do not meet the written requirements.
34. We run password crackers periodically
Self-diagnostics are great, but why do you want to ALLOW WEAK PASSWORDS ON THE NETWORK for weeks or months and MANUALLY RUN A PASSWORD CRACKER when you can automate the process and prevent the bad passwords?