Kent Ickler // As a start to a series on Windows Administration in the eyes of a security-conscious “Windows Guy” I invite you on configuring AD DS PSOs (Password Security […] The post How to Increase the Minimum Character Password Length (15+) Policies in Active Directory appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Enforcing Advanced Password Policies Using Active Directory Password Setting Objects (PSOs)
## Overview
These practices address the limitations of native Active Directory Group Policy Objects (GPOs) in enforcing modern, strong password requirements (specifically minimum lengths exceeding 14 characters). The solution provided focuses on implementing Password Setting Objects (PSOs), also known as Fine-Grained Password Policies, available in Windows Server 2008 and enhanced in Windows Server 2012 and later, to apply granular password restrictions to specific users or groups.
## Key Recommendations
### Immediate Actions
1. **Inventory Password Requirements:** Immediately determine if current audit findings (SOX, PCI, HIPAA, etc.) mandate minimum password lengths greater than 14 characters.
2. **Verify PSO Availability:** Ensure your domain controllers are running Windows Server 2008 or later, confirming that Password Setting Objects can be leveraged.
3. **Test PSO Creation:** In a non-production environment, perform a test creation of a PSO specifying a minimum password length greater than 14 characters (e.g., 15 or 20 characters) and assign it to a test user or group.
### Short-term Improvements (1-3 months)
1. **Implement Initial PSO for High-Risk Groups:** Create and deploy PSOs targeting user groups with the highest security requirements (e.g., administrative accounts or compliance-mandated roles) to enforce new, strong password minimum lengths (up to 255 characters).
2. **Disable LM Hash Storage:** In parallel with PSOs, use Group Policy or a direct registry change under `HKLM` to explicitly stop Windows from storing the deprecated and easily cracked LanMan (LM) hash of user passwords.
3. **Document PSO Deployment Plan:** Create clear documentation outlining which PSOs apply to which groups, noting that PSOs override or supplement standard GPO password settings.
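The registry side of the LM hash step above, as an added example that is not part of the original post: it audits the `NoLMHash` value under the LSA key and optionally remediates it. It assumes it is run elevated on each domain controller (the value is per machine, so every DC needs it) and on any member server you care about; the names `Test-NoLMHash` and `-Remediate` are this example's own.

```powershell
# Added example: audit/remediate NoLMHash (the registry equivalent of the
# "Do not store LAN Manager hash value on next password change" policy).
# Assumed: elevated session on the DC or server being checked.
function Test-NoLMHash {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $lsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash

    if ($current -eq 1) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; NoLMHash = 1; Status = 'Compliant' }
    }

    if ($Remediate -and $PSCmdlet.ShouldProcess($lsaKey, 'Set NoLMHash = 1')) {
        Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
        # The setting only affects passwords set from now on; LM hashes of
        # unchanged passwords stay in the database until each user changes theirs.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; NoLMHash = 1
                                  Status = 'Remediated; existing LM hashes remain until next password change' }
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; NoLMHash = $current
                       Status = 'Non-compliant: LM hashes may still be stored' }
}

# Audit first, preview the change with -WhatIf, then apply it.
Test-NoLMHash
Test-NoLMHash -Remediate -WhatIf
Test-NoLMHash -Remediate
```

Pair the remediation with a forced password change (or the normal expiry cycle) so that previously stored LM hashes actually disappear.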
### Long-term Strategy (3+ months)
1. **Establish Hybrid Password Policy Enforcement:** Maintain standard AD GPOs for baseline security requirements while using PSOs exclusively for exceptions or enhanced complexity rules (e.g., longer minimum lengths).
2. **Train Support Staff:** Ensure help desk and Tier 1 administrators are aware that password validation errors stemming from length requirements might be due to a PSO, not the standard GPO, and know how to check for PSO assignment using the Active Directory Administrative Center (ADAC).
3. **Audit PSO Exclusions:** Periodically review which accounts (especially computer accounts and local accounts on workstations/servers) are *not* affected by PSOs, and implement compensating controls (like local registry hacks or custom filters) if necessary.
## Implementation Guidance
### For Small Organizations
- **Utilize ADAC for Simplicity:** Leverage the Active Directory Administrative Center (ADAC) GUI in Windows Server 2012+ to create and assign PSOs, avoiding complex scripting or ADSI editor tools.
- **Target Domain Users Group:** As a starting point, assign the new, stricter PSO to the "Domain Users" group only after thorough testing, ensuring all staff are compliant with the new minimum length.
### For Medium Organizations
- **Group-Based Targeting:** Define specific security groups (e.g., "Finance_Users", "High_Privilege_Admins") and target PSOs exclusively to these groups, allowing standard users to remain on legacy GPO settings temporarily if phasing in changes.
- **Administrator Training:** Roll out specific documentation and training to IT staff regarding troubleshooting password policy failures, emphasizing the need to check the Password Settings Container in ADAC.
### For Large Enterprises
- **Develop Full PSO Catalog:** Create a comprehensive catalog of required password policies mapping security tiers to specific PSO configurations, ensuring clear separation of concerns between GPO baseline and PSO enhancements.
- **Leverage PowerShell/Automation:** While the GUI exists in ADAC, use PowerShell cmdlets for creating, modifying, and auditing numerous PSOs across a large environment to ensure consistency and repeatability.
- **Maintain Coordinated Policies:** Ensure that local security policies on workstations and servers (which are not affected by AD PSOs) are aligned with domain requirements, possibly via targeted local GPOs or centralized management tools.
## Configuration Examples
**Creating a PSO via Active Directory Administrative Center (ADAC):**
1. Navigate to: Control Panel -> System and Security -> Administrative Tools -> Active Directory Administrative Center.
2. In the left pane, navigate to the Domain Name -> System -> **Password Settings Container**.
3. Right-click the container -> New -> **Password Settings Object**.
4. Configure the required settings, such as:
   * **Minimum password length:** Set to a value greater than 14 (e.g., 20).
   * **Target:** Assign the policy to a specific User or User Group (e.g., select the security group "StrictPasswordUsers").
5. **Crucial Step:** Ensure the PSO settings are reviewed, as they can enforce extremely long passwords (up to 255 characters).
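The same PSO built with the ActiveDirectory module instead of the ADAC GUI, covering both the PowerShell automation recommended for large environments and the steps just listed. This is an added example, not code from the original post; it assumes a Domain Admin session with RSAT, a PSO name of `PSO-MinLen15`, an existing group `StrictPasswordUsers`, and a member user `jdoe` used to check the resultant policy.

```powershell
# Added example: create, assign and verify a 15-character minimum-length PSO.
# Assumed names: PSO "PSO-MinLen15", group "StrictPasswordUsers", user "jdoe".
Import-Module ActiveDirectory

$psoName   = 'PSO-MinLen15'
$groupName = 'StrictPasswordUsers'   # must already exist as a global security group
$testUser  = 'jdoe'                  # assumed member of that group

# 1. Create the PSO only if it does not exist yet (-Filter returns nothing instead of throwing).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $settings = @{
        Name                        = $psoName
        Precedence                  = 10             # lowest value wins if several PSOs apply
        MinPasswordLength           = 15             # beyond the 14 a default-domain GPO allows
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        MinPasswordAge              = '1.00:00:00'   # d.hh:mm:ss
        MaxPasswordAge              = '365.00:00:00'
        LockoutThreshold            = 10
        LockoutObservationWindow    = '0.00:30:00'
        LockoutDuration             = '0.00:30:00'
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# 2. Apply it to the group; members inherit it (direct user assignment also works).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 3. Verify the effective policy for a member. A null result means no PSO applies
#    and the Default Domain Policy GPO is still in force for that account.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($effective -and $effective.MinPasswordLength -ge 15) {
    "OK: $testUser gets '$($effective.Name)' (min length $($effective.MinPasswordLength))"
} else {
    "WARN: $testUser is not covered by a >14-character PSO"
}

# 4. Audit: every PSO with its precedence, minimum length and subjects, for the
#    documentation/catalog step (RSoP does not report PSOs, so keep this output).
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                      Select-Object -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize
```

Run step 3 against a user who is not in the group as well; that negative check is the quickest way to confirm the PSO is scoped as intended.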
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** PSOs directly support modern guidance encouraging longer, complex passwords, moving beyond simple character counts.
- **PCI DSS:** Satisfies requirements for complexity and length that often mandate changes beyond default GPO limitations.
- **HIPAA/SOX/CJIS:** Provides the technical mechanism to enforce audit-mandated password length requirements effectively within the Windows domain infrastructure.
## Common Pitfalls to Avoid
- **Forgetting Local Accounts:** PSOs only affect domain user accounts that authenticate against Active Directory. Local user accounts on member servers and workstations will *not* be subject to PSO enforcement.
- **Ignoring Administrator Awareness:** Failing to inform the IT support desk about PSO usage will lead to extended troubleshooting times when users are locked out due to non-compliance with the PSO rule instead of the standard GPO rule.
- **Over-reliance on PSO:** Using PSO to enforce rules that GPO *can* handle can lead to administrative complexity (RSOP reporting is more difficult for PSOs). Only use PSO for capabilities GPO lacks (i.e., a minimum length greater than 14 characters).
- **Exposing LM Hash Vulnerability:** Failing to disable the LM Hash in parallel means a strong password might still be stored insecurely via legacy mechanisms if password changes are not enforced immediately.
## Resources
- Creating a PSO in Windows 2008: https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
- LM Hash Information Overview: https://technet.microsoft.com/en-us/library/hh994558(v=ws.10).aspx
- Preventing the use of LanMan Hash Documentation: https://support.microsoft.com/en-us/kb/299656