Thursday, December 26, 2013

Fine Grained Password Policies

Purpose of Fine Grained Password Policy (FGPP)

The primary purpose of fine-grained policies is that they can help the administrator apply stricter policies to privileged accounts that deal assets critical to the organizations compared to non-privileged accounts that may not deal with assets critical to the organization.
Since Windows Server 2008, Fine Grained Password Policies (FGPP) have been made it possible that allow u different users in the domain to have different policies.

What are FGPP ?

Fine-grained policies apply only to user objects and global security groups.
Normally the password policy is set for all user at the domain level. This domain level password policy can be viewed by:
1. firing up 'gpedit.msc'
2. select Default Domain Policy [Domain name] -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Password Policy
Once you select the above path the Password Policy (applicable to the domain) will appear in the right hand panel of the GPO Window.

Requirements for FGPP

FGPP was introduced in Windows Server 2008 so in order to use this feature the Domain Controller should be upgraded to Windows Server 2008. i.e. the functional level that supports fine grained policies is the Windows Server 2008. The domain function level to the following:
 1 - Start - >Administrative tools -> Active Directory Users and Computers
 2 - Right clik on the domain server in the left hand panel.
 3 - Select prorperties
You will be presented with the properties of the domain including Function level of the domain controller, make sure the Domain Functional Level is Windows Server 2008.

How to create FGPP's

The Fine-grained policies are stored in the Password Settings Container (PSC) under the System container of the domain.
1 - You will need to fire up Active Directory Services Interface (ADSI) on the domain controller of your domain and connect to your domain.
2 - Once in the domain navigate down to CN=System. Once CN=System has expanded look for CN=Password Setting Container (the PSC). We need to create a new Object in the PSC. Right click CN=PSC and select New.
3 - From the list of objects select 'msDS-Password Settings' object (most probably the only option in the menu), then click 'Next'.
4- The next window mainly asks for a value, this is where you provide a name for the policy. For the sake of this tutorial we will name is 'Grained policy', but it can be anything that makes it disctinct and easy to locate.
5 - Select the precedence you want to apply for this particular object. The precedence will be needed if two policies or more apply to the same object. The lower precedence value wins. The value 10 is acceptable.
6 - The object creation process is wizard based and you can fill in the values according to information given below (source, The Recommended Values and Format for each of the attributes are provided by the author:
  • msDS-PasswordReversibleEncryptionEnabled (self explanatory)
    Recommended Value = False
  • msDS-PasswordHistoryLength (Also self explanatory... you can keep up to 1024)
    Recommended Value = 5
    (domain default: 24)
  • msDS-PasswordComplexityEnabled (Upper, lower, number, blah blah blah)
    Recommended Value = True
  • msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords)
    Recommended Value = 12
    (domain default(chars): 7)

Now we get into crazy land. MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration must all be entered in I8 format.
To quote from TechNet:
    When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
We will use the d:hh:mm:ss format
  • msDS-MinimumPasswordAge
    (domain default: 1 day = -864000000000)
    Recommened Value: 01:00:00:00 ( 1 day)
  • msDS-MaximumPasswordAge
    (domain default: 42 days = -36288000000000)
    Recommended Value: 45:00:00:00 (45 Days)

 Fill in the following attributes for account lockout settings:
  • msDS-LockoutThreshold
    Value = 0
    (domain default: 0 = don‘t lockout accounts after invalid passwords)
    Recommended Value= 15

  • msDS-LockoutObservationWindow
    Value = -18000000000 (Nine zeroes)
    (domain default: 6 min = -18000000000)
    Recommended Value=00:00:30:00 (Thirty minutes)

  • msDS-LockoutDuration
    Value = -18000000000 (Nine zeroes)
    (domain default: 6 min = -18000000000)
    Recommended Value: 00:02:00:00

7- After entering the value for the last attribute msDS-LockoutDuration we can close the wizard by clicking on 'Finish' and then manually assigning the 'Grained Policy' to a user group by right clicking on the new object and click 'Properties'. Scroll down the 'Attribute Editor' to look for 'msDS-PSOAppliesTo' attribute and click 'Edit'.

8- Click on 'Add Windows Account' and you will be presented with a window similar to the one used to assigned permissions on folders, to select a user or group. Enter the name of the user or group to whom you wish to assign the granual password policy. Once selected the SID of the user or group will appear in the 'value' section of 'msDS-PSOAppliesTo' attribute.
The Fine Grained Password Policy is now in place.

About the Author: Saquib Farooq Malik, is a senior Information Security Consultant at ITButler e-Services( . Saquib Specializes in Vulnerability Assessment and Penetration Testing, implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.

No comments:

Post a Comment