In this guide, you’ll delve into the critical role that domain user passwords play in securing your Active Directory domain. Discover how AD system administrators effectively handle domain password policies through Group Policy Objects and Password Settings Objects. This article will provide step-by-step instructions for configuring or updating the password complexity policy in Active Directory, ensuring robust security practices for your network.
Active Directory Password Complexity
Active Directory (AD) stores information about objects such as user accounts, groups, computers and printers in a domain. Strong passwords for AD user accounts are crucial for security. By default, AD does not enforce complex passwords; the domain administrator needs to configure password policies to enforce complexity.
Password complexity refers to the use of special characters, numbers, uppercase and lowercase letters to make a password harder to guess. Complex passwords are much harder to crack through brute force attacks.
Default Domain Password Policy Settings
By default, Active Directory enforces the following password policy settings in a domain:
- Minimum password length: 7 characters
- Password history: 24 passwords remembered
- Maximum password age: 42 days
- Minimum password age: 0 days
- Reversible encryption for storage: Disabled
The default password policy does not enforce password complexity in terms of using uppercase, lowercase, numbers and special characters. It only specifies a minimum length of 7 characters (References: [1], [2]).
While a minimum length makes passwords harder to brute force, it is recommended to enhance the password policy and enforce complexity for better security.
Configuring the Active Directory Password Policy
The Active Directory domain password policy settings are configured through Group Policy Objects (GPOs). Specifically, the Default Domain Policy GPO controls the default password policies applied to all users in the domain.
Here are the steps to configure password policies in AD:
- Open the Group Policy Management console (gpmc.msc)
- Right click on the Default Domain Policy and click Edit
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
- The right pane will show the password policy options:
  - Enforce password history
  - Maximum password age
  - Minimum password age
  - Minimum password length
  - Password must meet complexity requirements
  - Store password using reversible encryption
- Double click each policy to modify it as required
- Click Apply and OK
Some best practice password complexity settings are:
- Minimum password length: 8 characters
- Enforce password history: 24 passwords
- Maximum password age: 60 days
- Minimum password age: 1 day
- Password must meet complexity requirements: Enabled
- Store password using reversible encryption: Disabled
These settings enforce 8 character passwords with complexity, prevent password reuse, and require regular password changes. The minimum age prevents frequent cycling through favorite passwords (References: [3], [4]).
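The GPMC steps and the best-practice values above, applied and verified with the ActiveDirectory PowerShell module, as an added example that is not code from the original article. It assumes RSAT or a domain controller with the module installed and an account permitted to change the domain's password policy; the before/after comparison and its warning text are this example's own.

```powershell
# Added example: apply the recommended default domain password policy and verify it.
# Not code from the original article.
Import-Module ActiveDirectory

# Resolve the current domain once; DNSRoot is accepted by -Identity.
$domain = Get-ADDomain

# Record the policy in effect before the change (useful for the change record).
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$before | Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                      MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled

# Apply the article's recommended settings. Ages are TimeSpans written as d.hh:mm:ss.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge 60.00:00:00 `
    -MinPasswordAge 1.00:00:00 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# Re-read and warn on any value that did not land (rights, or a replication lag).
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$expected = @{
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(60)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}
foreach ($name in $expected.Keys) {
    if ($after.$name -ne $expected[$name]) {
        Write-Warning "$name is $($after.$name), expected $($expected[$name])"
    }
}
```

Set-ADDefaultDomainPasswordPolicy writes the domain's password attributes directly, while the Default Domain Policy GPO still carries its own values and the PDC emulator reapplies them on policy refresh; keep the GPO values from the steps above identical to what the cmdlet sets, otherwise the GPO will revert the change.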
Password Complexity Requirements
When the “Password must meet complexity requirements” policy is enabled, the following rules apply for new passwords:
- Minimum length of 8 characters
- Cannot contain user’s account name or parts of full name
- Contains characters from three of the following four categories:
  - English uppercase letters (A through Z)
  - English lowercase letters (a through z)
  - Base 10 digits (0 through 9)
  - Special characters (`, ~, !, @, #, $, %, ^, &, *, (, ), _, +, |, {, }, [, ], :, ;, ", ', <, >, ?, /, etc.)
This ensures a mix of character sets is used and makes passwords much harder to guess or brute force.
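A pre-check that mirrors the rules just listed, so a provisioning script can reject a candidate password before calling Set-ADAccountPassword. This is an added example, not code from the original article or part of Windows; the domain controller's own check remains authoritative, and the way name parts are tokenized (split on spaces and punctuation, parts shorter than 3 characters ignored) is this example's own convention. The sample passwords and the user "jsmith" / "John Smith" are constructed.

```powershell
# Added example: evaluate a candidate password against the complexity rules above.
# Illustrative only; the DC performs the real check when the password is set.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = '',
        [int]    $MinimumLength  = 8
    )
    $failures = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinimumLength) {
        $failures.Add("shorter than $MinimumLength characters")
    }

    # Count the character categories present (-cmatch is case-sensitive).
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -cmatch '[0-9]')        { $categories++ }   # base-10 digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # everything else is "special"
    if ($categories -lt 3) {
        $failures.Add("uses $categories of 4 character categories, need at least 3")
    }

    # Reject passwords containing the account name or a part of the full name.
    # Comparison is case-insensitive; parts under 3 characters are ignored (example convention).
    $nameParts = @()
    if ($SamAccountName) { $nameParts += $SamAccountName }
    if ($DisplayName)    { $nameParts += ($DisplayName -split '[ ,.\-_#\t]+') }
    foreach ($part in $nameParts) {
        if ($part.Length -ge 3 -and
            $Password.IndexOf($part, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures.Add("contains name part '$part'")
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed sample inputs (not real credentials). Note that 'P@ssw0rd' satisfies every
# rule yet is a widely known weak password: complexity rules bound the character set,
# they do not guarantee the password is hard to guess.
$samples = 'Smith2024!', 'password1', 'P@ssw0rd', 'Tr0ub4dor&3'
foreach ($p in $samples) {
    Test-PasswordComplexity -Password $p -SamAccountName 'jsmith' -DisplayName 'John Smith'
}
```

Running the block reports 'Smith2024!' as non-compliant (contains the name part "Smith"), 'password1' as non-compliant (only two categories), and the other two as compliant.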
Active Directory stores the SHA1 hash of the password, not the actual password. When a user tries to authenticate, the hash of the entered password is computed and compared to the stored hash. If equal, access is granted. This prevents compromised hashes from revealing actual passwords (References: [5], [6]).
Password Settings Container
Fine-grained password policies can be applied in Active Directory through Password Settings Objects (PSOs). PSOs are stored in a hidden container called System, located under the domain root.
To configure PSOs:
- Launch Active Directory Users and Computers
- Enable Advanced Features under View menu
- Navigate to System container under domain root
- Right click and select New > Password Settings Object
- Specify name for PSO e.g. “Finance Users Password Policy”
- Configure password settings as per policy requirements
- Right click user/group/OU and link newly created PSO
With PSOs, different user accounts can have different password policies applied (References: [7], [8]).
Avoiding Reversible Encryption
Active Directory can be configured to store password hashes using reversible encryption. This allows decrypting the hashes to reveal actual passwords.
This is a major security risk and should always be avoided. The Store password using reversible encryption policy must always be disabled.
Some legacy applications may require reversible encryption to function properly. It is recommended to update such applications rather than enabling reversible encryption (References: [9], [10]).
Password Expiration Policy
The password expiration policy controls how frequently users must change their passwords. This can be configured through:
- Maximum password age – specifies when users must reset their password
- Minimum password age – specifies how soon a user can change the password again after a reset
Typical recommendations for enterprise environments:
- Maximum password age: 60 days
- Minimum password age: 1 day
For high security environments like banks, the maximum age can be reduced to 42 or even 21 days. Setting an appropriate password expiration policy prevents password reuse and mitigates risk when passwords are compromised (References: [11], [12]).
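An added example (not code from the original article) that checks how the expiration policy actually lands on accounts, because the "Password never expires" account option bypasses the maximum-age setting entirely and is the usual gap in an otherwise sound policy. It assumes the ActiveDirectory module; the 14-day reporting window is an arbitrary choice for this example.

```powershell
# Added example: audit password expiration as applied to real accounts.
# Not code from the original article.
Import-Module ActiveDirectory

# Enabled accounts exempt from expiration. Each one should have a documented owner and reason;
# service accounts are the usual case, and group managed service accounts are the better answer.
$neverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, DistinguishedName
"{0} enabled accounts have PasswordNeverExpires set" -f @($neverExpires).Count
$neverExpires

# Enabled accounts whose password has already expired (they will be forced to change at logon).
$expired = Search-ADAccount -PasswordExpired -UsersOnly | Where-Object Enabled
"{0} enabled accounts have an expired password" -f @($expired).Count

# Upcoming expirations. msDS-UserPasswordExpiryTimeComputed is calculated by the DC from
# pwdLastSet plus whichever maximum age applies (default policy or the winning PSO),
# so it reflects fine-grained policies without any extra logic here.
$soon = (Get-Date).AddDays(14)
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64.MaxValue means "never". Skip both.
        if ($raw -gt 0 -and $raw -lt [long]::MaxValue) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Expires        = [datetime]::FromFileTime($raw)
            }
        }
    } |
    Where-Object { $_.Expires -le $soon } |
    Sort-Object Expires
```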
Password History
The password history policy remembers a user’s previous passwords up to a specified limit. Users cannot reuse any password in the history.
The recommended setting for password history is 24 passwords. This prevents frequent cycling through favorite passwords.
When password history is enabled, AD tracks password hashes instead of clear text passwords. The hashes are used to check for reuse only (References: [13], [14]).
Importance of Password Length
Increasing password length exponentially grows the number of possible combinations. An 8 character password with upper, lower, number and special characters has approximately 218 trillion possible combinations.
A 7 character password of similar complexity has around 52 billion combinations. Thus, 8 character passwords offer over 4000 times more protection against brute force attacks.
The minimum Active Directory password length should be 8 characters. Increasing it further enhances security. However, requiring very long passwords leads to user frustration and may encourage unsafe practices like note keeping (References: [15], [16]).
Multiple Password Policies in Active Directory
Active Directory allows creating multiple Password Settings Objects (PSOs) with different policies. PSOs can be applied to individual users, groups or OUs through filtering.
For example, a 14 character complex password policy can be applied only for administrative accounts by linking the PSO to the Administrators group.
Multiple password policies allow fine tuning security as per access levels rather than having a single blanket policy for all users (References: [17], [18]).
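The PSO procedure from the Password Settings Container section and the tiered policy described here, done with the ActiveDirectory module as an added example (not code from the original article). The policy name, the 'Domain Admins' group as link target and the account 'adm-jsmith' are assumptions for illustration; the settings are the article's 14-character administrative policy with its recommended history and age values.

```powershell
# Added example: create a stricter PSO for administrative accounts, link it to a group,
# and confirm which policy wins for one account. Not code from the original article.
Import-Module ActiveDirectory

$psoName = 'Admin Accounts Password Policy'   # assumed name for this example

# Create the PSO only if it does not exist yet, so the script can be re-run safely.
# Precedence: when several PSOs apply to the same user, the lowest number wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge 60.00:00:00 `
        -MinPasswordAge 1.00:00:00 `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs are linked to users and global security groups; 'Domain Admins' is the assumed target.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Inventory: every PSO with its precedence, key settings and what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo -AutoSize

# Resultant policy for one account ('adm-jsmith' is an assumed sAMAccountName).
# The cmdlet returns the winning PSO, or nothing when only the default domain policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'adm-jsmith'
if ($effective) {
    "adm-jsmith: PSO '$($effective.Name)', minimum length $($effective.MinPasswordLength)"
} else {
    'adm-jsmith: default domain password policy applies'
}
```

The resultant-policy check is the part worth keeping in a periodic audit: it answers "which policy actually governs this account" after group membership changes, which the PSO inventory alone does not.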
Role of Password History in Active Directory
Enforcing password history in AD prevents password reuse for a configurable duration. This mitigates risk if a user’s password gets compromised.
Without password history, a user whose password is known to an attacker could keep rotating through a small set of favorite passwords repeatedly. The attacker could exploit this to maintain persistent access even as passwords change.
A password history of 24 passwords significantly increases the difficulty for an attacker gaining repeated unauthorized access in such a scenario (References: [19], [20]).
Necessity of Uppercase and Lowercase in Passwords
Requiring both upper and lowercase letters enhances password complexity. It ensures passwords are not just single case even if meeting minimum length criteria.
With only uppercase or lowercase letters, a password effectively has 26 possibilities per character. Requiring both cases doubles the possibilities to 52 per character.
For an 8 character password, this increases possible combinations from 209 billion to 5.3 trillion.
Thus, enforcing password complexity is not just about length, but also about requiring multiple character sets (References: [21], [22]).
Impact of Frequent Password Changes
Requiring frequent password changes through short maximum password ages can sometimes backfire. Users might resort to minor variations of the same password to cope.
Research shows frequent password resets with a low minimum age may degrade security over time. A user forced to change their password often is likely to choose predictable and easy to guess passwords.
The recommended approach is to have moderate password expiration periods like 60 days along with strong complexity requirements. This provides a balance between security and usability (References: [23], [24]).
Importance of Configuring Password Complexity
Complex passwords are a first line of defense against unauthorized access via password guessing, brute force attacks and password leaks.
Active Directory’s default settings do not enforce complexity. The importance of configuring custom password policies with strong complexity requirements cannot be overstated.
Complex passwords significantly raise the difficulty for malicious actors to gain access to AD accounts and assets in the domain (References: [25], [26]).
Changing Default Domain Password Policy
The default domain policy applies to all users in AD. Changing the default settings enhances security for the entire organization in one go.
Best practice is to modify the default policy to require 8+ character passwords with multiple character sets. Appropriate password age controls should also be implemented.
This serves as a strong baseline across the domain. More stringent policies can be applied to sensitive accounts via fine-grained policies and PSOs.
Updating the default domain policy to require strong passwords is one of the most impactful Active Directory hardening measures (References: [27], [28]).
Minimum Password Length Security
Increasing the minimum password length forces greater complexity. From a usability standpoint, 8 character passwords offer adequate security for most users.
Setting higher minimum lengths leads to bad user habits like note keeping, password reuse or predictable sequences that reduce real security. There are diminishing returns beyond 10-12 characters for general users.
For elevated privilege accounts like administrators, a 12-15 character minimum can be justified and supported through stricter education and enforcement programs (References: [29], [30]).
Multiple Password Policies in Active Directory
Having a single password policy for all users results in one of two scenarios:
- Overly strict – Frustrates general users, reduces productivity
- Overly lenient – Insufficient for privileged accounts
Creating multiple policies via PSOs allows stratifying requirements as per access levels. Admin accounts can have 15+ character passwords while general staff may follow a simpler 8 character policy.
Flexible password policies are crucial for balancing security and usability in large Active Directory environments. One policy does not fit all account types (References: [31], [32]).
Password Settings Object Role
Password Settings Objects (PSOs) allow creating granular password policies in Active Directory and linking them to specific users and groups.
Without PSOs, only a single password policy can be applied across a domain. PSOs enable implementing stricter policies exclusively for sensitive accounts like Administrators.
PSOs are essential for fulfilling the principle of least privilege in AD. They prevent overly stringent domain-wide policies that impede general users (References: [33], [34]).
Avoiding Reversible Password Encryption
Storing password hashes using reversible encryption undermines the very purpose of hashing. Hashes are meant to be one way cryptographic representations of passwords.
If AD is configured to use reversible encryption, password hashes can be decrypted to reveal the actual passwords. This is a catastrophic security risk.
The reversible encryption setting must always be disabled in Active Directory domains. Legacy systems requiring it should be updated to maintain the security of credentials (References: [35], [36]).
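An added example (not code from the original article) that audits the three places reversible encryption can be switched on, all of which both reversible-encryption sections say must stay off: the default domain policy, any PSO, and individual accounts (the per-account "Store password using reversible encryption" option, which is the ENCRYPTED_TEXT_PWD_ALLOWED bit, 0x80, in userAccountControl). It assumes the ActiveDirectory module.

```powershell
# Added example: find every reversible-encryption setting in the domain.
# Not code from the original article.
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# 1. Default domain password policy.
$default = Get-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot
if ($default.ReversibleEncryptionEnabled) {
    $findings.Add('Default domain password policy has ReversibleEncryptionEnabled = True')
}

# 2. Fine-grained policies (PSOs) that enable it for their linked users or groups.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object ReversibleEncryptionEnabled |
    ForEach-Object { $findings.Add("PSO '$($_.Name)' enables reversible encryption") }

# 3. Accounts with the per-account flag. The LDAP bitwise-AND matching rule
#    (1.2.840.113556.1.4.803) tests userAccountControl for bit 0x80 = 128.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    ForEach-Object { $findings.Add("Account '$($_.SamAccountName)' has reversible encryption allowed") }

if ($findings.Count -eq 0) {
    'No reversible encryption settings found'
} else {
    $findings
}

# Remediation for a per-account finding, once the application that needed it has been fixed:
#   Set-ADUser -Identity <sAMAccountName> -AllowReversiblePasswordEncryption $false
# Clearing the flag takes effect for the stored secret only after the next password change.
```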
Recommended Password Expiration Settings
Balancing security and usability is key for an Active Directory password policy. Frequent forced password changes frustrate users and reduce security over time.
A maximum age of 60 days along with a minimum age of 1 day provides a reasonable expiration cadence.
Shorter maximum ages of 45-60 days are appropriate for high security environments. The goal is to find the right frequency that works for the organization’s culture (References: [37], [38]).
Securing Active Directory Passwords with History
The password history setting determines how frequently old passwords can be reused by users. Forcing users to choose passwords not in their history significantly improves security.
If a user’s password gets compromised, the attacker cannot indefinitely keep accessing the account by cycling through old passwords. A 24 password history provides a strong balance of usability and security for most organizations (References: [39], [40]).
Necessity of Password Complexity Requirements
Length and expiration policies alone are insufficient for true password complexity. Active Directory must be configured to specifically require uppercase, lowercase, numbers and special characters.
Without explicitly requiring multiple character sets, users may still choose predictable passwords that only meet length and age criteria.
The complexity requirement provides depth to a password policy by enforcing different password building blocks (References: [41], [42]).
Impact of Frequent Active Directory Password Changes
Password rotation is a useful security practice. However, excessive frequency like requiring changes every 30 days actually reduces security over time.
Users start employing predictable patterns to cope with frequent changes. Passwords end up relating to previous ones. This data can help attackers determine new passwords.
60-90 day password expirations balanced with strong complexity requirements provide the ideal security cadence for Active Directory (References: [43], [44]).
Wrapping Up
Active Directory domain security largely relies on the strength of user account passwords. The default password policy does not enforce true complexity.
Configuring custom password policies is crucial. An 8 character minimum with compulsory mix of upper, lower, number and special characters provides robust defense against guessing and brute force attacks.
Password expiration settings around 60 days maximize security while maintaining usability. Password history prevents cyclic password reuse even in the event of compromise.
Fine grained PSO policies allow implementing differentiated policies for elevated privilege accounts like administrators to balance security and user experience.
Strong password policies serve as the frontline for securing Active Directory. Domain controllers provide centralized authentication based on credentials. Compromised passwords undermine all layers of AD security.
Regular reviews of password settings and user education on constructing strong passwords are essential for securing the keys to the kingdom in Active Directory environments.