
Improving the Security of Authentication in an AD DS Domain

Lesson 1: Configuring Password and Lockout Policies

By default in a Windows Server 2008 R2 domain, users are required to change their password every 42 days, and a password must be at least seven characters long and meet complexity requirements, including the use of three of four character types: uppercase, lowercase, numeric, and non-alphanumeric. Three password policies—maximum password age, password length, and password complexity—are among the first policies encountered by administrators and users alike in an Active Directory domain. Rarely do these default settings align precisely with the password security requirements of an organization. Your organization might require passwords to be changed more or less frequently or to be longer. In this lesson, you learn how to implement your enterprise’s password and lockout policies by modifying the Default Domain Policy Group Policy object (GPO).

As you know, there are exceptions to every rule, and you likely have exceptions to your password policies. To enhance the security of your domain, you can enforce more restrictive password requirements for accounts assigned to administrators, for accounts used by services such as Microsoft SQL Server, or for a backup utility. In versions of Windows prior to Windows Server 2008, this was not possible; a single password policy applied to all accounts in the domain. In this lesson, you learn to configure fine-grained password policies, a feature of Windows Server 2008 and Windows Server 2008 R2 that lets you assign different password policies to users and groups in your domain.

Understanding Password Policies

Your domain’s password policy is configured by a GPO scoped to the domain. Within the GPO, in the Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy node, you can configure the policy settings that determine password requirements. The Password Policy node is shown in Figure 8-1.

You can understand the effects of the policies by considering the life cycle of a user password. A user is required to change his or her password within the number of days specified by the Maximum Password Age policy setting. When the user enters a new password, the length of the new password is compared to the number of characters in the Minimum Password Length policy. If the Password Must Meet Complexity Requirements policy is enabled, the password must contain at least three of four character types:

  • Uppercase—for example, A to Z

  • Lowercase—for example, a to z

  • Numeric—0 to 9

  • Nonalphanumeric—symbols such as !, #, %, or &

Figure 8-1 The Password Policy node of a GPO

If the new password meets the requirements, Active Directory puts the password through a mathematical algorithm that produces a representation of the password called the hash code. The algorithm is a one-way function: you cannot put the hash code through a reverse function to derive the password, and for a well-designed function it is computationally infeasible to find two different passwords that produce the same hash code. The fact that it is a hash code, and not the password itself, that is stored in Active Directory helps to increase the security of the user account. It is not a complete protection, however. An attacker who obtains the stored hashes (for example, from a copy of the directory database) can guess candidate passwords, hash each one, and compare the results, and the Windows password hash is computed without a per-user salt, so short or predictable passwords fall quickly. That is the practical reason the length, complexity, and age settings described in this lesson matter.

Occasionally, applications require the ability to read a user’s password; some older authentication protocols, such as CHAP for remote access and Digest authentication in IIS, need the cleartext password on the server. This is not possible by default because only the hash code is stored in Active Directory. To support such applications, you can enable the Store Passwords Using Reversible Encryption policy. This policy is not enabled by default, but if you enable it, user passwords are stored in an encrypted form that can be decrypted back to the cleartext password. Anyone who can read the directory database (an administrator, a backup operator, or an attacker who has copied it) can then recover every affected password outright, so reversible encryption significantly reduces the security of your domain. Leave it disabled, and strive to eliminate applications that require direct access to passwords.

Additionally, Active Directory can check a cache of the user’s previous hash codes to make sure that the new password is not the same as the user’s previous passwords. The number of previous passwords against which a new password is evaluated is determined by the Enforce Password History policy. By default, Windows maintains the previous 24 hash codes.

If a user is determined to reuse her password when the password expiration period occurs, she could simply change her password 25 times to work around the password history. To prevent that from happening, the Minimum Password Age policy specifies an amount of time that must pass between password changes. By default, it is one day. Therefore, the determined user would have to change her password once a day for 25 days to reuse a password. This type of deterrent is generally successful at discouraging such behavior.

These policy settings—history, minimum age, and maximum age—affect users changing their passwords. The settings do not affect administrators using the Reset Password command to change another user’s password.

Understanding Account Lockout Policies

An intruder can gain access to the resources in your domain by determining a valid user name and password. User names are relatively easy to identify because most organizations create user names from an employee’s email address, initials, combinations of first and last names, or employee IDs. After a user name is known, the intruder might determine the correct password by guessing or by repeatedly logging on with combinations of characters or words until the logon is successful.

This type of attack, called brute force (or online password guessing), can be thwarted by limiting the number of incorrect logons allowed. That is exactly what account lockout policies achieve. Two caveats apply. First, lockout gives an attacker who knows your user names a way to lock accounts deliberately, which is a denial of service against your own users. Second, lockout does not stop password spraying, in which the attacker tries one or two common passwords against many accounts and stays under the threshold for each. Lockout is therefore a complement to strong passwords and to monitoring of failed logons, not a substitute for them. Account lockout policies are located in the node of the GPO directly below Password Policy. The Account Lockout Policy node is shown in Figure 8-2.

Figure 8-2 The Account Lockout Policy node of a GPO

Three settings are related to account lockout. The first of these settings, Account Lockout Threshold, determines the number of invalid logon attempts permitted within a time specified by the second of these settings, Reset Account Lockout Counter After. If an attack results in more unsuccessful logons within that time frame, the user account is locked out. When an account is locked out, Active Directory denies logon to that account, even if the correct password is specified. A threshold of 0, which is the default in a new domain, means that accounts are never locked out, however many invalid attempts are made.

An administrator can unlock a locked user account by following the procedure you learned in Chapter 3. You can also configure Active Directory to automatically unlock the account after a delay specified by a third setting, the Account Lockout Duration policy setting.
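Once lockout is enabled, the events it produces are what you should watch. The following script is an added example, not part of the training kit: it summarizes lockouts (event 4740, which the PDC emulator logs for every lockout in the domain) and Kerberos bad-password failures (event 4771 with status 0x18) over the last hour, and flags the spray pattern that lockout cannot catch: one source, many accounts, few failures each. It assumes the Active Directory module, rights to read the Security log on the PDC emulator remotely, and the one-hour window and ten-account threshold, all of which are assumptions you should tune.

```powershell
# Added example, not from the training kit. Assumptions: AD module available, remote read
# access to the PDC emulator's Security log, one-hour window, ten-account spray threshold.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-1)        # assumption: look back one hour
$sprayMinAccounts = 10                  # assumption: distinct accounts from one source

# Pull a named <Data> field out of an event's XML payload.
function Get-EventDataField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740: every lockout in the domain is recorded on the PDC emulator, with the caller computer.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since }
$lockouts | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Account = Get-EventDataField $_ 'TargetUserName'
        Caller  = Get-EventDataField $_ 'TargetDomainName'   # holds the caller computer name in 4740
    }
} | Format-Table Time, Account, Caller -AutoSize

# 4771 with status 0x18: Kerberos pre-authentication failed because the password was wrong.
# Bad-password attempts are chained to the PDC emulator, so it sees most of them.
$failures = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since } |
    Where-Object { (Get-EventDataField $_ 'Status') -eq '0x18' }

# Spray pattern: one source address, many distinct accounts, so no single account reaches the threshold.
$failures | ForEach-Object {
    New-Object PSObject -Property @{
        Source  = Get-EventDataField $_ 'IpAddress'
        Account = Get-EventDataField $_ 'TargetUserName'
    }
} | Group-Object Source | ForEach-Object {
    $accounts = @($_.Group | Select-Object -ExpandProperty Account -Unique)
    if ($accounts.Count -ge $sprayMinAccounts) {
        Write-Warning ("Possible password spray from {0}: {1} failures across {2} accounts" -f $_.Name, $_.Count, $accounts.Count)
    }
}
```

Run it from a management workstation or scheduled task that has log-reader rights on the PDC emulator. NTLM failures (event 4776) are not included here; add them the same way if your clients still authenticate with NTLM.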

Configuring the Domain Password and Lockout Policy

Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called Default Domain Policy that is linked to the domain and includes the default policy settings for password, account lockout, and Kerberos policies, shown in Figures 8-1 and 8-2. You can change the settings by editing the Default Domain Policy.

Fine-Grained Password and Lockout Policy

You can also override the domain password and lockout policy by using a feature introduced in Windows Server 2008 called fine-grained password and lockout policy, often shortened to simply fine-grained password policy. Fine-grained password policy enables you to configure a policy that applies to one or more groups or users in your domain.

Figure 8-3 Password-related properties of a user account

Fine-grained password policy is a highly anticipated addition to Active Directory. There are several scenarios for which fine-grained password policy can be used to increase the security of your domain. Accounts used by administrators are delegated privileges to modify objects in Active Directory; therefore, if an intruder compromises an administrator’s account, more damage can be done to the domain than could be done with the account of a standard user. For that reason, you should consider implementing stricter password requirements for administrative accounts. For example, you might require greater password length and more frequent password changes.

To use fine-grained password policy, your domain must be at the Windows Server 2008 domain functional level or higher, which means that all of your domain controllers in the domain are running Windows Server 2008 or later and the domain functional level has been raised to Windows Server 2008 or higher. Domain functional level is described in Chapter 12, “Managing Multiple Domains and Forests.”

To confirm and modify the domain functional level:

  1. Open Active Directory Domains And Trusts.

  2. In the console tree, expand Active Directory Domains And Trusts, and then expand the tree until you can see the domain.

  3. Right-click the domain and choose Raise Domain Functional Level.
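The same check from the Active Directory module for Windows PowerShell (Windows Server 2008 R2), as an added example that is not part of the training kit: it reports the current functional level, lists every domain controller with its operating system, and raises the level only in preview (-WhatIf) when no pre-Windows Server 2008 domain controller would block it. It assumes the module is installed and that you run it as a member of Domain Admins.

```powershell
# Added example, not from the training kit: confirm the domain functional level and
# that no domain controller older than Windows Server 2008 would block raising it.
# Assumes the Active Directory module (Windows Server 2008 R2 or RSAT) and Domain Admins rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain {0} is at functional level {1}" -f $domain.DNSRoot, $domain.DomainMode

# Every DC must run Windows Server 2008 (NT 6.0) or later before the level can be raised.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsReadOnly
$dcs | Format-Table -AutoSize

$blocking = $dcs | Where-Object {
    $ver = $_.OperatingSystemVersion -replace '\s.*$', ''     # "6.1 (7601)" becomes "6.1"
    $ver -and ([version]$ver -lt [version]'6.0')
}

$preWin2008Levels = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')

if ($blocking) {
    Write-Warning 'Upgrade or demote these domain controllers before raising the level:'
    $blocking | Format-Table HostName, OperatingSystem -AutoSize
}
elseif ($preWin2008Levels -contains $domain.DomainMode.ToString()) {
    # Preview only; remove -WhatIf to apply the change once you have reviewed the output.
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -WhatIf
}
else {
    'Fine-grained password policy is available at this functional level.'
}
```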

Other account types that require special treatment in a domain are those used by services and Internet Information Services (IIS) application pools. A service performs its tasks with credentials that must be authenticated with a user name and password just like those of a human user. However, most services are not capable of changing their own password, so administrators configure service accounts with the Password Never Expires option enabled. When an account’s password will not be changed, you should make sure the password is difficult to compromise. You can use fine-grained password policies to specify an extremely long minimum password length and no password expiration. Better yet, you can use a new feature of Windows Server 2008 R2—managed service accounts—for which passwords are automatically changed. Managed service accounts are discussed in Lesson 4 of this chapter.

Understanding Password Settings Objects

The settings managed by fine-grained password policy are identical to those in the Password Policy and Account Lockout Policy nodes of a GPO. However, fine-grained password policies are not implemented as part of Group Policy, nor are they applied as part of a GPO. Instead, a separate class of object in Active Directory maintains the settings for fine-grained password policy: the password settings object (PSO).

You can manage most Active Directory objects with user-friendly graphical user interface (GUI) tools such as the Active Directory Users And Computers snap-in. You manage PSOs, however, with lower-level tools such as Active Directory Service Interface Editor (ADSI Edit) or ldifde, or, in Windows Server 2008 R2, with the Active Directory module for Windows PowerShell (New-ADFineGrainedPasswordPolicy and its related cmdlets).

You can create one or more PSOs in your domain. Each PSO contains a complete set of password and lockout policy settings. A PSO is applied by linking the PSO to one or more global security groups or users. For example, to configure a strict password policy for administrative accounts, create a global security group, add the administrative accounts as members, and link a PSO to the group. Applying fine-grained password policies to a group in this manner is more manageable than applying the policies to each individual user account. If you create a new administrative account, you simply add it to the group and the account becomes managed by the PSO.

PSO Precedence and Resultant PSO

A PSO can be linked to more than one group or user, an individual group or user can have more than one PSO linked to it, and a user can belong to multiple groups. So which fine-grained password and lockout policy settings apply to a user? One and only one PSO determines the password and lockout settings for a user—this PSO is called the resultant PSO. Each PSO has an attribute that determines the precedence of the PSO. The precedence value is any number greater than 0, where the number 1 indicates the highest precedence. If multiple PSOs apply to a user, the PSO with the highest precedence (closest to 1) takes effect. Active Directory exposes the resultant PSO in a user object attribute, msDS-ResultantPSO, so you can readily identify the PSO that will affect a user. PSOs contain all password and lockout settings, so there is no inheritance or merging of settings. The resultant PSO is the authoritative PSO. The rules that determine precedence, and thus the resultant PSO, are as follows:

  • If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence wins.

  • If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored, regardless of their precedence. The user-linked PSO with highest precedence wins.

  • If one or more PSOs have the same precedence value, Active Directory must make a choice. It picks the PSO with the lowest globally unique identifier (GUID). GUIDs are like serial numbers for Active Directory objects—no two objects have the same GUID. GUIDs have no particular meaning—they are just identifiers—so picking the PSO with the lowest GUID is, in effect, an arbitrary decision. You should configure PSOs with unique, specific precedence values so that you avoid this scenario.
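The three rules above, modelled in code as an added example that is not part of the training kit. Against a live domain, Get-ADUserResultantPasswordPolicy performs this evaluation for you; the function here runs offline over constructed PSO records (names and GUIDs are invented) so you can see why a user-linked PSO with precedence 300 beats a group-linked PSO with precedence 5, and how a shared precedence value hands the decision to the objectGUID.

```powershell
# Added example, not from the training kit: a model of the resultant-PSO rules.
# Get-ADUserResultantPasswordPolicy does this against the directory; this function only
# makes the rules explicit over constructed data.

function Get-ResultantPso {
    param(
        [string]   $User,     # sAMAccountName of the user
        [string[]] $Groups,   # global security groups the user belongs to (nesting already expanded)
        [object[]] $Psos      # records with Name, Precedence, ObjectGuid, AppliesTo
    )
    # Rule 2: any PSO linked directly to the user removes group-linked PSOs from consideration.
    $candidates = @($Psos | Where-Object { $_.AppliesTo -contains $User })
    if ($candidates.Count -eq 0) {
        # Rule 1: otherwise, every PSO linked to one of the user's groups is a candidate.
        $candidates = @($Psos | Where-Object {
            $pso = $_
            @($Groups | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
        })
    }
    if ($candidates.Count -eq 0) { return $null }   # no PSO applies: the domain policy governs
    # Smallest precedence value wins. Rule 3: ties fall to the smallest objectGUID, modelled
    # here with .NET's System.Guid ordering (an assumption; AD documents only "smallest GUID").
    @($candidates | Sort-Object Precedence, ObjectGuid)[0]
}

function New-Pso([string]$Name, [int]$Precedence, [string]$Guid, [string[]]$AppliesTo) {
    New-Object PSObject -Property @{
        Name = $Name; Precedence = $Precedence; ObjectGuid = [guid]$Guid; AppliesTo = $AppliesTo
    }
}

# Constructed data: names, GUIDs and memberships are invented for the example.
$psos = @(
    (New-Pso 'AdminsPSO'     10  '11111111-0000-0000-0000-000000000001' @('Domain Admins'))
    (New-Pso 'HelpDeskPSO'    5  '11111111-0000-0000-0000-000000000002' @('Help Desk'))
    (New-Pso 'ContractorPSO' 300 '11111111-0000-0000-0000-000000000003' @('alice'))
    (New-Pso 'LegacyPSO'     300 '00000000-0000-0000-0000-000000000009' @('alice'))
)

# bob has only group-linked PSOs: HelpDeskPSO (5) outranks AdminsPSO (10).
(Get-ResultantPso 'bob' @('Domain Admins', 'Help Desk') $psos).Name

# alice has two user-linked PSOs, so HelpDeskPSO (5) is not even considered; ContractorPSO and
# LegacyPSO tie at 300 and the smaller objectGUID decides. Unique precedence values avoid this.
(Get-ResultantPso 'alice' @('Domain Admins', 'Help Desk') $psos).Name
```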

To view the msDS-ResultantPSO attribute of a user:

  1. Ensure that Advanced Features is enabled on the View menu.

  2. Open the properties of the user account.

  3. On the Attribute Editor tab, click Filter and ensure that Constructed is selected.

    The attribute you locate in the next step is a constructed attribute, meaning that the resultant PSO is not a hard-coded attribute of a user; rather, it is calculated by examining the PSOs linked to a user in real time.

  4. Locate the msDS-ResultantPSO attribute.

PSOs and OUs

PSOs can be linked to global security groups or users. PSOs cannot be linked to organizational units (OUs). If you want to apply password and lockout policies to users in an OU, you must create a global security group that includes all of the users in the OU. This type of group is called a shadow group—its membership shadows, or mimics, the membership of an OU.

Shadow groups are conceptual, not technical objects. You simply create a group and add the users that belong to the OU. If you change the membership of the OU, you must also change the membership of the group.
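Because nothing keeps a shadow group and its OU in step, the usual practice is a scheduled script. The following is an added example, not part of the training kit: it reconciles the direct members of a global security group with the users in an OU, creating the group if it does not exist. The OU and group names are assumptions, and the script needs an account that may modify the group's membership.

```powershell
# Added example, not from the training kit: keep a shadow group in step with an OU so that
# a PSO linked to the group follows the OU. OU and group names are assumptions.
Import-Module ActiveDirectory

$ouDn      = 'OU=Service Accounts,DC=contoso,DC=com'    # assumption
$groupName = 'Service Accounts Shadow'                   # assumption

# Create the global security group if it is missing; Get-ADGroup errors when it is not found.
$group = $null
try   { $group = Get-ADGroup -Identity $groupName -ErrorAction Stop }
catch { $group = New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
            -GroupCategory Security -Path $ouDn -PassThru }

# Users directly in the OU (OneLevel ignores child OUs; use Subtree to include them).
$inOu = @(Get-ADUser -Filter * -SearchBase $ouDn -SearchScope OneLevel |
          Select-Object -ExpandProperty DistinguishedName)
# Current direct members of the shadow group.
$inGroup = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty DistinguishedName)

$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })

if ($toAdd.Count)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

"{0}: added {1}, removed {2}" -f $groupName, $toAdd.Count, $toRemove.Count
```

Run it frequently enough that a newly created account is covered by the PSO before its first password change; until the script runs, the account is governed by the domain policy.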

PRACTICE: Configuring Password and Lockout Policies

In this practice, you use Group Policy to configure the domain-wide password and lockout policies for contoso.com. You then secure administrative accounts by configuring more restrictive, fine-grained password and lockout policies.

EXERCISE 1 Configure the Domain’s Password and Lockout Policies

In this exercise, you modify the Default Domain Policy GPO to implement a password and lockout policy for users in the contoso.com domain.

  1. Log on to SERVER01 as Administrator.

  2. Open Group Policy Management from the Administrative Tools program group.

  3. Expand Forest, Domains, and contoso.com.

  4. Right-click Default Domain Policy underneath the contoso.com domain and choose Edit.

  5. You might be prompted with a reminder that you are changing the settings of a GPO. If so, click OK.

    The Group Policy Management Editor appears.

  6. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.

  7. Double-click the following policy settings in the console details pane and configure the settings indicated:

    • Maximum Password Age: 90 Days

    • Minimum Password Length: 10 characters

  8. Select Account Lockout Policy in the console tree.

  9. Double-click the Account Lockout Threshold policy setting and configure it for 5 Invalid Logon Attempts. Then click OK.

  10. In the Suggested Value Changes dialog box, click OK.

    The values for Account Lockout Duration and Reset Account Lockout Counter After are automatically set to 30 minutes.

  11. Close the Group Policy Management Editor window.
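After the Default Domain Policy refreshes on the domain controllers, confirm that the values you set are the ones the domain actually enforces. The following script is an added example, not part of the training kit: it reads the effective domain policy with Get-ADDefaultDomainPasswordPolicy (Windows Server 2008 R2 Active Directory module) and reports every setting that differs from the baseline this exercise configures, treating the remaining values as the Windows defaults. The baseline table is an assumption you should adjust to your own standard.

```powershell
# Added example, not from the training kit: compare the effective domain password and
# lockout policy with a baseline. Baseline values are an assumption (this exercise plus defaults).
Import-Module ActiveDirectory

$baseline = @{
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 10
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}

$policy = Get-ADDefaultDomainPasswordPolicy -Identity contoso.com

$drift = foreach ($setting in ($baseline.Keys | Sort-Object)) {
    $actual = $policy.$setting
    if ($actual -ne $baseline[$setting]) {
        New-Object PSObject -Property @{ Setting = $setting; Expected = $baseline[$setting]; Actual = $actual }
    }
}

if ($drift) { $drift | Format-Table Setting, Expected, Actual -AutoSize }
else        { 'Domain password and lockout policy matches the baseline.' }

# Two conditions worth a hard alarm regardless of baseline.
if ($policy.ReversibleEncryptionEnabled) { Write-Warning 'Reversible encryption is enabled domain-wide.' }
if ($policy.LockoutThreshold -eq 0)      { Write-Warning 'Lockout threshold is 0: accounts never lock out.' }
```

If the report still shows the old values, Group Policy has not yet refreshed on the domain controllers; run gpupdate /force on them and check again. A persistent mismatch usually means another GPO linked at the domain level with higher precedence is setting the account policies.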

EXERCISE 2 Create a Password Settings Object

In this exercise, you create a PSO that applies a restrictive, fine-grained password policy to users in the Domain Admins group.

Before you proceed with this exercise, open Active Directory Users And Computers and confirm that the Domain Admins group is in the Users container. If it is not, move it to the Users container.

  1. Open ADSI Edit from the Administrative Tools program group.

  2. Right-click ADSI Edit and choose Connect To.

  3. In the Name box, type contoso.com. Click OK.

  4. Click and then expand contoso.com, and then click DC=contoso,DC=com.

  5. Expand DC=contoso,DC=com and click CN=System.

  6. Expand CN=System and click CN=Password Settings Container.

    All PSOs are created and stored in the Password Settings Container (PSC).

  7. Right-click the PSC, point to New, and then choose Object.

    The Create Object dialog box prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings—the technical name for the object class referred to as a PSO.

  8. Click Next.

    You are prompted for the value for each attribute of a PSO. The attributes are similar to those found in the GPO you examined in Exercise 1.

  9. Configure each attribute as indicated in the following list. Click Next after each attribute.

    • cn: My Domain Admins PSO. This is the friendly name of the PSO.

    • msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence because its value is the closest to 1.

    • msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.

    • msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.

    • msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.

    • msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.

    • msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).

    • msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.

    • msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by msDS-LockoutObservationWindow (the next attribute) will result in account lockout.

    • msDS-LockoutObservationWindow: 0:01:00:00. A given number of invalid logons (specified by the previous attribute) within one hour will result in account lockout.

    • msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.

    The attributes listed are required. After clicking Next on the msDS-LockoutDuration attribute page, you can configure optional attributes.

  10. Click More Attributes.

  11. In the Select A Property To View list, select msDS-PSOAppliesTo.

  12. In the Edit Attributes box, type the following:

    CN=Domain Admins,CN=Users,DC=contoso,DC=com

  13. Click Add, click OK, and then click Finish.
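The same PSO built with the Active Directory module for Windows PowerShell in Windows Server 2008 R2, as an added example that is not part of the training kit. The cmdlet parameters take the same values as the ADSI Edit attributes above (time spans in d.hh:mm:ss form), the link to Domain Admins is made with Add-ADFineGrainedPasswordPolicySubject, and the result is verified from the user side. It assumes the module is installed and you are a member of Domain Admins.

```powershell
# Added example, not from the training kit: create and link the PSO from Exercise 2 with the
# Active Directory module (Windows Server 2008 R2), then verify it. Assumes Domain Admins rights.
Import-Module ActiveDirectory

$psoName = 'My Domain Admins PSO'

New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 30 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '45.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.01:00:00' `
    -LockoutDuration '1.00:00:00'

# msDS-PSOAppliesTo: link the PSO to the group rather than to individual accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verification: the PSO's subjects, and the resultant PSO for a member of Domain Admins.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity Administrator |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Cleanup for the deletion exercise at the end of this practice; the link goes with the PSO.
# Remove-ADFineGrainedPasswordPolicy -Identity $psoName -Confirm:$false
```

If Get-ADUserResultantPasswordPolicy returns nothing for a user, no PSO applies to that user and the domain policy governs the account.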

EXERCISE 3 Identify the Resultant PSO for a User

In this exercise, you identify the PSO that controls the password and lockout policies for an individual user.

  1. Open the Active Directory Users And Computers snap-in.

  2. Click the View menu and make sure that Advanced Features is selected.

  3. Expand the contoso.com domain and click the Users container in the console tree.

  4. Right-click the Administrator account and choose Properties.

  5. On the Attribute Editor tab, click Filter and make sure that Constructed is selected.

    The attribute you will locate in the next step is a constructed attribute, meaning that the resultant PSO is not a hard-coded attribute of a user; rather, it is calculated by examining the PSOs linked to a user in real time.

  6. In the Attributes list, locate msDS-ResultantPSO.

  7. Identify the PSO that affects the user.

The My Domain Admins PSO that you created in Exercise 2, “Create a Password Settings Object,” is the resultant PSO for the Administrator account.
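Before trusting the value of msDS-ResultantPSO across a domain, audit the PSOs for the two conditions that make it unpredictable: shared precedence values (the tie is broken by objectGUID, which you do not control) and subjects that are not users or global security groups (a PSO linked to such an object affects nobody). The following is an added example, not part of the training kit; it assumes the Windows Server 2008 R2 Active Directory module and read access to the Password Settings Container.

```powershell
# Added example, not from the training kit: audit every PSO for shared precedence values,
# empty subject lists, and subjects that cannot receive a PSO. Assumes the AD module.
Import-Module ActiveDirectory

$psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Properties *)

# Shared precedence: Active Directory picks the smallest objectGUID, an arbitrary choice.
$psos | Group-Object Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning ("Precedence {0} is shared by {1}; assign unique values." -f $_.Name, $names)
}

foreach ($pso in $psos) {
    if (-not $pso.AppliesTo) {
        Write-Warning ("{0} (precedence {1}) applies to nothing." -f $pso.Name, $pso.Precedence)
        continue
    }
    foreach ($dn in $pso.AppliesTo) {
        $obj = Get-ADObject -Identity $dn
        switch ($obj.ObjectClass) {
            'user'  { }   # a direct user link: overrides every group-linked PSO for that user
            'group' {
                $g = Get-ADGroup -Identity $dn
                if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
                    Write-Warning ("{0} is linked to {1}, a {2} {3} group; only global security groups take effect." -f $pso.Name, $g.Name, $g.GroupScope, $g.GroupCategory)
                }
            }
            default {
                Write-Warning ("{0} is linked to {1} ({2}), which cannot receive a PSO." -f $pso.Name, $dn, $obj.ObjectClass)
            }
        }
    }
}
```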


EXERCISE 4 Delete the PSO

In this exercise, you delete the PSO you created in Exercise 2 so that its settings do not affect you in later exercises.

  1. Repeat steps 1–6 of Exercise 2 to select the Password Settings Container in ADSI Edit.

  2. In the console details pane, select CN=My Domain Admins PSO.

  3. Press Delete.

  4. Click Yes.

Lesson Summary

  • Password policy settings determine when a password can or must be changed and what the requirements of the new password are.

  • Account lockout settings cause Active Directory to lock out a user account if a specified number of invalid logons occurs within a specified period of time. Lockout helps prevent intruders from repeatedly attempting to log on to a user account in an effort to guess the user’s password.

  • A domain has one domain-wide set of password and lockout policies, defined using Group Policy and applied to every user unless a PSO overrides it. You can modify the default settings in the Default Domain Policy GPO to configure the policies for your organization.

  • Windows Server 2008 and Windows Server 2008 R2 give you the option to specify different password and lockout policies for global security groups and users in your domain. Fine-grained password policies are deployed not with Group Policy but with password settings objects.

  • If more than one PSO applies to a user or to groups to which a user belongs, a single PSO, called the resultant PSO, determines the effective password and lockout policies for the user. The PSO with the highest precedence (precedence value closest to 1) prevails. If one or more PSOs are linked directly to the user rather than indirectly to groups, group-linked PSOs are not evaluated to determine the resultant PSO, and the user-linked PSO with the highest precedence prevails.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Configuring Password and Lockout Policies.” The questions are also available on the companion CD if you prefer to review them in electronic form.

  1. You are an administrator at Tailspin Toys. Your Active Directory domain includes an OU called Service Accounts that contains all service accounts. Because you have configured service accounts with passwords that never expire, you want to apply a password policy that requires passwords of at least 40 characters. Which of the following steps should you perform? (Choose all that apply. Each correct answer is part of the solution.)

    1. Set the Minimum Password Length policy in the Default Domain Policy GPO.

    2. Link a PSO to the Service Accounts OU.

    3. Create a group called Service Accounts.

    4. Link a PSO to the Service Accounts group.

    5. Add all service accounts as members of the Service Accounts group.

  2. You want to configure account lockout policy so that a locked account will not be unlocked automatically. Rather, you want to require an administrator to unlock the account. Which configuration change should you make?

    1. Configure the Account Lockout Duration policy setting to 100.

    2. Configure the Account Lockout Duration policy setting to 1.

    3. Configure the Account Lockout Threshold to 0.

    4. Configure the Account Lockout Duration policy setting to 0.

  3. As you evaluate the password settings objects in your domain, you discover a PSO named PSO1 with a precedence value of 1 that is linked to a group named Help Desk. Another PSO, named PSO2, with a precedence value of 99, is linked to a group named Support. Mike Danseglio is a member of both the Help Desk and Support groups. You discover that two other PSOs are linked directly to Mike. PSO3 has a precedence value of 50, and PSO4 has a precedence value of 200. Which PSO is the resultant PSO for Mike?

    1. PSO1

    2. PSO2

    3. PSO3

    4. PSO4