One Size Doesn't Fit All: How Fine-Grained Password Policies Can Help

Jeff Hayslett | 10/18/2017

Many information security teams and organizations struggle with increasing the controls around their password settings due to pushback from users. The pushback tends to center around requirements for longer passwords and the frequency of requests for users to change their passwords.

Complaints about the hassles of passwords notwithstanding, the primary objective of information security teams is to keep their networks safe and secure. So which users should be required to remember 14-character passwords? Should standard users have the same password requirements as domain administrators? Is it possible to create different password policies within a domain? To help organizations define different policies for different user groups, Microsoft introduced fine-grained password policies with its release of the Microsoft® Windows Server® 2008 operating system. Fine-grained password policies allow a domain to have more than one password policy; domains running at a functional level below that of Windows Server 2008 are limited to a single policy.

Thanks to fine-grained password policies, organizations can apply different password policies to different groups and accounts within a domain. For example, a default domain policy might be fine for standard users who have no administrative access anywhere in the network, but should domain administrators or help desk accounts have the same password standards as nonprivileged accounts?

Consider the domain user, help desk, and domain administrator account types and the differences in access and privileges among them. Domain users should have little to no administrative access on the network, except when absolutely necessary to perform job-related tasks. Help desk accounts should have some authority delegations that allow them to perform their duties, such as resetting passwords or accessing the local administrator account on desktops. Domain administrators should have complete access across the network, and because of this level of access, they are the ideal targets for attackers.

The following chart offers examples of three different password policies.

                                         Policy A   Policy B   Policy C
Minimum Password Length (characters)         8         12         20
Maximum Password Age (days)                 60         45         60
Account Lockout Threshold (attempts)         5          3          3
Account Lockout Duration (minutes)          15         30         30
Reset Account Lockout (minutes)             15         30         30

In a domain that does not use fine-grained password policies, administrators can apply only one of the above password policies, and it applies to every account in the domain. While Password Policy A might be fine for domain users, it might not be acceptable for help desk or domain administrator accounts. Of course, organizations could write policies that state that accounts of different privilege levels should adhere to different standards. However, enforcing those standards becomes another matter that involves administrator follow-up and user buy-in. Password Policy C might seem like a good policy for domain administrator accounts, but domain users might not be happy with its level of complexity. Users forgetting their passwords would also increase the number of password reset requests to the help desk.

With fine-grained password policies, domain administrators can apply all three of these password policies as appropriate. Password Policy A could be applied to domain users’ accounts since, of the three categories, domain users require the least privilege on the network. At the same time, help desk accounts could operate under Password Policy B, a slightly more stringent password policy than Password Policy A because of their elevated privilege levels. Lastly, domain administrators could have Password Policy C applied to their accounts, creating an even stricter password policy for accounts that have complete access to the domain. Fine-grained password policies can also be applied to individual accounts that belong to other groups. This selective application helps with users who normally operate under the default domain policy as members of a group but who need a stricter password policy because of some form of elevated privilege.

Setting up fine-grained password policies involves a few steps and requirements. To use these policies, the domain must be running at a minimum functional level of Windows Server 2008, and a policy cannot be applied across domains; it applies only within the domain in which it is defined. Microsoft also offers configuration directions for the Microsoft Windows Server 2012 operating system and for the Windows Server 2008 operating system to support domain administrators who want to implement these policies.
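The following PowerShell script is an added example, not code from the original post or from Microsoft, that builds the three chart policies as fine-grained password policy objects (PSOs) with the ActiveDirectory module, binds each to a group, and then checks which policy actually wins for a given account. The PSO names, the help desk group name HelpDesk-Operators, the sample account names, and the password-history and minimum-age values (which the chart does not specify) are assumptions made for this example.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and a domain at the Windows Server 2008 functional level or
# higher. Run as an account permitted to create PSOs (e.g. a Domain Admin).
Import-Module ActiveDirectory

# Pre-flight: PSOs exist only from the Windows Server 2008 domain functional level.
$mode = (Get-ADDomain).DomainMode
if ($mode -in 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') {
    throw "Domain functional level '$mode' does not support fine-grained password policies."
}

# One entry per column of the chart. Precedence: when an account is covered by
# several PSOs, the one with the LOWEST precedence number wins, so the strictest
# policy (C) gets the lowest number. The 'Subject' is the group the PSO binds to;
# 'HelpDesk-Operators' is an assumed group name.
$policies = @(
    @{ Name = 'PSO-A-DomainUsers';  Precedence = 30; MinLen = 8;  MaxAgeDays = 60
       Threshold = 5; DurationMin = 15; WindowMin = 15; Subject = 'Domain Users' }
    @{ Name = 'PSO-B-HelpDesk';     Precedence = 20; MinLen = 12; MaxAgeDays = 45
       Threshold = 3; DurationMin = 30; WindowMin = 30; Subject = 'HelpDesk-Operators' }
    @{ Name = 'PSO-C-DomainAdmins'; Precedence = 10; MinLen = 20; MaxAgeDays = 60
       Threshold = 3; DurationMin = 30; WindowMin = 30; Subject = 'Domain Admins' }
)

foreach ($p in $policies) {
    # Idempotent: only create the PSO if it does not already exist.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name `
            -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLen `
            -MaxPasswordAge (New-TimeSpan -Days $p.MaxAgeDays) `
            -MinPasswordAge (New-TimeSpan -Days 1) `
            -PasswordHistoryCount 24 `
            -ComplexityEnabled $true `
            -ReversibleEncryptionEnabled $false `
            -LockoutThreshold $p.Threshold `
            -LockoutDuration (New-TimeSpan -Minutes $p.DurationMin) `
            -LockoutObservationWindow (New-TimeSpan -Minutes $p.WindowMin) `
            -Description "Example fine-grained policy $($p.Name)"
    }
    # Bind the PSO to its group (users and global security groups are valid subjects).
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Verification: report the resultant policy for each account. Domain Admins are
# also members of Domain Users, so this confirms that precedence picks the
# stricter PSO rather than the one bound to Domain Users.
function Show-ResultantPolicy {
    param([string[]]$SamAccountNames)
    $default = Get-ADDefaultDomainPasswordPolicy
    foreach ($sam in $SamAccountNames) {
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $sam
        $name = if ($pso) { $pso.Name } else { '(Default Domain Policy)' }
        $len  = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
        [pscustomobject]@{ User = $sam; Policy = $name; MinPasswordLength = $len }
    }
}

# Sample account names are placeholders; substitute real sAMAccountNames.
Show-ResultantPolicy -SamAccountNames 'jdoe', 'helpdesk01', 'da-admin' | Format-Table -AutoSize
```

Two points worth checking before relying on the result. First, group nesting matters: because every domain administrator is also a member of Domain Users, the admin PSO must carry a lower precedence number than the one bound to Domain Users, otherwise the lenient policy wins; the verification function exposes that mistake immediately. Second, PSOs bind to users and global security groups only, not to organizational units, so an account placed in an "Admins" OU but not in the bound group still falls back to the default domain policy.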

By using fine-grained password policies, information security teams and administrators can help strengthen the security of passwords within a domain without increasing the difficulty of the passwords used by standard, nonprivileged users. However, domain administrators should have password requirements befitting their access levels to make it more difficult for attackers to gain access to their accounts.

In a world of evolving cyberthreats, securing network access is of utmost importance. Fine-grained password policies can help get organizations closer to their security goals.

Microsoft and Windows Server are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.