Windows Server 'Longhorn': Granular Password Settings

http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/03/12/windows-server-quot-longhorn-quot-granular-password-settings.aspx

Sun, 16 Mar 2008 20:26:43 GMT

Pingback from msmvps.com/.../windows-server-quot-longhorn-quot-granular-password-settings.aspx

Windows Server 2008 - Fine-Grained Password Policies

Jorge 's Quest For Knowledge! — Thu, 09 Aug 2007 21:20:22 GMT

In previous OSes if you wanted to create multiple password or account lockout policies you basically

Active Directory Domain Services: Fine-grained Password Policies

Kurt Roggen's blog — Wed, 18 Jul 2007 08:00:02 GMT

[This information is based on the Windows Server 2008 June CTP and is subject to change...] Windows Server

Free UI Console for Fine-Grained Password Policies « Dmitry’s PowerBlog

Free UI Console for Fine-Grained Password Policies « Dmitry’s PowerBlog — Tue, 19 Jun 2007 15:55:10 GMT

Pingback from Free UI Console for Fine-Grained Password Policies « Dmitry’s PowerBlog

Manage Fine-Grained Password Policies with PowerShell « Dmitry’s PowerBlog

Manage Fine-Grained Password Policies with PowerShell « Dmitry’s PowerBlog — Mon, 18 Jun 2007 12:20:42 GMT

Pingback from Manage Fine-Grained Password Policies with PowerShell « Dmitry’s PowerBlog

Window Server 2008 » Windows Server 2008: Fine-grained password policies

Window Server 2008 » Windows Server 2008: Fine-grained password policies — Mon, 11 Jun 2007 16:28:33 GMT

Pingback from Window Server 2008 » Windows Server 2008: Fine-grained password policies

4sysops -- Windows Server 2008: Fine-grained password policies

4sysops -- Windows Server 2008: Fine-grained password policies — Thu, 31 May 2007 19:19:38 GMT

Pingback from 4sysops -- Windows Server 2008: Fine-grained password policies

New in Longhorn Server - Active Directory Changes Part 2

Tech Talk Blog — Tue, 08 May 2007 14:21:43 GMT

In this post I continue on from Part 1, examining new functionality in Active Directory coming with Longhorn...

Ziarniste polityki hasel

pkrzysz blog — Sat, 21 Apr 2007 08:40:25 GMT

Ziarniste polityki haseł

Windows Server Code Name "Longhorn" — Thu, 12 Apr 2007 11:01:23 GMT

Od lutowego CTP dostępne są ziarniste polityki haseł - czyli możliwość przypisywania polityk haseł do

Windows Server "Longhorn" - Múltiplas Políticas de Senha

Segurança na Microsoft — Fri, 06 Apr 2007 14:53:47 GMT

Uma limitação conhecida do Active Directory é a de ele suportar somente uma única política de senhas

Last CTP Before Beta 3

Windows Server Division WebLog — Thu, 05 Apr 2007 22:58:49 GMT

Late on Wednesday, as part of our commitment to deliver regular updates of Windows Server "Longhorn"

Windows Server Longhorn – Functional Levels

Jorge 's Quest For Knowledge! — Sun, 18 Mar 2007 21:25:26 GMT

Windows Server Longhorn will support three forest functional levels: Windows 2000 à W2K DCs and higher

re: Windows Server 'Longhorn': Granular Password Settings

Guido Grillenmeier — Sun, 18 Mar 2007 13:42:16 GMT

Nice post Ulf - this comment is similar to what I posted on ActiveDir.org where this feature is also being discussed right now. The discussions often mention the need of a UI to manage it.

I don’t think that administrators will need much of a UI to configure password policy – a useful cli-tool should do, as I don’t see this used for too many different policies in a company. There may be exceptions where companies want to configure extra strong policies for (non-admin) users working with more sensitive data, but I don’t expect more than maybe 3-5 policies in most companies (…keep it simple…)

So while the challenge is not necessarily configuring the policies (even works quite fine with ADSIedit – you only have to get over the time-conversion quirk), it will certainly be understanding the active policy for a specific user, for example when a user calls the helpdesk because he or she has an issue setting a new password… (I can hear them already asking the helpdesk why his 8 char password is not accepted…) How will the helpdesk know which policy applies to the user? What if it’s one that doesn’t have the default domain policy but instead is member of a group that a specific Password Settings Object (PSO) has been applied to?

This info is easy to retrieve, but it’s not available easily in the current UIs - the following two attributes will retrieve the required data:

* ms-DS-PSO-Applied => this is a Backlink attribute of a user or group object (corresponds to the ms-DS-PSO-AppliesTo ForwardLink of the respective PSO object) and returns the DN of all the PSOs that are directly linked with the user or group. Note that multiple policies can be applied to a user or group and you’d need to run a query over the various groups and nested groups to determine all the PSOs that are applied directly and indirectly to a user and then evaluate the one with the highest priority/precedence. You’d first want to check If a policy is applied directly to a user as this always takes precedence over any policy applied via a group.

* ms-DS-Resultant-PSO => this a constructed attribute for users that return the DN of the one resultant password policy that is applied to the user – you do not need to add any additional logic to find the right PSO, as this is what the system has already evaluated in the background.

Both values only return the DN of the respective PSO => the PW related attributes of the PSO still need to be read and displayed appropriately to be helpful to the admin/helpdesk folks. This is where I expect the need for a UI to be more important – administrators and helpdesk folks will need a simple UI to show the Resultant-PSO and its values of a user. There is not much magic involved in this task, but one that simply needs to get done. It may be best to simply add a small VB script to the ADUC context menus of a user object via display-specifiers to show these values.

Note that these attributes are not part of any of the existing permission property sets; by default only members of domain admin group have access to the ms-DS-Resultant-POS attribute and PSO objects – as such this is one more thing to consider when delegating rights for other folks to read (or potentially edit) the password policies.

All in all I believe this is a very powerful feature - even though not all companies will need it. Especially those that try to get rid of the need of user's typing in their own passwords directly: moving to SmartCards will further increase security and won't require multiple PW policies...

cheers,

Guido

re: Windows Server 'Longhorn': Granular Password Settings

Ulf B. Simon-Weidner — Sun, 18 Mar 2007 10:27:28 GMT

Hi Nils,

while you are right that it would be nice to allow additional settings (grade of complexity, dictionary compares,..) I still believe that this is going in the right direction. What we get for now is less domains for password policy reasons, and a more granular way to decide which users should have which settings when it comes to lockouts and length. This is handy to differenciate regular users, admins, service accounts,...

If you want to add additional criteria which is not in Windows today at all, you'll have to stick with custom filters - and the risk for doing this. I think a password campaign in your company serves you better than a technical compare to dictionaries. There are enough interfaces out there which you are unable to influence (websites, 3rd-party apps) so your users should get taught what a good password is. Also creating a custom passflt.dll (IMHO) is a technical risk - it could blue-screen your DC since it's pretty deep in the system. Added features (like dictionaries) might increase the risk of a failure, which might leave your DC in a unstable state.

To answer your question, if you'd still be able to use a custom filter: as far as I know Yes. However if you want the added features described in this post you might need to get a new version of your filters as well, which take these settings into credit.

Ulf

Windows Server Longhorn - Per User Password Policy

Musings, Ramblings, and the Occasional Useful Information — Fri, 16 Mar 2007 16:15:08 GMT

I can't imagine that this will make the front page of People Magazine , but if you are a Network or Security

re: Windows Server 'Longhorn': Granular Password Settings

Nils Kaczenski — Tue, 13 Mar 2007 08:11:47 GMT

What a pity! To me it seems they just added complexity and missed the chance to add security. Why not implement sophisticated filters that check newly created passwords against a more complete set of criteria - such as dictionaries (a simple yet powerful way to avoid trivial and standard passwords) and all-too-simple variations of common passwords? The filtering functions you describe still allow trash passwords like "aaaaa1!" or the like.

So we still have to go for common password filters. I hope at least they did not cut the interfaces to do that.

Somewhat disappointed, Nils

Longhorn and password policy

Tomek's DS World — Mon, 12 Mar 2007 22:31:05 GMT

Ulf (DS MVP) who is now having a lot of fun during MVP summit with other MVPs (I'm really jealous) found

W2K.PL » Blog Archive » Longhorn i zasady hase??

W2K.PL » Blog Archive » Longhorn i zasady hase?? — Mon, 12 Mar 2007 22:17:01 GMT

PingBack from http://www.w2k.pl/longhorn-i-zasady-hasel/