Password change and password reset are terms that are often used interchangeably. However, they are not the same. A user will perform a password change when they remember their existing password, and a password reset when they have forgotten it.
Both operations are governed by the organization's domain password policy, which traditionally covers password complexity, length and change-frequency requirements. With a sound policy in place, users must meet the composition requirements whenever they change or reset their password.
But what makes a password policy secure? There is no shortage of regulatory and standards bodies that have weighed in on this topic. This article looks at what can be achieved using the native Active Directory (AD) Group Policy settings, including key capabilities that increase password security while balancing the user experience.
Active Directory password expiration
Password expiration is configured through the Maximum password age setting in the Default Domain Policy, edited in the Group Policy Management Console. The password settings in the Default Domain Policy apply to every domain user account; a Fine-Grained Password Policy (a Password Settings Object) can override them for specific users or groups.
Maximum password age sets the number of days a password can be used before the user is forced to change it. The default value is 42 days; administrators can adjust it, or set it to 0 so that passwords never expire.
Windows password policy settings
Other Windows password policy settings include:
- Enforce password history sets how many previously used passwords AD remembers so that a user cannot reuse them. The default and the maximum are both 24.
- Minimum password age sets how soon a user may change their password again after a change. Without it, a user could cycle through 24 throwaway passwords in a row and return to the original, defeating password history. The default is 1 day.
- Minimum password length sets the minimum number of characters a password must contain.
- Password must meet complexity requirements rejects passwords that contain the user's account name or any part of the user's full name longer than two consecutive characters, and requires characters from at least three of five categories: uppercase letters, lowercase letters, digits, non-alphanumeric characters, and other Unicode alphabetic characters.
- Store passwords using reversible encryption stores the password in a form that can be decrypted back to plain text, which is effectively plain-text storage and highly insecure. It exists only for protocols that need the cleartext password, such as CHAP or IIS Digest authentication, and should stay disabled unless such an application genuinely requires it.
These settings increase password security but can have a negative effect on end users. Complex passwords are forgotten passwords: whenever complexity requirements are introduced there is an uptick in helpdesk password reset calls, which according to Gartner can account for 30-40% of support costs.
To deflect password reset calls from the helpdesk, organizations should encourage passphrases, which native Active Directory policy cannot enforce directly. Passphrases are long passwords made up of unrelated words; they are harder to crack but easier for users to remember. NIST Special Publication 800-63B supports this by requiring verifiers to accept passwords of at least 64 characters, and it also advises against periodic password expiration, because forced changes lead users to make poor password construction decisions (incrementing a trailing digit, for example).
Eliminating password expiry altogether can leave an organization exposed indefinitely if an attacker has obtained a user's credentials. A better approach is length-based password aging: combined with passphrases, it rewards users who choose longer, stronger passwords with less frequent changes. Forced password changes will always cause some disruption, but these features alleviate much of the frustration. It is also important to display the password rules dynamically to users as they change their passwords; if too much guesswork is involved, users will call the helpdesk.
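The settings above are usually edited in the Group Policy editor, but they can be read, changed and verified from PowerShell, which also makes it easy to spot accounts that override them. The following is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module and rights to edit domain password policy; the group name 'Passphrase-Users-Group' and the user 'jdoe' are placeholders. Since Group Policy has no native length-based aging, the last part approximates it with a Fine-Grained Password Policy that grants a longer lifetime to users who must choose 20+ character passphrases.

```powershell
# Added example, not from the original article. Needs the RSAT ActiveDirectory
# module and rights to edit domain password policy. Group and user names are
# placeholders.
Import-Module ActiveDirectory

# 1. Read the settings currently in effect from the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled, ReversibleEncryptionEnabled

# 2. Apply the settings discussed above domain-wide. A MaxPasswordAge of 0 would
#    mean "never expires"; reversible encryption stays off.
Get-ADDefaultDomainPasswordPolicy |
    Set-ADDefaultDomainPasswordPolicy `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false

# 3. Reversible encryption can also be switched on per user (userAccountControl
#    bit 0x80, ENCRYPTED_TEXT_PWD_ALLOWED); list every account that has it set.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName

# 4. Approximate length-based aging with a Fine-Grained Password Policy: members
#    of the group must use 20+ character passphrases and in return change them
#    yearly. A PSO overrides the Default Domain Policy for the users it applies to.
New-ADFineGrainedPasswordPolicy -Name 'Passphrase-Users' -Precedence 10 `
    -MinPasswordLength 20 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'Passphrase-Users' `
    -Subjects 'Passphrase-Users-Group'

# 5. Verify which policy actually wins for a given user (the PSO with the lowest
#    precedence value that applies to them, otherwise the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Step 3 is worth running periodically: the per-user checkbox survives a policy change at the domain level, so a single account flagged years ago keeps its recoverable password until someone clears it.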
Active Directory password reset
Even with the user-oriented features described above, password reset calls to the helpdesk will still occur. Active Directory password resets are most commonly performed in Active Directory Users and Computers, where a user's password can be reset with a few clicks. The same can be done from the Active Directory Administrative Center or with PowerShell.
A common gap in organizations is user identity verification at the helpdesk: most rely on weak methods, such as an employee ID or security questions. Password reset verification receives little explicit attention in industry and regulatory guidance, yet a helpdesk that resets passwords for an unverified caller is a well-known social engineering target. This is where proactive steps are necessary.
Given that password reset calls make up a significant share of the support call load, organizations that want to reduce this cost while maximizing security should look to a self-service password reset solution. The solution should support user verification methods that go beyond security questions: although widely used, the answers are cumbersome for users to recall, and security questions are recognized as an insecure form of authentication because the answers can be obtained through social engineering. Prefer stronger factors that users already have, so that no separate enrollment is needed and the return on existing assets is extended.
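The difference between a change and a reset, stated at the top of the article, is visible in the PowerShell form of the operation and in the audit event it generates. The following is an added example, not code from the original article; it assumes the ActiveDirectory module, a placeholder account 'jdoe', and, for the reset part, an operator with "Reset password" rights on that account.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module;
# 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

$user = 'jdoe'
$dc   = (Get-ADDomain).PDCEmulator   # pin one DC so the audit event is easy to find

# Password CHANGE: the user proves knowledge of the current password. This needs
# no administrative rights; it is the operation a self-service tool performs.
$old = Read-Host -Prompt 'Current password' -AsSecureString
$new = Read-Host -Prompt 'New password' -AsSecureString
Set-ADAccountPassword -Identity $user -OldPassword $old -NewPassword $new -Server $dc

# Password RESET: the helpdesk sets a new password without knowing the old one.
# Do this only after the caller's identity has been verified with something
# stronger than an employee ID or security questions.
$temp = Read-Host -Prompt 'Temporary password' -AsSecureString
Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp -Server $dc
Unlock-ADAccount -Identity $user -Server $dc                        # lockouts often trigger the call
Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Server $dc # temp password is single-use

# Confirm the result on the account object.
Get-ADUser -Identity $user -Server $dc -Properties PasswordLastSet, LockedOut, PasswordExpired |
    Select-Object SamAccountName, PasswordLastSet, LockedOut, PasswordExpired

# Audit trail on the DC that processed it: 4723 is a change attempt (caller knew
# the old password), 4724 is a reset (a privileged account set it). Every 4724
# should map to a helpdesk ticket that records how the caller was verified.
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, Message
```

The -Server parameter matters for the last step: the 4723/4724 events are written only to the Security log of the domain controller that handled the request, so pinning the DC up front avoids searching every DC for the record.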
Active Directory password reset and change best practices
Ultimately, there is no one-size-fits-all approach. IT departments need to balance the user experience while maximizing security. When setting a secure password policy, consider the following password change and password reset best practices:
- Turn on password expiration with length-based password aging to promote secure password construction behavior while reducing risk.
- Secure all password reset scenarios at the helpdesk and self-service with more secure forms of authentication.
- Display password rules dynamically to users changing or resetting their passwords. Frustrated users will contact the helpdesk.
You can start balancing the scale today with Specops uReset, a self-service password reset solution facilitating Active Directory password resets and changes. Through a graphic password policy rule display, the solution reduces errors and guess-work for end-users. Its robust multi-factor authentication engine includes various forms of user-verification that can extend authentication security to the helpdesk.
Handling passwords in PowerShell
We often need to use a password in PowerShell and pass it to a cmdlet's Credential parameter. A password should always be handled as a secure string, never as plain text. The methods below show how to obtain one.
a) Get-Credential Format
The first method captures both the username and the password through the Get-Credential cmdlet, which shows a GUI prompt. You can store the result in a variable and use it later in a command.
The credentials are stored in the $cred variable. Inspecting the variable shows the user name and, for the password, a System.Security.SecureString rather than the text you typed.
The password is stored as a secure string, and you can pass the variable to any cmdlet that supports the Credential parameter.
To see what the encrypted form of the secure string looks like, pipe it to the ConvertFrom-SecureString command.
b) Secure String Format
Another method to obtain the password as a secure string is Read-Host with the -AsSecureString parameter.
You can use this password directly with cmdlets that support the Credential parameter by creating a new PSCredential object from the user name and the secure string.
This password variable is also of type SecureString, and again you can view the encrypted form by piping it to ConvertFrom-SecureString.
Once the password is a secure string you can use it directly as the password; ConvertFrom-SecureString is not needed for that. It only shows the encrypted representation, which is also what you write to a file when the password has to be stored, as described below.
c) Clear text format
If the password is only available in clear text, you can pass it directly to commands that accept a plain Password parameter, but this is not recommended: the password ends up in the script, in the command history and in any transcript or script block log, and anyone who can read those has it.
You can convert the clear-text password into a secure string instead. This is useful when the password sits in a text file in a protected location and PowerShell needs to use it without cleartext appearing in the script.
The password is now a secure string and can be used in the credential. Here it is used to connect to the vCenter server TestvCenter.lab with the $cred credential.
The encrypted form produced by ConvertFrom-SecureString is a long hex-encoded string, not the original password. Without the -Key parameter it is protected with Windows DPAPI, which means it can only be decrypted by the same user account on the same computer.
To store the password in a file, write that encrypted string to the file.
When reading it back, convert it to a secure string again with ConvertTo-SecureString, because the Credential parameter only accepts secure strings.
You can use this password in the credential parameter of the supported cmdlets.
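The following is an added example, not code from the original tutorial, that puts the pieces above together into the pattern a scheduled script actually needs: capture the password once with Read-Host -AsSecureString, store it with ConvertFrom-SecureString, and rebuild a PSCredential from the file at run time. The file path, the account 'lab\svc-vcenter' and the host TestvCenter.lab are placeholders, and Connect-VIServer requires VMware PowerCLI.

```powershell
# Added example, not from the original tutorial. Path, account and host name are
# placeholders; Connect-VIServer needs VMware PowerCLI installed.

function Save-ProtectedPassword {
    # Capture the password interactively (never from a literal in a script) and
    # store it DPAPI-protected.
    param([Parameter(Mandatory)][string]$Path)
    $secure = Read-Host -Prompt 'Password' -AsSecureString
    # Without -Key, ConvertFrom-SecureString uses DPAPI: the output decrypts only
    # for the same Windows user on the same machine. Copying the file to another
    # host, or running the script as a different account, fails with
    # "Key not valid for use in specified state" instead of revealing anything.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -NoNewline
    # Restrict the file to the current user as well; DPAPI binds the content, but
    # the ACL stops other accounts from even reading the blob.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    # Rebuild the PSCredential. The Credential parameter needs a SecureString, so
    # the stored blob goes back through ConvertTo-SecureString, with no
    # -AsPlainText anywhere in the path.
    param([Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][string]$Path)
    $secure = Get-Content -Path $Path -Raw | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# One-time setup, run interactively as the account that will execute the script.
Save-ProtectedPassword -Path 'C:\secure\svc-vcenter.cred'

# In the scheduled script: no plain text in the source, history or transcript.
$cred = Get-StoredCredential -UserName 'lab\svc-vcenter' -Path 'C:\secure\svc-vcenter.cred'
Connect-VIServer -Server 'TestvCenter.lab' -Credential $cred

# What NOT to do: this leaves the password in the script file, in Get-History and
# in any PowerShell transcript or script block log, which is the clear-text case
# described above.
# $bad = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force
```

Two design notes. Export-Clixml on a PSCredential object is a shorthand for the same DPAPI protection and is fine to use instead of the explicit ConvertFrom-SecureString step. Supplying -Key to ConvertFrom-SecureString makes the file portable across users and machines, but a key that lives in the script next to the file is obfuscation, not encryption; if the secret has to move between hosts, a proper secret store is the right tool.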