RE: Minimum password requirements

From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 07/18/04

  • Next message: Pete Hunt: "Re: Minimum password requirements"
    Date: Sun, 18 Jul 2004 08:37:17 -0400
    To: "Randall M Gunning" <securityfocus@randygunning.com>, <security-basics@securityfocus.com>
    
    

    Without knowing the value of your data and systems, the below
    recommendations are inline with many people's/company's suggestions.

    I don't see the most important recommendations, however. You need to
    add a minimum length and complexity requirements.

    The inactive account setting of 14 days may be a little too strict.

    Consider disabling accounts as the first measure of inactivity, instead
    of deleting them. Also, consider do you back up the inactive system
    account's files and email before deleting, or do you just delete?

    If you have Windows systems, you should have the password a minimum
    length of 6-8, although many security experts would recommend a minimum
    length of 8 or even possibly 15 (passwords over 15 characters long
    disable LM password hashing).

    Also, use group policy or registry edits to disable LM password hashing
    and force NTLMv2 authentication.

    In Windows, you also need to create a policy for dealing with password
    changes of service accounts. Service account passwords must be changed
    in the Services console and in Active Directory/User Manager.

    Lastly, think about how you will determine inactive accounts. In
    Windows, you need Windows Server 2003 domain controllers and be at
    Windows 2003 domain functional level to be able trust the last logged on
    timestamp.

    Roger

    ************************************************************************
    ***
    *Roger A. Grimes, Banneret Computer Security, Computer Security
    Consultant
    *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
    *email: roger@banneretcs.com
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by
    O'Reilly
    *http://www.oreilly.com/catalog/malmobcode
    *Author of upcoming Honeypots for Windows (Apress)
    ************************************************************************
    ****

    -----Original Message-----
    From: Randall M Gunning [mailto:securityfocus@randygunning.com]
    Sent: Thursday, July 15, 2004 11:27 AM
    To: security-basics@securityfocus.com
    Subject: Minimum password requirements

    I am working on implementing some minimum standards for our department.
    I am wondering what the list thinks of these standards:

    a. Passwords must be changed at least every 90 days.
    b. Passwords cannot be changed for at least 14 days.
    c. Previous passwords cannot be reused (at least the last 10).
    d. User ids and passwords are "owned" by an individual and must not be
    shared with others.
    e. User accounts that have not been accessed (i.e. logged in to) for 30
    days will be deactivated.
    f. Inactive user accounts will be deleted after 14 days.

    The numbers I have used are what I used in the corporate world for
    systems that had no special security requirements (i.e. they did not
    have any confidential data on them). What are other people doing for
    this type of standard, if anything? Also, if you had your choice (not
    subject to a committee agreeing), what would you choose for these items?

    Please let me know if you have any questions.

    Thanks,

    Randy

    ------------------------------------------------------------------------

    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors. 
    Attend a course taught by an expert instructor with years of
    in-the-field pen testing experience in our state of the art hacking lab.
    Master the skills of an Ethical Hacker to better assess the security of
    your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    ----
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: Pete Hunt: "Re: Minimum password requirements"

    Relevant Pages

    • Re: windows groups and users
      ... > said i would help setup a win 2003 server for someone but to be honest ... > accounts and he only wants to keep the most esential of accounts. ... all security hotfixes and updates to insure any known exploitable ... Microsoft Windows MVP - Windows Server - Directory Services ...
      (microsoft.public.windows.server.active_directory)
    • Re: I want controll!
      ... Do not use control userpasswords2 to create accounts if you are using XP ... Microsoft Windows XP Home Edition and in Microsoft Windows XP Professional ... implemented for the sake of security and I appreciate the thought. ... you wouldn't expectan OS to automatically load a browser ...
      (microsoft.public.windowsxp.general)
    • Re: insufficient permissions-office diagnostics
      ... If I select the event viewer in the console tree, it shows log files in the ... it shows that the security log is 512 kb. ... access to the Microsoft Windows ... Guest accounts and user accounts with ...
      (microsoft.public.office.misc)
    • Re: different user groups with different security settings and windows environment
      ... Microsoft MVP (Windows Security) ... >> to all accounts. ... >>> Options working with User Groups. ...
      (microsoft.public.security)
    • Re: different user groups with different security settings and windows environment
      ... Microsoft MVP (Windows Security) ... >> to all accounts. ... >>> Options working with User Groups. ...
      (microsoft.public.windowsxp.security_admin)