Understanding Fine-Grained Password Policies in Active Directory
Explore the intricacies of Fine-Grained Password Policies (FGPP) in Active Directory, covering topics such as domain account policies, policy recovery methods, interpreting pwdProperties attribute, and implementing PSOs for granular password settings. Delve into the nuances of password complexity, history maintenance, lockout thresholds, and more to enhance security configurations effectively.
Presentation Transcript
Fine Grained Password Policies (FGPP)
Why you will accidentally lock everyone out
Oliver Morton, oliverm@sec-1.com, @grimhacker
Domain Accounts Policy
Consists of the Password Policy and the Lockout Policy, as reported by "net accounts":
- Minimum Password Age (days)
- Maximum Password Age (days)
- Minimum Password Length
- Length of Password History Maintained
- Lockout threshold
- Lockout duration (minutes)
- Lockout observation window (minutes)
Also:
- Password Stored in Reversible Encryption
- Password Complexity Enabled
Recovering the Accounts Policy
Over a NULL session or with credentials.
Windows API (a variety of tools available):
- Nettynum
- Dumpsec
- Rpcclient
- Enum4linux
- Nbtenum
- Net accounts
LDAP:
- Ldp.exe
Interpreting the pwdProperties Attribute
A 32-bit bit-flag value readable on the base of the domain after binding with LDAP. Flag values:
  DOMAIN_PASSWORD_COMPLEX            1
  DOMAIN_PASSWORD_NO_ANON_CHANGE     2
  DOMAIN_PASSWORD_NO_CLEAR_CHANGE    4
  DOMAIN_LOCKOUT_ADMINS              8
  DOMAIN_PASSWORD_STORE_CLEARTEXT   16
  DOMAIN_REFUSE_PASSWORD_CHANGE     32
Tool: pwdproperties.py
Demo: using ldp.exe and pwdproperties.py
The brand new *cough* 2008 *cough* fine grained password policy!
- Represented as Password Settings Objects (PSOs) under the System container.
- Domain Functional Level must be 2008 or higher; PSOs can be created before this but will not be enforced.
- Settings from multiple PSOs cannot be merged: exactly one PSO applies to a user.
- PSOs can be associated with users directly or via a group. msDS-PSOAppliesTo on the PSO holds the list of users and groups that PSO applies to; msDS-PSOApplied holds the list of PSOs on a group.
- Every PSO has a precedence between 1 and 2,147,483,646 stored in msDS-PasswordSettingsPrecedence; the lowest value wins a conflict.
- A PSO directly applied to a user wins over one applied via a group, regardless of precedence.
PSO Attributes
Attribute                                  Description
cn                                         The name of the PSO
msDS-PasswordSettingsPrecedence            The order of precedence of the PSO in the event that multiple PSOs apply to a user
msDS-PasswordReversibleEncryptionEnabled   Toggles storing the password with reversible encryption
msDS-PasswordHistoryLength                 The number of previous passwords stored in Active Directory
msDS-PasswordComplexityEnabled             Toggles password complexity checking
msDS-MinimumPasswordLength                 The minimum length of the password
msDS-MinimumPasswordAge                    The minimum interval before the password can be reset
msDS-MaximumPasswordAge                    The maximum age of the password before it must be reset
msDS-LockoutThreshold                      The number of failed login attempts necessary to trigger a lockout
msDS-LockoutDuration                       The number of minutes to lock the account out
msDS-LockoutObservationWindow              The time window during which the lockout threshold is maintained
Finding the Resultant PSO
- Use LDAP to find which PSOs exist and manually verify which one wins.
- psomgr -effective <username>
- Active Directory Administrative Center (ADAC)
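To make the precedence rules from the previous two slides concrete, here is an added Python example (not code from the talk, nor from psomgr) that resolves a user's resultant PSO from constructed LDAP-style records; the DNs, the sample PSOs, and the assumption that group membership is already expanded are mine, not the page's.

```python
# Added example: resolve the resultant PSO for a user from constructed
# LDAP-style records. Not code from the talk or from psomgr; the DNs and
# sample PSOs below are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PSO:
    cn: str
    precedence: int              # msDS-PasswordSettingsPrecedence, 1..2147483646
    applies_to: list = field(default_factory=list)  # msDS-PSOAppliesTo (user/group DNs)

def resultant_pso(user_dn: str, group_dns: list, psos: list) -> Optional[PSO]:
    """Pick the one PSO that governs user_dn, or None if only the domain policy applies.

    Rules from the slides: settings from several PSOs are never merged; a PSO
    linked directly to the user beats any PSO linked through a group, even if
    the group's PSO has a lower precedence number; among the remaining
    candidates the lowest msDS-PasswordSettingsPrecedence wins.
    Assumption: group_dns already contains the user's nested group membership
    (e.g. resolved from tokenGroups), and precedence values are unique.
    """
    direct = [p for p in psos if user_dn in p.applies_to]
    candidates = direct or [p for p in psos if any(g in p.applies_to for g in group_dns)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.precedence)

# Constructed directory: the two CESG-style PSOs plus one linked directly to a user.
BASE = "DC=example,DC=com"
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
ALICE = f"CN=alice,CN=Users,{BASE}"            # ordinary user
BOB = f"CN=bob,CN=Users,{BASE}"                # domain admin
SVC_BACKUP = f"CN=svc-backup,CN=Users,{BASE}"  # admin with a directly linked PSO

SAMPLE_PSOS = [
    PSO("Granular Password Settings Users", 2, [DOMAIN_USERS]),
    PSO("Granular Password Settings Administrators", 1, [DOMAIN_ADMINS]),
    PSO("Service Account Settings", 50, [SVC_BACKUP]),  # direct link wins despite 50 > 1
]

if __name__ == "__main__":
    for dn, groups in [(ALICE, [DOMAIN_USERS]),
                       (BOB, [DOMAIN_USERS, DOMAIN_ADMINS]),
                       (SVC_BACKUP, [DOMAIN_USERS, DOMAIN_ADMINS])]:
        winner = resultant_pso(dn, groups, SAMPLE_PSOS)
        print(f"{dn}: {winner.cn if winner else 'Default Domain Policy'}")
```

Compare the result against psomgr -effective or msDS-ResultantPSO on a real directory before relying on it; the point of the example is that the service account ends up on the precedence-50 PSO, not the precedence-1 administrators PSO.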
Demo: ldp.exe to show PSOs
Why should I care?
- Locking out accounts
- Inefficient dictionary attacks
Example: CESG Guidelines for End User Devices, Group Policy Value(s)
CN=System > CN=Password Settings Container > CN=Granular Password Settings Users
  Precedence: 2
  Enforce minimum password length: 9 characters
  Password must meet complexity requirements: Enabled
  Enforce lockout policy: 5 attempts
  Account will be locked out: Until an administrator manually unlocks the account
  Directly Applies To: Domain Users
CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators
  Precedence: 1
  Enforce minimum password length: 14 characters
  Password must meet complexity requirements: Enabled
  Enforce lockout policy: 5 attempts
  Account will be locked out: Until an administrator manually unlocks the account
  Directly Applies To: Domain Admins
  Protect from accidental deletion: Enabled
Questions?
Oliver Morton, oliverm@sec-1.com, @grimhacker