Outdated Password Policy

Now is the time to talk about the skeletons in everyone's closet that every administrator has had on their mind for years, but – for whatever reason – failed to implement. To begin: password policy.

The whole world is talking about two-factor authentication (2FA) and passwordless authentication and is horrified to find that the enterprise still allows the use of six- or eight-digit passwords without complexity rules. The 2003 rulebook from the National Institute of Science and Technology (NIST) was a good idea but has proven to be a mistake over time. Permanent changes to passwords have forced users to add a counter or append the month as a number. All security experts (and even the GPO templates) now agree on the length of a good password. It should be at least 14 characters – more is better.

The BSI has responded to this realization and now says that a password change is no longer necessary if it is a long, complex password that has not yet been compromised. This development is interesting because it means that admins need to check the password quality of their user accounts regularly.

A very good tool for this purpose is provided by DSInternals [14]. Its PowerShell cmdlets let you integrate to an offline "Have I Been Pawnd" database (Figure 3), which means storing a text file of about 30GB on the system that contains most of the currently known password hashes that have already been compromised by attackers. The DSInternals cmdlets now check whether the password hashes appear in the database in your own AD.

Figure 3: Websites deliver statistics on how often a password has been compromised by attackers; these are important facts to drive password changes in the enterprise.

If you combine DSInternals cmdlets with the PwnedPass-Check PowerShell module [15], you can efficiently determine how often a password has already appeared in various databases. Armed with this knowledge, you can evaluate how urgent the need is to change the password. A password that occurs only 25 times in a database is certainly not one of the first to be used in an attack, unlike a password that appears 46,000 times (e.g., secret ).

Fewer Rights for Admins

Reducing administrator authorizations is one of the easiest tasks to implement with group policy. The organizational aspects are the problem, starting with the local administrators of a client or member server and ending with the number of domain admins in the enterprise. Only in the rarest of cases will you have a clear overview of who has to manage which systems and who needs administrative authorizations for the system.

If you look at it, everyone knows this is one of the biggest problems in any organization and that some people absolutely need to be removed from specific groups. Unfortunately, especially in small to mid-size enterprises (SMEs), the potential for political pressure is high if a veteran colleague insists on keeping their authorizations. Many people feel that something is being taken away from them, when in fact it is no more than self-protection.

Defender Firewall vs. GPOs

Microsoft's Defender firewall is still disabled in many companies. Although various group policies and processes are used to prevent an attack propagating on the network, if credentials such as a local admin account are compromised, an attacker can log in to any machine in the organization because the password is often identical on every machine.

With Defender, you can block access from the network to a computer when assigning user authorizations for any local account. When WannaCry attacked the client via the SMBv1 protocol, Microsoft delivered patches, whereas the far easier way would have been to disable SMBv1, if there were no dependencies on it. The PetitPotam attack became active again in April 2022 with a new New Technology LAN Manager (NTLM) attack vector, and PrintNightmare attacked systems by way of the print queue, which is required by every machine that needs to print.

The administrator is quite helpless. With the multitude of attack options, they need a solution for every single attack. It would be far easier to prevent incoming communication from a client. If the door is closed (i.e., the firewall is enabled), the client terminates the contact as soon as it registers a communication attempt. The network needs segmentation, allowing for machines that can access the system for administrative tasks; this alone could help avoid mass risk and potential wildfire spread. The technology has existed since Windows XP SP2 – now it's time to use it.