June 2015 SysAdmin Magazine

State of IT Changes Survey Results + Infographic
Tips for a Better Password Security Policy
Data Governance: The Key to Compliance
Basic Rules of Windows Server Security
How-to: Detecting Password Changes in Active Directory
Ways to a Better Password Management

Contents

Nine Steps to a Better Password Management, by Richard Muniz ........ 3
Why You Need to Ensure Administrators Change Passwords Regularly, by Orin Thomas ........ 5
How to Store and Retrieve Passwords Securely with PowerShell, by Adam Bertram ........ 7
3 Ways to Protect the Keys to Your Kingdom - Domain Administrator Credentials, by Russell Smith ........ 11
State of IT Changes Survey 2015: Documenting and Auditing ........ 13
Data Governance: The Key to Compliance, by Deb Shinder ........ 16
Internet Usage Policy against Inappropriate Content, by Richard Muniz ........ 18
How to Detect Password Changes in Active Directory ........ 20

Nine Steps to a Better Password Management
by Richard Muniz
20+ years in the IT industry, a practicing systems administrator and a teacher

Passwords remind me a bit of the Coyote. Not the one that chases the Road Runner, but the one that lives in my native South-West and howls at the moon. No matter how hard humans have tried to get rid of it, it hangs in there, and in most cases, even manages to gain ground back. Why do I compare passwords to the Coyote? For years now they've been saying it was heading for extinction and here we are, years later, it's still hanging in there. Somehow, I suspect they'll be with us for a long time to come. And as long as we still have them out there, people will continue to abuse them.

I suppose I don't need to point much further than a video floating around the Internet of an employee being interviewed on French TV5 Monde and right on the background, taped to the wall, is a list of passwords (and you thought you had it rough with people taping them under their keyboard). And after years and years, the most popular password out there is still "Password".

We can try and try: by GPO implementation and talking to people. But all we end up with is the realization that we might be able to build a fool-proof system, but we can't build a damn-fool-proof system. And we'll still see people making passwords that match someone's birthday or address and taping them in a place for the world to see.

Why? People are weak. We have so many passwords that keeping track of them is difficult. We write them down, and we paste them under the keyboard, and we continue to be our own worst enemy.

How do we fix it? Well, the answer is in this little story. Years ago I encountered a very dynamic preacher, and we got to talking. I asked him how it was that people changed, and he rocked back a bit, narrowed his eyes, and said, "Son, if you want to take an old bone away from a dog without getting bit, you'd better offer him a steak in its place."

We want to take their piece of paper away and have them play nice. Problem is that unless we give them secure tools to keep the passwords, they'll continue to use their post-it notes, and keep putting them under their keyboards.

Strangely, there are tons of password management tools out there that will help us. We call them password managers and a simple internet search will give you at least a dozen, just on the first try. Some cost money, others are free. Some are meant for a single user on one system; others are network based and can serve hundreds of users. Some you might already have and not even know it (a lot of cloud services provide this as part of the service).

What do you look for in a password manager?

1. Supported platforms
It can be the best manager in the world, but if it only runs on Linux and you're a Windows house, it isn't going to do you much good. Also, how you access it is important. Is it compatible with IE and Firefox, or does it just work with Chrome?

2. Storage capability
The idea behind a password vault is to provide your users with a nice, encrypted site to stash their passwords away in. But it's also a great place to put important documents, notes, and so forth. I know some folks who keep scans of their social security cards and passports. While it's not a substitute for full disk encryption, it is better than just leaving them out in the open.

3. Recording of usernames and passwords for certain sites
A nice feature, and possibly one that can bite you, but one that might endear itself to your users.

4. Storing certain kinds of passwords
Some will only play nice with Active Directory, some will let you record almost anything into them.

5. Reminding questions
Everyone forgets things, and we still need something to allow them to access the vault in case they forget, or at least reset the password, or give them a reminder.

6. Password generators
For users, it's a waste. For service accounts: priceless.

7. Dual authentication
A card token and a password: great. A password and a question: slightly better than useless.

8. Self-securing
While I'm sure these folks always double check their house door when they leave in the morning, they won't hesitate to leave a site open. Since this has everything and then some, we might want it to close after a certain amount of time.

9. Manageable
Letting folks choose their own tools is OK, but then you end up supporting something you might know nothing about. An enterprise-based managing tool is best, and it also levels the playing field for everyone.

Want to read more articles like this? Subscribe to our blog: blog.netwrix.com

Why You Need to Ensure Administrators Change Passwords Regularly
by Orin Thomas
20+ years in the IT industry; MVP, MCT and other Microsoft MCSE and MCITP certifications. Authored 30+ books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.

The first time I really felt like I was a system administrator was when the Unix systems administrator in the IT unit I worked for at an Australian University went on leave for three months. During this time I was responsible for all of the servers that he had managed, which included all minor departmental servers, not just the scattered ones I looked after, as well as the important faculty level servers. Although I'd been responsible for a couple of minor departmental servers before then, this was the first time I really worked without a safety net as, without this guy around, there was no one within reach who could help me out if something went wrong.

When he was performing the handoff, I noticed something interesting. The administrator and root accounts for all the servers he was responsible for used exactly the same password. The root account password for the faculty web server (a DEC Alpha running UNIX) was the same as the password for the Administrator account in the faculty Windows NT 4 domain. I knew that the process was questionable even if it did make the handoff very simple.

After the administrator returned from his trip, he didn't change passwords on any of the systems. When I left that position a year later, the servers all still had the same password. This was definitely a case where convenience triumphed over good security practice.

"People change passwords because they have to, not because they have any deep appreciation of the arguments about password security."

It's no news to anyone that people hate the process of updating their passwords and that people hate having separate passwords for separate services and systems. Ordinary users don't have much choice when it comes to having to update their passwords because they can't

Regularly changing administrator account passwords is even more important than regularly changing unprivileged user account passwords. If an attacker gets the password of an administrative assistant, there is only a certain amount of mischief that they can perpetrate. If an attacker gets the password of a systems administrator, the entire organization's infrastructure is at risk. Administrator passwords need to be subject to more stringent security requirements because the consequences if these accounts are compromised are much greater.

It's vital for organizations to perform regular checks to ensure that system administrators are updating their passwords on a regular basis. If these checks aren't performed, there is little reason to believe that system administrators will do the right thing of their own accord. A system should be in place where notifications are raised each time a privileged account password is not updated after a certain period of time. This allows you to be sure that the passwords are being updated on a regular basis. Luckily, there are good free tools for that, which are easy to install and help streamline security.

With Windows Server, it's possible to run a query against Active Directory to determine which accounts are configured so that the associated password never expires.
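The Active Directory query the article mentions, as an added example that is not part of the magazine's text: it lists enabled users whose password never expires and, going one step further, checks members of the built-in privileged groups for passwords older than an assumed 90-day threshold, which is the kind of check the article says should raise a notification. The group names and the threshold are assumptions; the script needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module
# (RSAT) and a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

$MaxAgeDays = 90                                  # assumed policy threshold
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# 1. Accounts flagged so the password never expires (the query the article describes).
$NeverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled }
"Enabled accounts with a non-expiring password: $($NeverExpires.Count)"
$NeverExpires | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 2. Privileged accounts: resolve built-in admin groups recursively (group list is an assumption).
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$PrivUsers  = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
}
$PrivUsers = $PrivUsers | Sort-Object -Property distinguishedName -Unique

# 3. Flag privileged accounts whose password is stale or never expires.
#    PasswordLastSet is $null when pwdLastSet is 0 (must change at next logon); treat that as stale.
$Report = foreach ($u in $PrivUsers) {
    $acct = Get-ADUser -Identity $u.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    if (-not $acct.Enabled) { continue }
    $stale = ($null -eq $acct.PasswordLastSet) -or ($acct.PasswordLastSet -lt $Cutoff)
    if ($stale -or $acct.PasswordNeverExpires) {
        [pscustomobject]@{
            SamAccountName       = $acct.SamAccountName
            PasswordLastSet      = $acct.PasswordLastSet
            PasswordNeverExpires = $acct.PasswordNeverExpires
            DaysSinceChange      = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }
        }
    }
}

"Privileged accounts needing attention (older than $MaxAgeDays days or never expiring):"
$Report | Sort-Object DaysSinceChange -Descending | Format-Table -AutoSize
```

Run it on a schedule and mail or log the `$Report` output to get the periodic notification the article calls for.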