Powershell Password Security Best Practices
With Windows Active Directory, a range of different account types can be set up with the necessary permissions, access, and roles. These include service accounts, which are intended for use when installing applications or services on the operating system. Common types of Active Directory service accounts include built-in local user accounts, domain user accounts, managed service accounts, and virtual accounts. These accounts have broader privileges and greater access to the infrastructure than other accounts, which makes them high-value targets for attackers.
In this article, I’ll set out best practices for keeping your service accounts secure as well as explain why the final and most important service accounts best practice is making sure you have a solution like Access Rights Manager to provide critical insights into your AD permissions.
How Active Directory Service Accounts Work
Each type of Active Directory service account has its own operational purpose.
- Built-in local user accounts include the System account (for local system administration), the Local Service account which accesses network services with no credentials, and the Network Service account which accesses network resources using the computer’s credentials.
- Domain user accounts are intended for use by services and are centrally managed by Active Directory. It’s possible to create a user account for a single service, or to share it across multiple services. However, with domain user accounts you are responsible for granting only the privileges the service requires and for resetting the password regularly yourself.
- Active Directory managed service accounts are similar to domain user accounts, but the password is reset regularly and automatically. With Active Directory managed service accounts, you can only assign one user account per computer, and each account can be used with multiple services on the computer. Alternatively, you can create separate accounts for each service.
The benefits of a managed service account include heightened security and ease of maintenance. Moreover, these accounts can run services on a computer with the possibility of connecting to network services as a specific user principal. However, it’s important to regularly audit these accounts, in addition to following Active Directory service account best practices to ensure security.
Active Directory Service Accounts Best Practices
- Keep access limited. Ensure you only allocate AD service accounts the minimum privileges they require for the tasks they need to carry out, and don’t give them any more access than is necessary. In many cases you can remove the functionality for remote access, terminal service login, internet access, and remote control rights.
- Create service accounts from scratch. Don’t create service accounts in Active Directory by copying old ones, as you might accidentally be copying from a service account with much higher privileges than you need. This could lead to security issues and account misuse if you give someone an account with access to resources or information they shouldn’t be privy to.
- Don’t put service accounts in built-in privileged groups. Putting service accounts in groups with built-in privileges can be risky, because each person in the group will have access to the service account’s credentials. If there’s account misuse, it can be hard to figure out who the offender is. If you need a service account for a privileged group, create a new group with the same privileges and allow access only to the service account.
- Disallow service account access to important objects. Use an access control list to protect sensitive files, folders, groups, or registry objects from misuse by AD Service Accounts. To disallow access, go into an object and open the “Properties” window to access security permissions, add an account to the “Permission Entry” list, and set the status to “Deny.” This will prevent the service account from accessing the object. If you need to give someone specific access to the object, you can add them, then switch them back to “Deny” later, when they’ve finished their task.
- Remove unnecessary rights. Denying nonessential user rights is helpful to keep security measures strong. This includes “deny access to this computer from the network,” “deny logon locally,” and “deny logon as a batch job.”
- Set access by using the “Log On To” feature. When you create a service account in Active Directory, you can allow it to only log on to certain machines to protect sensitive data. Open Active Directory Users and Computers, then “Properties.” In the “Account” tab, click the “Log On To” button and add the computers to the list of permitted devices the service account can log on to.
- Limit time frames. You can add extra security by configuring AD service accounts to be allowed to log on only at certain times of day.
- Control password configuration. You can set a service account so the user can’t change their own password. You can also set it so the account can’t be delegated to someone else. This ensures the administrator controls the password, and nobody other than authorized users has access to the account.
- Enable auditing. Be sure to enable auditing for all service accounts and related objects. Once auditing is enabled, regularly check the logs to see who’s using the accounts, when, and for what purposes. Auditing is one of the most important of the best practices: it helps ensure security, verifies internal processes and compliance measures are being followed, and can discover any issues or breaches before too much time passes.
- Implement access rights management software. Carefully managing your Active Directory service accounts is crucial to preventing misuse of broad access and privileges. An access rights management tool can be beneficial to ensure user accounts are set up and managed with appropriate permissions and access.
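The following PowerShell script is an added example, not code from the article or from SolarWinds; it applies several of the practices in the list above with the RSAT ActiveDirectory module. The domain (`corp.example`, NetBIOS `CORP`), the OU, the account name, the host names and the folder path are placeholders; the bit order assumed for the `logonHours` attribute is flagged in the comments and should be confirmed on a test account.

```powershell
# Added example (not the article's code). Assumes the RSAT ActiveDirectory module,
# a domain 'corp.example' (NetBIOS 'CORP') and the placeholder OU, hosts and paths below.
Import-Module ActiveDirectory

$svcName      = 'svc-reporting'                           # placeholder account name
$ou           = 'OU=Service Accounts,DC=corp,DC=example'  # placeholder OU
$allowedHosts = 'APP01,APP02'                             # "Log On To" list: comma-separated NetBIOS names
$deniedPath   = 'D:\Finance\Exports'                      # placeholder sensitive folder

# 1. Create the account from scratch rather than copying an existing one, so no
#    group memberships or rights come along by accident.
$initialPassword = Read-Host -Prompt "Initial password for $svcName" -AsSecureString
$newUser = @{
    Name                 = $svcName
    SamAccountName       = $svcName
    UserPrincipalName    = "$svcName@corp.example"
    Path                 = $ou
    AccountPassword      = $initialPassword
    Enabled              = $true
    CannotChangePassword = $true    # the administrator controls the password
    AccountNotDelegated  = $true    # "Account is sensitive and cannot be delegated"
    PasswordNeverExpires = $false
}
New-ADUser @newUser

# 2. "Log On To": restrict logon to the hosts that actually run the service.
Set-ADUser -Identity $svcName -LogonWorkstations $allowedHosts

# 3. Logon hours. The logonHours attribute is 21 bytes = 168 one-hour bits, starting
#    Sunday 00:00 and expressed in UTC. Assumption (verify on a test account before
#    rollout): within each byte the least significant bit is the earliest hour.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0=Sun..6=Sat; EndHour is exclusive
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour
            $index = [int][math]::Floor($bit / 8)
            $mask[$index] = [byte]($mask[$index] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask   # the leading comma keeps the byte[] from being unrolled
}
$weekdayHours = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 6 -EndHour 20
Set-ADUser -Identity $svcName -Replace @{ logonHours = $weekdayHours }

# 4. Deny the account access to a sensitive object with an explicit Deny ACE; a Deny
#    entry wins over any Allow the account might inherit through group membership.
$acl  = Get-Acl -Path $deniedPath
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "CORP\$svcName", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
)
$acl.AddAccessRule($deny)
Set-Acl -Path $deniedPath -AclObject $acl

# 5. Where the service supports it, prefer a group managed service account: AD rotates
#    the password itself (a KDS root key must already exist in the forest).
New-ADServiceAccount -Name 'svc-reporting-g' -DNSHostName 'svc-reporting-g.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$', 'APP02$'

# 6. Audit check: no service account should sit in a built-in privileged group.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -like 'svc-*' } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is a member of $group" }
}
```

Step 6 assumes service accounts follow an `svc-` naming convention; if yours do not, filter on the OU or on a description tag instead. The Deny ACE in step 4 can be removed later with `$acl.RemoveAccessRule($deny)` followed by another `Set-Acl` when a task genuinely requires temporary access.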
I recommend SolarWinds® Access Rights Manager (ARM), which is built to automate the account management process and reduce the time you need to spend provisioning. The software also includes detailed auditing and compliance monitoring tools to help you meet strict security compliance requirements, including policy- and industry-specific compliance regulations such as GDPR, PCI DSS, and HIPAA.
The auditing tools in ARM are simple and easy to use, and they allow you to quickly create auditor- and management-ready reports on account use as well as behavior to show adherence to important security processes.
Another solution worth checking out is Passportal. This is a password management solution created for MSPs that can also be used by large corporations and businesses of all types.
With Passportal, you get access to a centralized cloud-based platform for managing passwords. You can store as many passwords as you need, search for and change them at will, and configure the setup to meet your needs.
So if you need a way to manage your Active Directory credentials—or those of your clients—Passportal is a comprehensive solution. It’s designed to be secured as well, so you don’t need to worry about your passwords and other key data falling into the wrong hands.
Password change and password reset are terms that are often used interchangeably. However, they are not the same. A user will perform a password change when they remember their existing password, and a password reset when they have forgotten it.
The two use cases are inherently tied to an organization’s domain password policy, which traditionally encompasses password complexity, length, and change frequency requirements. With a sound policy in place, users will need to follow the composition requirements when changing or resetting their passwords.
But what makes a password policy secure? There is no shortage of regulatory and standards bodies that have weighed in on this very topic. This article looks at what can be achieved using the native Active Directory (AD) Group Policy settings, including key capabilities that increase password security while balancing the user experience.
Active Directory password expiration
Password Expiration can be configured using the Maximum Password Age setting within the Default Domain Policy in the Group Policy Management Console. The setting is applied to all domain computers and users.
Maximum password age dictates the number of days a password can be used before the user is forced to change it. The default value is 42 days, but IT admins can adjust it, or set passwords to never expire by setting the number of days to 0.
Windows password policy settings
Other Windows password policy settings include:
- Enforce password history determines the number of old/previously used passwords stored in AD to prevent users from using a previously used password. The default and maximum value is set to the previous 24 passwords.
- Minimum password age dictates how soon a user can change their password again after a password change. This prevents a user from defeating the password history rule by, for example, changing the password 24 times in a row to get back to a previous one. The default value is 1 day.
- Minimum password length enforces the character length of the password.
- Password must meet complexity requirements ensures that the password cannot contain the user’s account name or display/full name, and must include characters from three of the five categories: upper-case letters, lower-case letters, numbers, special characters, and Unicode characters.
- Store passwords using reversible encryption stores passwords in AD in a form that is equivalent to plaintext, which is highly insecure, but is sometimes needed by applications that require access to the actual password.
These settings are meant to increase password security but can have a negative effect on end users. Complex passwords are forgotten more often, so any time password complexity is introduced there will be an uptick in helpdesk password reset calls. According to the research firm Gartner, these can account for 30-40% of support costs.
To deflect password reset calls from the helpdesk, it is recommended that organizations implement passphrases, which are outside the scope of the native Active Directory settings. Passphrases are long passwords made up of unrelated words; they are harder to crack but easier for users to remember. In fact, the National Institute of Standards and Technology (NIST) recommends them, requiring that systems accept passwords of at least 64 characters; however, NIST also advises eliminating password expiration, as it can lead to users making poor password construction decisions.
Eliminating password expiry can leave an organization exposed indefinitely if an attacker has gotten hold of a user’s account. A better approach is to use length-based password aging. Combined with passphrases, this incentivizes users to create longer, stronger passwords by rewarding them with less frequent changes. Forced password changes will always cause users some disruption, but the features above can alleviate some of the frustration. Another important consideration is to display the password rules dynamically to users as they change their passwords. If there is too much guesswork involved, users will revert to calling the helpdesk.
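As an added example (not from the article or from Specops), the script below reads the Default Domain Policy settings discussed in this section with the RSAT ActiveDirectory module, flags the weak configurations (no expiry, zero minimum age, short history, reversible encryption, and the per-account exceptions that bypass the domain policy), and then applies a baseline. The domain name, the 14-character minimum length and the 90-day maximum age are assumptions to adapt; only the AD defaults quoted in the comments come from the text or from the product documentation.

```powershell
# Added example (not the article's code). Assumes the RSAT ActiveDirectory module and
# rights to edit the Default Domain Policy of the placeholder domain 'corp.example'.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    # Returns a list of findings; an empty list means none of the checks fired.
    param([string]$Domain = 'corp.example')
    $policy   = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    # "Never expires" (0 days in the GUI) appears as a zero or an enormous TimeSpan
    # depending on how it was set, so test for both.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.TotalDays -gt 3650) {
        $findings += 'Passwords never expire: a stolen credential stays valid indefinitely'
    }
    if ($policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'MinPasswordAge is 0: users can cycle through the history list in one sitting'
    }
    if ($policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount), below the maximum of 24"
    }
    if ($policy.MinPasswordLength -lt 14) {   # 14 is an assumed local baseline, not an AD default
        $findings += "MinPasswordLength is $($policy.MinPasswordLength), below the baseline of 14"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled domain-wide: stored passwords are recoverable as plaintext'
    }
    return $findings
}

Test-DomainPasswordPolicy | ForEach-Object { Write-Warning $_ }

# Per-account exceptions that bypass the domain policy. userAccountControl bit 0x80
# (128) is ENCRYPTED_TEXT_PWD_ALLOWED, i.e. "Store password using reversible encryption".
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    ForEach-Object { Write-Warning "$($_.SamAccountName) stores its password reversibly" }
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is exempt from password expiry" }

# Apply a baseline. The values below are assumptions to adapt to your own policy;
# the AD defaults are 42 days maximum age, 1 day minimum age and 24 remembered passwords.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false
```

Run the check function on its own first; the `Set-ADDefaultDomainPasswordPolicy` call changes the policy for every user in the domain, so it belongs in a change window. Length-based aging of the kind described above is not a native setting; the closest native mechanism is a fine-grained password policy (`New-ADFineGrainedPasswordPolicy`) applied to a group, which can carry a different maximum age but does not key it to the password length.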
Active Directory password reset
Even with the user-oriented features noted in the section above, password reset calls to the helpdesk will still occur. Active Directory password resets are most commonly performed using Active Directory Users and Computers, where a user’s password can be reset with just a few clicks. Other methods can be used as well; the Active Directory Administrative Center user interface and PowerShell are two examples.
A current gap within organizations is user identity verification – most rely on insecure methods, such as employee ID or security questions. In fact, password reset user verification is not mentioned in recommendations set forth by industry, or regulatory bodies, although it is a highly exploited attack vector. This is where proactive steps are necessary.
Given that password reset calls to the service desk make up a significant percentage of the support call load, organizations must look to a self-service password reset solution in order to reduce this cost and maximize security. The solution should support user verification methods that go beyond security questions: although widely used, answers to questions are cumbersome for users to recall, and security questions are recognized as an insecure form of authentication because they are susceptible to social engineering. More secure forms of authentication should be considered, especially ones that are already in use, to eliminate the need for users to enroll in the system while extending the ROI of existing assets.
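The script below is an added example, not the article’s or Specops’ code, showing the PowerShell route to a reset that the section mentions, written for a helpdesk workflow: the operator must state how the caller was verified before the reset runs, the temporary password is forced to change at next logon, and the action is recorded for audit. The verification method names and the log path are placeholders; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not the article's code). Assumes the RSAT ActiveDirectory module;
# the verification method names and the log path are placeholders.
Import-Module ActiveDirectory

function Reset-HelpdeskPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # The operator must state how the caller was verified; no value, no reset.
        [Parameter(Mandatory)] [ValidateSet('AuthenticatorPush', 'SmartCard', 'ManagerCallback')]
        [string] $VerificationMethod,
        [string] $LogPath = 'C:\Logs\password-resets.log'   # placeholder
    )
    $user      = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    $temporary = Read-Host -Prompt "Temporary password for $SamAccountName" -AsSecureString

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Reset password (caller verified by $VerificationMethod)")) {
        # -Reset sets a new password without knowing the old one: the "forgotten" case.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $temporary
        # The temporary value is known to the operator, so the user must replace it.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
        # Record who reset which account and how the caller was verified.
        $entry = '{0:u} operator={1} target={2} verification={3}' -f (Get-Date), $env:USERNAME, $SamAccountName, $VerificationMethod
        Add-Content -Path $LogPath -Value $entry
    }
}

function Set-OwnPassword {
    # A password *change*: the user knows the current password, so no -Reset is used
    # and AD verifies the old value itself.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $old = Read-Host -Prompt 'Current password' -AsSecureString
    $new = Read-Host -Prompt 'New password' -AsSecureString
    Set-ADAccountPassword -Identity $SamAccountName -OldPassword $old -NewPassword $new
}

# Dry run first; drop -WhatIf to perform the reset.
Reset-HelpdeskPassword -SamAccountName 'jdoe' -VerificationMethod AuthenticatorPush -WhatIf
```

The two functions mirror the change/reset distinction drawn earlier in the article: `Set-OwnPassword` fails if the current password is wrong, whereas `Reset-HelpdeskPassword` needs the reset-password right on the target object and therefore has to carry its own evidence of who was verified and how.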
Active Directory password reset and change best practices
Ultimately, there isn’t a one-size fits all approach. IT departments need to balance the user experience while maximizing security. When setting a secure password policy, consider following these password change/password reset best practices:
- Turn on password expiration with length-based password aging to promote secure password construction behavior while reducing risk.
- Secure all password reset scenarios at the helpdesk and self-service with more secure forms of authentication.
- Display password rules dynamically to users changing or resetting their passwords. Frustrated users will contact the helpdesk.
You can start balancing the scale today with Specops uReset, a self-service password reset solution facilitating Active Directory password resets and changes. Through a graphic password policy rule display, the solution reduces errors and guess-work for end-users. Its robust multi-factor authentication engine includes various forms of user-verification that can extend authentication security to the helpdesk.