Welcome back to our weekly blog post as we look at how to better secure your infrastructure. Last week, we discussed the use of password managers and multi-factor authentication (MFA). Those tools were meant to help with the problem of password reuse and password weaknesses. This week, we’re going to continue chipping away at these problems with additional layers of protection, including a password policy.
Policies are our foundation
Early on in my security days, I was introduced to policies, which, at the time, I thought were a waste of time. As I matured in the ways of infosec, however, I realized policies are the foundation of what we do. When you think about building a structure, we start with a strong foundation — otherwise, the structure will be unstable. Policies provide a strong foundation on which we build procedures that make up our infosec structure. Let’s take a look at a password policy and how it can help secure our infrastructures.
A password policy will define the rules an organization will follow as it relates to passwords. These rules should include the following, at a minimum:
- Password minimum length, complexity requirements, and rotation period.
- Passwords must be unique and not used anywhere else.
- Passwords should never be shared.
If you want to go a bit further, which I highly recommend, these points should also be covered in a password policy:
- The use of MFA on all public-facing services
- The use of an organization-level password manager for all passwords, such as subscriptions, network devices, systems, applications, etc.
- Consequences for not following the policy
Implementing policies and procedures
Once the policy is created and distributed to everyone in the organization, we can then use it to base our procedures off of and build out our secure password practices. This includes using Microsoft group policies (GPOs) to manage domain-level password requirements and rotations. Oh, but that’s not it: Let’s not forget about all those service accounts you have out there that you’ll need to address. Those will need to be manually changed periodically, or you can use a scripted approach (there are lots of examples for this online). But wait — there’s more! How about every workstation and non-domain controller that has a local administrator account? Are all of those local administrator accounts being rotated? Probably not, simply because it would be a huge workload. Don’t worry — we’re going to cover that hurdle in next week’s post.
If you already have an organizational password policy (maybe for compliance requirements), don’t forget to review these annually to make sure they’re still meeting the organization’s needs and are keeping up with best practice. If you don’t already have a password policy, what are you waiting for?
Looking for more tips on securing your infrastructure?
- Check for vulnerabilities in your infrastructure
- Patching your network devices
- The importance of local and cloud backups
- Dangers of obsolete user accounts
- Network awareness using ARPwatch