
ENSURING PASSWORD SECURITY AND FLEXIBILITY


Melber, Derek. "ENSURING PASSWORD SECURITY AND FLEXIBILITY." Internal Auditing 22.6 (2007): 41-3. ProQuest Central. Web. 28 Oct. 2014.


Abstract (summary)
As an internal auditor, not only should you be obeying the rules and regulations regarding information security, but also you should be evaluating whether or not the rules and regulations are secure in what they suggest. Every IT administrator, IT auditor, and executive knows the importance of making sure that passwords are secure. Passwords must be secured to a certain level to make a difference. In order to meet these requirements, solutions such as Windows 2008 or Specops Password Policy must be implemented, so that multiple passwords can be utilized in the same Microsoft Windows Active Directory domain. Once these solutions are in place, the only thing left to implement is end-user training, but with such solutions as passphrases instead of passwords, the training and end result is much more secure and now meets all security compliance requirements.

Full text
As an internal auditor, not only should you be obeying the rules and regulations regarding information security, but also you should be evaluating whether or not the rules and regulations are secure in what they suggest. This is important because most rules and regulations do not specify the exact level of security that must be met. For example, consider password policies for Windows. There are no specific regulations that say, "The passwords for a Windows Active Directory environment must be ten characters at a minimum." Instead, the regulations state that the passwords must be secure and changed often. What exactly is "secure"?
Measuring the security of passwords
When you evaluate security, there are many measuring sticks that you can use. You can use what those before you have deemed secure. You can use what others in the industry are using. You can also evaluate security based on risk and the likelihood of attack.
For passwords in a Windows environment, the first two options are not very reliable. Take for example what has been done historically. Up until just a few years ago, Microsoft did not even require that a password of any length be mandated in a corporate environment. Up to Windows Server 2003, operating systems allowed a blank password for corporate environments controlled by Microsoft Windows. The second measuring stick is also not that useful. Look around you: what is the standard today for password length? I see a lot of corporate security settings, talk with many network administrators, and help even more security auditors. I would put the average password length for most corporations today at six to eight characters. Is this secure? The answer is simply no. If you were to read articles written by information security experts, you would quickly find that an eight-, nine-, or even eleven-character password is not secure.
Therefore, you need to decide what "secure" really means. You also need to decide what "secure" is for each person in the environment. For example, does the employee who checks e-mail once a week, perhaps receiving only two e-mails a week, require the same level of security as the network administrator who controls every domain controller, the HR server database, and the Exchange server? I suggest the answer is no. However, how do you enforce these varying levels of security?
Determining security levels for passwords
With any Windows domain that is running Active Directory today (this would include Windows 2000 Server and Windows Server 2003), you are limited to only one password policy for that domain. This is very limiting because it breaks two of the premises that we have already discussed. First, an eight-character password would not suffice for an administrator or anyone who has access to critical, sensitive, or otherwise attractive data that an attacker would want to access. However, to force a fifteen-character password on an employee who rarely accesses secure data seems a bit excessive.
The solution is to allow somehow for some users to have standard-length passwords. This would generally fall into the six to eight characters that is standard today for most corporations. Typical users would receive this password restriction. Then, you would increase the password length requirement for such users as those in finance, HR, and executives. They might require passwords that must use fourteen characters, for example. Finally, there are those employees that deal with all data.
Implementing secure passwords
With all of this talk about implementing passwords, the big question is, how is a solution like this put into place? To get a solution that meets all of these criteria, you need to look at solutions outside of what is currently available from Microsoft. There are two solutions that immediately float to the top.
The first is to use a tool from Special Operations Software (Specops) called Specops Password Policy.1 This tool snaps directly into your existing Active Directory structure and provides you with immediate control over passwords. Not only can you control passwords to ensure they are very complex, as shown in Exhibit 1, but also you can make multiple password policies in the same domain. The interface is extremely simple, and the installation is even easier. There is not one Active Directory installation that should run without this tool installed.
The other solution, which is not quite on the market and does not work with our existing Active Directory installation like Specops does, is from Microsoft. This solution is to install and use Windows Server 2008 as a domain controller when it hits the market. Microsoft is finally incorporating support for multiple passwords in the same domain with the release of Windows Server 2008. The solution will require you to purchase Windows Server 2008, but you will probably be doing that anyway, at some point. The solution is already proven to work extremely well, so much so that there are already tools to help administrators support it.2
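The tiered approach described above, as an added example that is not from the article or from Specops: the Windows Server 2008 feature the author refers to is fine-grained password policies (PSOs), and the script below creates one PSO per tier using the article's lengths (8, 14 and 15 characters), binds each to a group, and then reports which policy each privileged account actually resolves to, which is the check an auditor wants. The group names are constructed placeholders, and the domain is assumed to be at Windows Server 2008 functional level with the ActiveDirectory module available.

```powershell
# Added example (not from the article): tiered fine-grained password policies (PSOs).
# Requires the ActiveDirectory module (RSAT) and a domain at Windows Server 2008
# functional level or higher. Group names below are constructed placeholders.
Import-Module ActiveDirectory

# Lower Precedence wins when a user belongs to several PSO-targeted groups,
# so the strictest tier gets the lowest number.
$tiers = @(
    @{ Name = 'PSO-Tier0-Admins';    Precedence = 10; MinLen = 15; Group = 'Tier0-Admins';     MaxAgeDays = 60 },
    @{ Name = 'PSO-Tier1-Sensitive'; Precedence = 20; MinLen = 14; Group = 'Finance-HR-Exec'; MaxAgeDays = 90 },
    @{ Name = 'PSO-Tier2-Standard';  Precedence = 30; MinLen = 8;  Group = 'Domain Users';    MaxAgeDays = 90 }
)

foreach ($t in $tiers) {
    # Idempotent: only create the PSO if it does not already exist.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($t.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
            -MinPasswordLength $t.MinLen -ComplexityEnabled $true `
            -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days $t.MaxAgeDays) `
            -MinPasswordAge (New-TimeSpan -Days 1) -LockoutThreshold 10 `
            -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    }
    # PSOs bind to users and global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
}

# Audit check: the resultant policy for each member of the most sensitive group.
# A user with no applicable PSO falls back to the Default Domain Policy.
Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength = if ($pso) { $pso.MinPasswordLength } `
                        else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
        }
    } | Format-Table -AutoSize
```

Any admin in the report whose Policy column reads "Default Domain Policy" is a gap in the tiering: the account is not a member of a group the PSO targets.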

Conclusion
Every IT administrator, IT auditor, and executive knows the importance of making sure that passwords are secure. With the majority of attacks coming from within the company walls, the main push for security must first come on servers and desktops in the company. Every security-related regulation mirrors this concept, but not one of them is perfectly clear as to the level of security that needs to be implemented. If instead of looking at the letter of the regulation, you look at the risk and the security threat (in this case, weak or inappropriate passwords), a solution is very clear. Passwords must be secured to a certain level to make a difference. In order to meet these requirements, solutions such as Windows 2008 or Specops Password Policy must be implemented, so that multiple passwords can be utilized in the same Microsoft Windows Active Directory domain.
Once these solutions are in place, the only thing left to implement is end-user training, but with such solutions as passphrases instead of passwords,3 the training and end result is much more secure and now meets all security compliance requirements.
Sidebar
MICROSOFT IS FINALLY INCORPORATING SUPPORT FOR MULTIPLE PASSWORDS IN THE SAME DOMAIN WITH THE RELEASE OF WINDOWS SERVER 2008.
Footnote
DEREK MELBER, MCSE, MVP, CISM, is the Director of Compliance Solutions for DesktopStandard. He has written the only books on auditing Windows security available from the IIA's online bookstore (www.theiia.org), and also wrote Microsoft Windows Group Policy Guide for MSPress, which is the only book Microsoft has issued regarding Group Policy. If you have a question for Mr. Melber, you can contact him at derekm@desktopstandard.com.
NOTES
1 A free trial of Password Policy is available for download at www.specopssoft.com/products/specopspasswordpolicy.
2 For more on how Windows Server 2008 will support multiple passwords, see Derek Melber, "Longhorn Poised to Provide Multiple Domain Passwords," WindowsSecurity.com (April 5, 2007), available online at www.windowsecurity.com/articles/Longhorn-Poised-Provide-Multiple-Domain-Passwords.html (accessed November 2007).
3 For a discussion of passphrases, see Derek Melber, "Protect Against Weak Authentication Protocols and Passwords," WindowsSecurity.com (October 28, 2004), available online at www.windowsecurity.com/articles/Protect-Weak-Authenticat-Protocols-Passwords.html (accessed November 2007).
Copyright Thomson Professional and Regulatory Services, Inc. Nov/Dec 2007

Indexing (details)
Subject: Passwords; Windows operating system; Internal auditors; Compliance
Location: United States--US
Classification: 9190: United States; 5140: Security management; 5220: Information technology management; 4130: Auditing
Title: ENSURING PASSWORD SECURITY AND FLEXIBILITY
Author: Melber, Derek
Publication title: Internal Auditing
Volume: 22
Issue: 6
Pages: 41-43
Publication year: 2007
Publication date: Nov/Dec 2007
Section: WINDOWS AUDIT UPDATE
Publisher: Thomson Professional and Regulatory Services, Inc.
Place of publication: Boston
Country of publication: United States
Publication subject: Business And Economics--Accounting
ISSN: 08970378
Source type: Trade Journals
Language of publication: English
Document type: Feature
Document feature: Illustrations
ProQuest document ID: 214386574
Document URL: http://www.liberty.edu:2048/login?url=http://search.proquest.com/docview/214386574?accountid=12085
Last updated: 2013-10-17
Database: ProQuest Central
