At nFront Security, we believe that providing tips and checklists is a great way for IT Administrators to find out whether an important security measure has slipped their mind. There is a famous quote that reads: “Rename your ‘To-Do’ list to your ‘Opportunities’ list.” – Steve Maraboli
Here are a few opportunities for you to review at your earliest convenience. If you are a victim of one of these “Top 3 Mistakes,” take it as an opportunity to fix it!
Having One Password Policy
Microsoft provides the functionality to have fine-grained password policies, which are the ability to have multiple password policies within a single domain. At a minimum, we recommend customers have three password policies within their domain. The first is for privileged accounts. This password policy needs to be of the highest security, since your domain administrators and employees with a broad range of access on your network will be following it. The second password policy covers all remaining employees, and the third password policy is for service accounts. Please keep in mind that all password policies for users on your domain need to be secure, and we always recommend a minimum of 15 characters to avoid the threat of rainbow tables (read more here).
Having Weak Password Policies
Having weak password policies goes hand-in-hand with the first common mistake of IT Administrators. Weak password policies mean weak passwords on your network. Unfortunately, if you are relying on Microsoft’s Password Complexity requirements, you do have a weak password policy (read more here). With Microsoft Password Complexity, you are not able to avoid the threat of rainbow tables or prevent your employees from choosing a password like “Password1” or “Summer2017.” Using a Windows password filter, like the nFront Password Filter, will ensure that weak passwords are not allowed on your network.
Not Disabling Dormant Accounts
This is a commonly overlooked problem on company networks. An employee is terminated and the account remains active until someone in your IT Department disables it. Unfortunately, this process is often not automated. These dormant accounts pose a huge threat to companies, as the account’s password remains the same. They are an attractive target for hackers, since the hacker can go unnoticed for weeks or even months. We recommend using a tool like the nFront AD Disabler. nFront AD Disabler can automatically disable inactive and dormant accounts within your Windows Active Directory for any account that has not been logged on in three weeks. The tool determines the true last logon time for all Active Directory accounts. In other words, it scans across all domain controllers to get the correct last logon time for each user, because the lastLogon attribute is not replicated and each domain controller only knows about the logons it handled itself.
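The cross-domain-controller scan described above, written as an added example rather than nFront AD Disabler's own code. It assumes the RSAT ActiveDirectory PowerShell module, read access to every domain controller, and the post's three-week cutoff; the `$disable` switch and the `-WhatIf` guard are this example's own conventions.

```powershell
# Added example, not nFront's code: report enabled accounts whose true last
# logon is older than three weeks by consulting every domain controller.
# lastLogon is not replicated, so each DC holds only the logons it serviced;
# lastLogonTimestamp is replicated but only refreshed every 9-14 days, which
# is too coarse for a 21-day cutoff. Assumes the ActiveDirectory module and
# read access to all DCs; the disable step is off by default.
Import-Module ActiveDirectory

$cutoff  = (Get-Date).AddDays(-21)      # three weeks, as in the post
$disable = $false                       # set $true to act on the report
$dcs     = Get-ADDomainController -Filter *

# Freshest lastLogon per user, taken as the maximum across all DCs.
$lastSeen = @{}
foreach ($dc in $dcs) {
    $users = Get-ADUser -Server $dc.HostName -Filter "Enabled -eq 'True'" `
                        -Properties lastLogon, whenCreated
    foreach ($u in $users) {
        # lastLogon is a FILETIME; 0 means this DC never saw the user log on.
        # Fall back to whenCreated so brand-new accounts are not flagged.
        $t = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $u.whenCreated }
        $name = $u.SamAccountName
        if (-not $lastSeen.ContainsKey($name) -or $t -gt $lastSeen[$name]) {
            $lastSeen[$name] = $t
        }
    }
}

$dormant = $lastSeen.GetEnumerator() |
           Where-Object { $_.Value -lt $cutoff } |
           Sort-Object Value

# Report first; disabling is reversible, but the list still deserves a review.
$dormant | ForEach-Object {
    [PSCustomObject]@{
        Account   = $_.Key
        LastLogon = $_.Value
        DaysIdle  = [int]((Get-Date) - $_.Value).TotalDays
    }
} | Format-Table -AutoSize

if ($disable) {
    foreach ($d in $dormant) {
        # -WhatIf prints the change without applying it; drop it once reviewed.
        Disable-ADAccount -Identity $d.Key -WhatIf
    }
}
```

Service accounts that only run as scheduled tasks or services still update lastLogon on the DC that authenticated them, so they are handled by the same scan; accounts that authenticate only via NTLM against a read-only DC may need that DC's value forwarded to a writable one before it is visible here.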