Let's face it, passwords are everywhere. And in this episode, I want to talk about password security. Now look, I'm not going to get into a big discussion over what are good passwords; you should know that stuff by now. Although personally, I'm going to put in my own opinion, as opposed to all this talk about upper and lowercase and numbers and exclamation points and all that stuff: I am of the newer, I think cooler, ilk that likes to type in very, very long passwords, long sentences that make it easier for me to memorize passwords and make them harder to crack. But that's not what we're covering today.
Today, we are covering the issue of password security. Now, passwords are all over the place. Not only are we logging into our operating systems, we could be logging into servers over the internet. We could be doing all kinds of little things: I've got an SSH server that I need to log into, whatever it might be. The complexity and the mess that is passwords makes it very, very hard to keep them secure. Now, the one place we're going to start is we're going to establish a good security policy, a nice written security policy on passwords that tells people what we expect them to do. And we're going to give them good training, so they can keep this in mind whenever they're dealing with passwords. At an absolute minimum, there are three things I want people to be thinking about when we're talking about our password policies. Number one is complexity.
What do we want people to do in terms of the complexity of that password, and that includes password length. Number two is expiration or age. How often do I want to make people punch in a new password? Does it last 90 days, 30 days, or forever? And then number three is password history, which pretty much goes with expiration and age. In that case, what we're talking about is, if I'm making people change passwords every so often, how many passwords do I remember, so that the user can't just keep swapping back and forth between, say, two different passwords.
So even with good policies and all that, it can still be a big challenge. In particular, how do I enforce that? How do I make my users throughout my infrastructure do the right thing when it comes to passwords? Well, luckily for us, there are a few places where we can do that. And probably one of the best examples is Windows local security policy. Now, I'm going to be doing this within Windows, but pretty much every operating system has some type of policy feature like this.
So just because I'm doing this in Windows, don't go thinking you can't do this in a Linux or Unix environment or on a Mac or whatever else you might want to do. So let's go ahead and get started, and let's take a look at our local security policy. So here is the famous local security policy that's been with Windows since, well, I don't even know how long it's been around; it's been around a long time. And we can do a lot of stuff in here other than just work with passwords, but I want to concentrate on that for right now. So when we go underneath account policies here, you'll see it says password policy.
So first of all, it'll have a maximum password age. Here it's 180 days, which means I'm going to change my password every 180 days. There's a minimum password age, which on this system is zero days, meaning I could change my password every day if I wanted to. Next is going to be the minimum password length. So it's going to say, well, we have to have at least seven characters. Then there's "password must meet complexity requirements." These requirements are actually defined by Windows, which means uppercase, lowercase, numerics, special characters, that type of thing.
And then up at the top here is enforce password history. So basically, if we have a maximum password age, which means people are going to have to change their password, it's going to remember the last 24 passwords, which in my opinion is probably the best possible way you could ever think of to have all of your users constantly calling your administrators because they can't remember passwords. However, be that as it may, make sure you understand how these work. Now, the last one is store passwords using reversible encryption: you can, if you want to, store passwords in such a way that they could be cracked more easily. And that's really all that means.
It is not an option that I'm aware of anybody wanting to use, but it is there. Now let's move down here to account lockout policy. Now, we've all logged into Windows, forgotten our password, and then it kind of stalls for a minute. That's not what I'm talking about here. In this case, we're talking about a real lockout. So if we take a look at how this one's currently set up, here it says account lockout threshold, which is five invalid attempts.
Now, after five attempts, if you mess up, you have an account lockout duration, which is 30 minutes. So get it wrong and you're going to be sitting around for 30 minutes. Again, a really, really good way to have people constantly calling your administrators; 30 minutes seems like an awfully long time to me personally. The third and last option here is reset account lockout counter after. It's a little bit complex. What we're talking about is this: we've got five strikes, and you're out. So you log in once, you got it wrong; you log in twice, you got it wrong. Now you're going to stop, because you're trying to figure out what your password is. So you're checking something or calling somebody.
This option says how long we wait before we set your attempts back to zero. So in this case, this particular one is set to 30 minutes. And again, a little bit long, but at least we understand what all these different terms mean. So the cool part about local security policies is that they allow us to give really tight control over anybody who does anything on this system. And again, pretty much every operating system has a feature set similar to this. The downside is, what if I'm in control of a whole bunch of computers? Isn't there some magic way that I can go ahead and say, all of you computers must meet all of these requirements and do this type of stuff?
And there most certainly is something like that, in particular if you're using Windows Active Directory: it's called group policy objects. To see group policy objects working, I've got a copy of Windows Server 2016 that I pulled down from Microsoft. So let's go from our Server Manager. And if you scroll through here, you can actually see a little tool called Group Policy Management. Now, Group Policy Management is pretty much identical to what you saw with your local security policies on individual systems, with one big difference. With group policy objects, we can apply these too, if we want to; we can apply them to entire domains, we can apply them to different sites, we can apply them to groups, we can make our own organizational units. So if I want to make something that's like all the accountants in Dallas who use laser printers, I can apply group policy objects even to stuff like that. So the real power of this is that I can apply it in a very granular way. Now keep in mind, you've got to have a copy of Windows Server to pull this off, and you have to have an Active Directory. So if you've got all that in mind, let me show you some of the fun we can do. So right now I've got this fun little domain called totaltest.local.
So if we look under my domain, you'll see here's totaltest.local. Now, I have a default domain policy that's actually put in there by Windows during the installation process. So what I'm going to do is click on Edit, and I can actually edit what the policies are for anybody who logs into the domain. So I go under here, then I go into Windows settings.
And you'll see security settings right here. And when you look at this, hopefully you're going to see something that looks really familiar. First of all, account policies. Does that look familiar? Password policy, account lockout policy. Let's open that up. We'll click on password policy.
There it is: enforce password history, maximum password age, minimum age, everything we saw before in the local security policy. And even under lockout policy, we have duration, threshold, and the reset account lockout counter after. So your group policy objects are pretty much identical to what we saw with our local security policy, with one big difference: they can work across an entire Active Directory. Now keep in mind, you have to have Windows Server and be running Active Directory to take advantage of group policy objects, but it works great.
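As an added example, not part of the lecture or its demo, the script below reads the same password and lockout settings discussed above (for the local security policy) from the machine with secedit and compares them with a baseline. The baseline values are the ones shown on the lecture's local security policy screen; it assumes an elevated PowerShell prompt, and the file path and hash table names are my own.

```powershell
# Added example: audit the local password/lockout policy against a baseline.
# Assumes an elevated PowerShell session (secedit /export needs admin rights).
# Baseline numbers are the ones shown in the lecture's Local Security Policy.
$Baseline = @{
    MaximumPasswordAge    = 180  # days
    MinimumPasswordAge    = 0    # days
    MinimumPasswordLength = 7    # characters
    PasswordComplexity    = 1    # 1 = "must meet complexity requirements"
    PasswordHistorySize   = 24   # "enforce password history"
    ClearTextPassword     = 0    # 0 = reversible encryption off
    LockoutBadCount       = 5    # account lockout threshold
    LockoutDuration       = 30   # minutes
    ResetLockoutCount     = 30   # minutes
}

# Export the effective local security policy to a temporary .inf file.
$Inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $Inf /quiet | Out-Null

# Parse the [System Access] section; lines look like "MinimumPasswordLength = 7".
# Note: -1 means "never" for MaximumPasswordAge and "until an admin unlocks"
# for LockoutDuration, and the two lockout timers are absent when the
# threshold is 0, so missing keys are reported as "not set".
$Current = @{}
$InSection = $false
foreach ($Line in Get-Content $Inf) {
    if ($Line -match '^\[(.+)\]$') { $InSection = ($Matches[1] -eq 'System Access'); continue }
    if ($InSection -and $Line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $Inf -ErrorAction SilentlyContinue

# Report each setting next to the baseline so drift is obvious at a glance.
foreach ($Key in ($Baseline.Keys | Sort-Object)) {
    $Value  = if ($Current.ContainsKey($Key)) { $Current[$Key] } else { 'not set' }
    $Status = if ("$Value" -eq "$($Baseline[$Key])") { 'OK' } else { 'DIFFERS' }
    '{0,-22} current={1,-8} baseline={2,-5} {3}' -f $Key, $Value, $Baseline[$Key], $Status
}
```

On a domain-joined system the Default Domain Policy GPO overrides these local values, and the same nine settings can be read with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module instead of secedit.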
Now, there are a lot of options out there other than Microsoft Windows Active Directory group policy objects, wonderful third-party tools. Some of them are a little pricey, but they have the same power and granularity. However, for the exam, it seems that the only one they know about is good old Windows group policy objects.