nFront vs AD Password Policies

  • Last Post 17 February 2016
Anthony.Vandenbossche posted this 17 February 2016

Hi All,

A customer recently asked me to provide a quote for nFront Password Filter, a password policy enforcement application for Active Directory Domain Services (works through GPO). While reading through the capabilities of the product I found that it only offers a few extra capabilities in comparison with Fine-grained Password Policies, like end-user feedback at logon and more complexity options. Example below:

http://nfrontsecurity.com/products/nfront-password-filter/images/xp-client1.jpg

Does anybody have any experience with this product? Is it worth installing it, while Fine-grained Password Policies provide nearly the same features? Any idea about pricing?

Note: one of nFront's selling points is that they support up to 6 password policies (depending on licensing level). Since DFL 2008, with Fine-grained Password Policies, you can make any number of policies.

Thanks in advance!

Mvg,

Anthony Van den bossche
System Engineer
Anthony.Vandenbossche@xxxxxxxxxxxxxxxx

Direct +32 (0)2 801 54 59

This e-mail message and any attachment are intended for the sole use of the recipient(s) named above and may contain information which is confidential and/or protected by intellectual property rights. Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. If you have received this e-mail in error, please notify the sender either by telephone (+32 2 801 55 55) or by e-mail and delete the material from any computer. Please note that neither RealDolmen nor the sender accept any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. RealDolmen is nor responsible for the correct and complete transfer of the contents of the sent e-mail, neither for the receipt on due time.


a-ko posted this 17 February 2016

There is some value in tools like this, but keep in mind the security implications of adding additional password workflows. We're well aware of the issues with Windows password/credential storage. These problems (such as NT hashing / LM hash) are well-documented. Any additional tools could potentially add additional vulnerabilities even if the "management" of the password policy is seen as a bonus.

With that in mind, there is value when trying to make passwords more randomized and harder to attack. Windows' policy is essentially "Your name can't be involved", "You must have a capital letter/number/special character", and then the associated password length that you've configured. There are necessities beyond that to make the passwords harder to attack. Things like avoiding common phrases, dictionary words, or linguistic characteristics that otherwise make passwords "predictable" and reduce the attack space necessary to guess.

Assume, for example, an attacker grabs the local user's NTLM hash. In some scenarios you can use this NTLM hash to either "Pass the Hash" across the environment, or in some cases gain Silver Tickets (Pass the Ticket) to spoof the user to obtain a Kerberos ticket. This is especially possible with RC4 Kerberos tickets (and downgrades to this level). Most environments probably can't disable RC4 Kerberos on the DCs (KDCs), so this is a problem you'll have to live with for a while.

That said, say you've implemented policies to avoid all these issues (PtH and Silver Tickets), great for you! But the complexity of the user's password now matters. Because if they can attack the NTLM hash, then PtH doesn't really matter—since now they actually have the user's credential. I don't have a good link on me to a presentation about this, but I attended a presentation in Washington DC last year regarding a vendor who writes tools to do this.

My personal opinion on the priority on whether this provides value is as follows:

- Get rid of Windows XP.
- Go through your network and eliminate or reduce Pass-the-Hash attacks as much as possible.
  - Move to Windows 10. With the right hardware (TPM, VT-x) it can provide significant security of in-memory credentials, as lsass functions are moved to a protected VM.
- Disable storing of LM hashes (default on Windows Vista and above, but you may want to enforce this via GPO to make sure).
- Use a strong password length requirement. At least 16-20 characters. Get users into the habit of using passphrases.
  - This massively increases the keyspace to search for brute-force type attacks. This is far more secure than requiring additional characters.
    - Think of it like your ATM PIN. Digit count is 4, keyspace is 10. 10^4 = 10,000 combinations.
    - But a digit count of 10, with a keyspace of 4 = 4^10 = 1,048,576 combinations.
    - So using ONLY the numbers 1-4, but requiring you to have a 10-digit PIN, is more secure than using 10 numbers but only requiring a 4-digit PIN.
- Use Kerberos as much as possible on your network. Eliminate or significantly reduce where NTLM is accepted.
- For elevated credentials (Domain Admins, Server Admins, etc.) consider using Smart Cards.
  - With 2012 R2 DCs at 2012 R2 functional level, use the "Protected Users" security group for these accounts. Requires Kerberos. Extra protections in these OSes provide additional Kerberos protection (Armoring, Claims, etc.).
    - Requires the implementation of a PKI system for your environment.

So in short—tools like this, while they can be useful—there are most likely much larger fish to fry to help protect "passwords" in the environment than such a tool. And the resources are better spent on those protections, with this being added later if needed.

-Mike Cramer
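The keyspace comparison in the post above, as an added example that is not part of the thread: a small PowerShell script that generalises Mike's ATM-PIN arithmetic to the password shapes the thread discusses (short complex password vs. long lowercase passphrase). The guess rate used for the "years to exhaust" column is an assumed placeholder, not a figure from the thread, and the policy shapes are constructed for illustration.

```powershell
# Added example, not from the thread. Pure arithmetic; runs on Windows PowerShell 5.1 or pwsh.
# Compares exhaustive-search keyspaces for different password shapes, extending the
# ATM-PIN comparison (10^4 vs 4^10) to common policy shapes.

function Get-KeyspaceBits {
    param(
        [Parameter(Mandatory)][int]$Length,
        [Parameter(Mandatory)][int]$AlphabetSize
    )
    # Equivalent to log2(AlphabetSize^Length); avoids overflow for long passphrases.
    return $Length * [math]::Log($AlphabetSize, 2)
}

function Get-BruteForceEstimate {
    param(
        [Parameter(Mandatory)][int]$Length,
        [Parameter(Mandatory)][int]$AlphabetSize,
        # ASSUMED placeholder rate for an offline attack on a fast hash; adjust to your threat model.
        [double]$GuessesPerSecond = 1e11
    )
    $combos = [math]::Pow($AlphabetSize, $Length)
    [pscustomobject]@{
        Length       = $Length
        Alphabet     = $AlphabetSize
        Combinations = $combos
        Bits         = [math]::Round((Get-KeyspaceBits -Length $Length -AlphabetSize $AlphabetSize), 1)
        # Worst case for the attacker: the whole space has to be searched. 31557600 s = 1 Julian year.
        YearsToExhaust = [math]::Round($combos / $GuessesPerSecond / 31557600, 4)
    }
}

# The two PIN cases from the post: 4 digits from 10 symbols vs 10 digits from 4 symbols.
Get-BruteForceEstimate -Length 4  -AlphabetSize 10   # 10,000 combinations
Get-BruteForceEstimate -Length 10 -AlphabetSize 4    # 1,048,576 combinations

# Constructed policy shapes: "complex" means upper/lower/digit/symbol (~95 printable ASCII),
# "passphrase" means lowercase letters plus space (27 symbols).
$shapes = @(
    @{ Length = 8;  AlphabetSize = 95 }   # typical 8-char complexity-only policy
    @{ Length = 12; AlphabetSize = 95 }
    @{ Length = 16; AlphabetSize = 27 }   # 16-char lowercase passphrase
    @{ Length = 20; AlphabetSize = 27 }   # 20-char lowercase passphrase
)
$shapes | ForEach-Object { Get-BruteForceEstimate @_ } | Format-Table -AutoSize
```

The table makes the post's point visible: the 16-character lowercase passphrase already has a larger keyspace (about 76 bits) than the 12-character fully complex password (about 79 bits is only reached at 12 of 95 symbols), and 20 lowercase characters (about 95 bits) beat both. The caveat a practitioner should keep in mind is that these are exhaustive-search numbers for uniformly random choices; human-chosen passwords cluster into predictable structures, so the effective search space is smaller, which is exactly why the thread recommends passphrases rather than character-class rules.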


Anthony.Vandenbossche posted this 17 February 2016

Hi Mike,

Thanks for the prompt response! I agree with you that there are many other, more important, security measures that need to be taken. As a consultant I work on a variety of Windows-based environments and I actively try to "tighten the screws", such as no low-level OS clients (only W7 and later), Kerberos use, Protected Users, LDAPS etc.

I also share your vision on the need of such a tool. It might be useful, but I think that the built-in tools are more appropriate for the job.

Many thanks.

Mvg,

Anthony Van den bossche
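As an added example (not code from the thread or from either poster) of doing the job with the built-in tools Anthony prefers: a PowerShell script that creates a fine-grained password policy built around length rather than extra character rules, resolves which PSO actually applies to a user, checks the LM-hash storage setting Mike mentions, and reports privileged accounts that are not in Protected Users. It assumes the RSAT ActiveDirectory module, a 2008 or later domain functional level for FGPP and 2012 R2 for Protected Users; the policy name, group names, user name and the 16-character minimum are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and
# sufficient rights. Run the registry check on each DC, since LM hash storage in AD
# is governed by the DC's own Lsa setting.
Import-Module ActiveDirectory

$policyName  = 'PSO-Passphrase-Standard'   # ASSUMED name
$targetGroup = 'Domain Users'              # ASSUMED scope; narrow it per environment

# 1. Fine-grained password policy: length is the primary control (16+ characters,
#    as recommended in the thread); the remaining values are ordinary defaults.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 100 `
        -MinPasswordLength 16 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup
}

# Lowest precedence number wins when several PSOs apply, which is easy to get wrong;
# check the resultant policy for a representative user ('jdoe' is a placeholder).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled

# 2. "Do not store LAN Manager hash value on next password change" (GPO) maps to the
#    NoLMHash value; default on Vista+/2008+, but verify rather than assume.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) {
    Write-Warning "NoLMHash is not enforced on $env:COMPUTERNAME; enforce it via GPO."
}

# 3. Protected Users: list Domain Admins that are not yet members. Membership also
#    blocks NTLM and RC4-only Kerberos for those accounts, so verify Kerberos paths first.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
    Select-Object SamAccountName |
    Sort-Object SamAccountName
```

Two things worth checking before rolling this out: a PSO only takes effect on the next password change, so a longer minimum does not retroactively fix existing short passwords, and adding an account to Protected Users changes its authentication behaviour (no NTLM, no RC4, shorter ticket lifetime), so test with one service-free admin account before moving the whole group.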

kurtbuff posted this 17 February 2016

Statistics will crack your password:
https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure
Don't know if the product you're asking about will help with this or not.
My basic thought has long been that length trumps complexity - passphrases longer than 16 characters (and preferably longer than 20) in the form of simple sentences (with proper spaces, casing and punctuation) are relatively easy to remember and type.
Kurt