How to Crush a Weasel with Server 2008 Fine-Grained Passwords
Being a Windows Systems Administrator is a lot like being an Army Ranger.
They’re highly skilled and highly trained. You’re highly skilled and highly trained. They have to maintain tight security. You have to maintain tight security. They do more before 9:00 am than most people do all day. You read more email before 9:00 am than most people do all day. They crush the enemies of America. You crush the mouthy thirteen year-olds who are so annoying in World of Warcraft.
Ah, yes, the life of a systems administrator can be exciting and fun. But, there can be burdens. Your burden is Red.
Red is the Head Engineering Research Ombudsman. He’s savvy and clever.
If Red were in prison, he’d be the guy who could get you things. He is also a weasel. You realized just how big of a weasel when you were updating his title for the third year in a row.
Two years ago, he got his title changed from Engineering Research Manager to Engineering Research Ombudsman. This year, he had them add on that he was the head of the department.
You figured that you would just use the acronym. But, after seeing it, you pounded the delete key and used the whole title instead.
Just What You Don’t Need … Another HERO
Red doesn’t like messing around with passwords, but as the company H.E.R.O., he has certain duties that require administrative level access. (For crying out loud! Who started abbreviating his title?)
At security training you emphasized how important password security is because of the admin access and told him to change his password every 30 days.
When you reviewed the security logs, you noticed that not only did he not change his password every 30 days, but when the domain policy forced him to change his password after 90 days, he kept changing it every few minutes until he could go back to his original password! (The domain had no minimum password age, so nothing stopped him from burning through the whole password history in one sitting.)
Well, Army Rangers don’t let Russians cross over into Alaska, and you don’t let HEROs get away with password shenanigans. (Seriously, who started abbreviating? It doesn’t even have the periods anymore!)
You changed the domain password policy so that a password can only be changed twice a day (a minimum password age of 12 hours), and you raised the password history to 24, which is as high as Group Policy lets you go.
“Hah! Would you like a little Kryptonite with that password change Mr. HERO?” (Arrggghh! Now, you’re even doing it.)
But, there is still a problem.
You need Red to change his password every 30 days, not every 90 days like everyone else. Well, you’ll fix his little red wagon; all you have to do is change his password expiration to … Noooooooo!
Before Server 2008, you could only set the password requirements at the domain level. You can’t possibly justify creating another domain just for Red, and there is no way that management will let you change the whole domain’s password expiration to 30 days (they whine about 90!)
You can look at the security logs every 30 days and send email, but you don’t want to go adding more tasks to your 60 hour work week. So, all you can do is use your most sinister voice and shake your fist at the administration screen, “To the last, I will grapple with thee.”
There are uninspired feature names, and there are poor feature names. This one is both.
If you were using the Windows Server 2008 beta, you first heard it called Granular Passwords. That was a terrible name: a word most non-scientists don’t really use, and not all that descriptive anyway.
So, someone at Microsoft decided to change it. Like a rapper to a rhyming dictionary, whoever is in charge of naming things grabbed the Thesaurus his 7th Grade English teacher gave him and found, “fine-grained.” Yeah, that’s much better.
With Fine-Grained Password Policies (fine, call them Fine-Grained Passwords), Windows Server 2008 finally offers something administrators have been asking for since the early days of Active Directory: a way to single out individuals or small groups for different password and lockout settings than everyone else.
It makes sense if you think about it. Traditionally, there are three classifications of passwords.
The first is normal users. The second are those with administrative access. The more admin access, the more stringent you want their password requirements to be. The third are service accounts which you want to set up with ridiculously long random passwords that rarely expire.
However, you could only set password attributes at the domain level, so you just had to pick one. Not any more.
Setting Fine-Grained Passwords
Fine-grained passwords require a domain functional level of Windows Server 2008. That means every domain controller in the domain has to be running Server 2008, and you also have to actually raise the functional level; upgrading the DCs alone isn’t enough.
You also have to be a domain admin to create password settings objects unless the right has been specifically delegated on the Password Settings Container.
Fine-grained passwords can only be applied to individual users or global security groups. You cannot apply them to OUs. Instead, create a shadow group that contains the same users and apply the policy to it. Just make sure you remember to move users in and out of the shadow group when they change OUs; nothing does it for you.
To create and assign fine-grained passwords you use the adsiedit.msc tool. It isn’t pretty.
Basically, you right-click ADSI Edit in the left-hand pane, choose Connect To, and accept the Default naming context (or type the domain name in). Then expand the domain node (DC=…), CN=System, and select CN=Password Settings Container. Right-click it and create a new object of class msDS-PasswordSettings.
When you click Next, the wizard walks you through the mandatory attributes, starting with the precedence value. This value is used when more than one policy ends up applying to a user: the LOWER precedence value wins. (Two caveats: a policy linked directly to the user always beats one linked to a group, whatever the precedence, and if two policies tie, the one with the lowest objectGUID wins, which is to say you should never let them tie.) Then fill in the values you want for the remaining attributes.
To crush that weasel Red, choose a long msDS-PasswordHistoryLength (up to 1024), an msDS-MinimumPasswordAge (ADSI Edit lets you type durations as DAYS:HOURS:MINUTES:SECONDS), and a 30-day msDS-MaximumPasswordAge.
Set the history length to 1024 and, with two changes a day, it will be about a year and a half (512 days) before he can re-use a password. If you want to be a weasel back, you can even set his msDS-LockoutThreshold lower than everyone else’s (Just one wrong try before lock out? Heh, heh, heh.) Just remember that a threshold of one also means anyone who knows his user name can lock him out with a single bad password, so keep the weaselling within reason.
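Here is the same policy built as an LDIF file for ldifde.exe instead of clicked through ADSI Edit. This is an added example, not from the original article and not Microsoft’s code; the domain DC=example,DC=local, the PSO name PSO-HERO and Red’s distinguished name are made up, and it needs PowerShell 2.0 or later. It also shows what ADSI Edit’s DAYS:HOURS:MINUTES:SECONDS prompt is hiding: every age and lockout duration in a PSO is stored as a negative count of 100-nanosecond intervals, the same encoding the domain’s own maxPwdAge uses.

```powershell
# Added example (not from the article): build a Password Settings Object (PSO)
# as an LDIF file that ldifde.exe can import. Domain, PSO name and Red's DN are
# hypothetical; adjust them to your own forest.

function ConvertTo-PsoInterval {
    # msDS-*Age and msDS-Lockout* attributes hold a 64-bit NEGATIVE count of
    # 100-nanosecond intervals. [TimeSpan].Ticks is already in 100 ns units.
    param([Parameter(Mandatory=$true)][TimeSpan]$Span)
    return -1 * $Span.Ticks
}

function New-PsoLdif {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$DomainDN,
        [Parameter(Mandatory=$true)][int]$Precedence,     # LOWER wins when several PSOs apply
        [Parameter(Mandatory=$true)][TimeSpan]$MaxAge,
        [Parameter(Mandatory=$true)][TimeSpan]$MinAge,
        [Parameter(Mandatory=$true)][int]$HistoryLength,  # 0..1024 (domain GPO stops at 24)
        [int]$MinLength = 12,
        [int]$LockoutThreshold = 5,                       # 0 = never lock out
        [TimeSpan]$LockoutWindow = [TimeSpan]::FromMinutes(30),
        [TimeSpan]$LockoutDuration = [TimeSpan]::FromMinutes(30),
        [Parameter(Mandatory=$true)][string[]]$AppliesTo  # DNs of users or global security groups only
    )
    if ($HistoryLength -lt 0 -or $HistoryLength -gt 1024) {
        throw "msDS-PasswordHistoryLength must be between 0 and 1024"
    }
    if ($MinAge -ge $MaxAge) {
        throw "Minimum password age must be shorter than maximum password age"
    }

    # All ten of these attributes are mandatory when the object is created;
    # leaving one out makes the import fail with a schema violation.
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDN"
        "changetype: add"
        "objectClass: msDS-PasswordSettings"
        "msDS-PasswordSettingsPrecedence: $Precedence"
        "msDS-PasswordReversibleEncryptionEnabled: FALSE"
        "msDS-PasswordHistoryLength: $HistoryLength"
        "msDS-PasswordComplexityEnabled: TRUE"
        "msDS-MinimumPasswordLength: $MinLength"
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinAge)"
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxAge)"
        "msDS-LockoutThreshold: $LockoutThreshold"
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)"
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)"
    )
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n") + "`r`n"
}

# Red's policy: 30-day expiry, at most two changes a day, 200 remembered
# passwords, and a lockout threshold tighter than the domain's.
$ldif = New-PsoLdif -Name "PSO-HERO" -DomainDN "DC=example,DC=local" -Precedence 10 `
    -MaxAge ([TimeSpan]::FromDays(30)) -MinAge ([TimeSpan]::FromHours(12)) `
    -HistoryLength 200 -LockoutThreshold 3 `
    -AppliesTo @("CN=Red,OU=Engineering,DC=example,DC=local")

$ldif | Set-Content -Path .\pso-hero.ldf -Encoding ASCII

# On a domain controller, as a domain admin (or with delegated rights on the
# Password Settings Container):
#   ldifde -i -f pso-hero.ldf
# Then confirm which PSO actually wins for Red:
#   dsget user "CN=Red,OU=Engineering,DC=example,DC=local" -effectivepso
```

A 30-day maximum age comes out as msDS-MaximumPasswordAge: -25920000000000 and the 12-hour minimum as -432000000000; if you ever see a positive value in one of these attributes, the PSO is not doing what you think it is. The dsget check matters because of the precedence rules above: a user-linked PSO beats a group-linked one regardless of the number you picked.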
Don’t even mess with the tools Microsoft included to manage fine-grained password policies.
You can count on updated tools in a service pack or resource kit in the future. (Windows Server 2008 R2 did add Active Directory module cmdlets for this, New-ADFineGrainedPasswordPolicy and Add-ADFineGrainedPasswordPolicySubject.) For now, head on over to PowerGUI.org. They have a collection of open-source tools built on PowerShell, including a much better GUI for setting and managing fine-grained passwords.
Just search for fine-grained passwords, and you are off.
Congratulations, you are once again the master. Now, you can get back to bringing justice to WoW.
But first, you need to figure out why your parking pass isn’t working anymore. Who handles that anyway?
Let’s see … oh, no! It’s Red.