
Implementation Guidelines

Network security is always a balance between ensuring the safety of valued assets from potential threats and keeping those same assets reasonably accessible to the employees who need to work with them. By its very nature, any process that increases security also increases the effort needed to work in that new environment. If you add more locks to a door, it is more secure but also takes more keys and more time to open.

Implementing strong password policy with Password Bouncer will directly impact your users and the people who support them:

Users are going to want to know why the simple, easy-to-remember passwords they want to select are no longer accepted.

Users and support personnel need to be notified of new password rules well in advance of their implementation.

Avatier developed this guideline for implementing Password Bouncer on an existing network. This will ensure a smooth transition for the end user, from the less secure passwords they may have been using, to the more secure policies that can be implemented.

  1. Confirm that the Domain Controllers on which Password Bouncer will be installed meet the minimum hardware and software levels as outlined in the technical requirements document.

  2. Password Bouncer will impose your strong password policies on any user provisioning tools and scripts. Refer to the README file for more information.

  3. Follow the installation procedure for Password Bouncer to install it on every Domain Controller in the domain or Active Directory you wish to protect with Password Bouncer.

  4. After installation is complete start the Password Bouncer management console and verify that all the options mirror your existing password policy as follows:

    a. Password length minimum and maximum set to match existing NT setting

    b. Mixed case is unchecked

    c. Special character placement is unchecked

    d. Numerical character placement is unchecked

    e. Reject Palindromes is unchecked

    f. Reject passwords with repeating sequences is unchecked

    g. Reject password contained in the Dictionaries is unchecked

    h. Etc. so that everything is unchecked.

  5. Operate Password Bouncer in this configuration for at least one full week to verify that there are no conflicts with existing applications or processes on the network. Password Bouncer will continue to check each password as it is changed and allow all those that meet the open policy. The end users should not see any change in their experience.

  6. IMPORTANT: Notify the end user community of any changes in the password policy prior to implementing those changes.

  7. IMPORTANT: Notify your helpdesk and support staff of any changes in password policy prior to implementing those changes. Also train your staff in how to resolve end user calls regarding the new password policies being implemented.

  8. Develop a password security standard that is reasonable for the environment under your management. Be sure to consider rules regarding service accounts and non-expiring passwords (e.g. executive management). Document this policy and store that document in a secure location.

  9. Decide on a phased approach to implementing each of the aspects of your new password policy.

    a. Decide which password rule or group of rules you want to activate first. Do not choose too many to implement at once as it will be too difficult for the end users to assimilate.

    b. Notify the end users and help desk when the new policy will go into effect and that it will only affect them when they need to change their password, upon expiration or when reset by the help desk.

    c. Notification by multiple means is suggested, e.g. email, hard copy memo, posting on a secure internal site, or a mention in conjunction with other actions (such as reminding the helpdesk to inform end users during routine helpdesk calls).

    d. Then roll out the new password rule and monitor the reaction from the user community and the support staff. Consider metrics that will help you manage and adjust how well you are educating and communicating your password policy to your end users.

  10. Once the first set of new policies is accepted by the user community, additional tightening can be implemented using the same phased approach until the complete password security policy is in place.

  11. Implementing Password Bouncer smoothly over a period of time is the best way to ensure that the user community comes to accept the heightened security without causing a backlash.

  12. The added security of your enhanced password policy is not fully realized until all NT/2000 user and service account passwords are reset.

    Eventually it will become second nature for your users to choose highly secure passwords for their Windows NT/2000 accounts and you will be able to rest assured that you have at least barred that door.
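A small model of steps 4 through 10, added here as an illustration (it is not Avatier's code and not Password Bouncer's rule engine): it starts from the all-unchecked baseline and measures how many candidate passwords each tightening phase would reject, which is one metric for step 9d. The field names, length limits, word list, sample passwords and the interpretation of "repeating sequences" are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical field names modelling options listed in step 4.
    min_len: int = 6    # placeholder; set to match the existing NT setting (4a)
    max_len: int = 14   # placeholder; set to match the existing NT setting (4a)
    mixed_case: bool = False
    reject_palindromes: bool = False
    reject_repeats: bool = False
    reject_dictionary: bool = False

DICTIONARY = {"password", "welcome", "summer"}  # constructed sample word list

def violations(pw: str, p: Policy) -> list[str]:
    """Return the names of the enabled rules that pw breaks."""
    out = []
    if not p.min_len <= len(pw) <= p.max_len:
        out.append("length")
    if p.mixed_case and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        out.append("mixed_case")
    if p.reject_palindromes and pw.lower() == pw.lower()[::-1]:
        out.append("palindrome")
    # Assumed meaning of "repeating sequences": 2+ characters repeated back to back.
    if p.reject_repeats and re.search(r"(.{2,})\1", pw):
        out.append("repeat")
    if p.reject_dictionary and any(w in pw.lower() for w in DICTIONARY):
        out.append("dictionary")
    return out

# Phase 0 is the all-unchecked baseline of steps 4-5; later phases tighten (steps 9-10).
PHASES = [
    Policy(),
    Policy(reject_dictionary=True),
    Policy(reject_dictionary=True, mixed_case=True,
           reject_palindromes=True, reject_repeats=True),
]

def rejection_rates(passwords, phases=PHASES):
    """Fraction of candidate passwords each phase would reject."""
    return [sum(bool(violations(pw, p)) for pw in passwords) / len(passwords)
            for p in phases]

# Constructed sample passwords, for illustration only.
SAMPLE = ["summer2008", "abcabc99", "racecar", "Tr0ub4dor&3", "Welcome1", "xK9mQ2vL"]

if __name__ == "__main__":
    for n, rate in enumerate(rejection_rates(SAMPLE)):
        print(f"phase {n}: {rate:.0%} of sample rejected")
```

A sharp jump in the rejection rate between two phases suggests that phase bundles too many rules for users to absorb at once, the situation step 9a advises against.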


 Copyright © 1995-2008 Avatier Corporation. All rights reserved.
 All other trademarks or registered trademarks are owned by their respective holders.