Fine Grained Password Policies (FGPP): Why you will accidentally lock everyone out
11 slides, 496.01 KB

Fine Grained Password Policies (FGPP): Why you will accidentally lock everyone out
Oliver Morton
[email protected]
@grimhacker

Domain Accounts Policy
Consists of a Password Policy and a Lockout Policy (as shown by "net accounts"):
- Minimum Password Age (days)
- Maximum Password Age (days)
- Minimum Password Length
- Length of Password History Maintained
- Lockout threshold
- Lockout duration (minutes)
- Lockout observation window (minutes)
Also:
- Password Stored in Reversible Encryption
- Password Complexity Enabled

Recovering the Accounts Policy
Over a NULL session or with credentials:
- Windows API (a variety of tools available): Nettynum, Dumpsec, Rpcclient, Enum4linux, Nbtenum, Net accounts
- LDAP: Ldp.exe

Interpreting the pwdProperties Attribute
A 32-bit number accessible on the base of the domain after binding with LDAP. It is a bitmask of the following flags:
- DOMAIN_PASSWORD_COMPLEX: 1
- DOMAIN_PASSWORD_NO_ANON_CHANGE
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE
- DOMAIN_LOCKOUT_ADMINS
- DOMAIN_PASSWORD_STORE_CLEARTEXT: 16
- DOMAIN_REFUSE_PASSWORD_CHANGE: 32
Tool: pwdproperties.py
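The following is an added example, not the pwdproperties.py script from the talk: it decodes the domain accounts policy from the attributes on the base of the domain (the values you get back over LDAP with ldp.exe or any LDAP client) into the same view "net accounts" gives, and breaks the pwdProperties bitmask into flag names. The slide lists the values 1, 16 and 32; the remaining values 2, 4 and 8 are taken from the MS-SAMR DOMAIN_PASSWORD_INFORMATION definition. The sample base-object values at the bottom are constructed, not captured from a real domain.

```python
# Added example (not the pwdproperties.py script from the talk): decode the
# domain accounts policy from the attributes on the base of the domain.
from typing import Dict, List, Optional, Union

Raw = Union[int, str, bytes]

# pwdProperties flags. The slide gives 1, 16 and 32; the values 2, 4 and 8
# come from the MS-SAMR DOMAIN_PASSWORD_INFORMATION definition.
PWD_PROPERTIES: Dict[int, str] = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# AD stores the most negative int64 as "never" in its duration attributes
# (maxPwdAge that never expires, lockoutDuration until an administrator unlocks).
NEVER = -(2**63)


def _to_int(value: Raw) -> int:
    # LDAP clients return ints, decimal strings or bytes depending on the library.
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return int(value)


def decode_pwd_properties(value: Raw) -> List[str]:
    """Names of the flags set in pwdProperties; unknown bits are reported too."""
    number = _to_int(value)
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError("pwdProperties is a 32-bit unsigned value")
    names = [name for bit, name in PWD_PROPERTIES.items() if number & bit]
    unknown = number & ~sum(PWD_PROPERTIES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def interval_to_minutes(value: Raw) -> Optional[float]:
    """Convert an AD duration (a negative count of 100-nanosecond ticks) to
    minutes. Returns None for 'never'."""
    ticks = _to_int(value)
    if ticks == NEVER:
        return None
    return abs(ticks) / 10_000_000 / 60


def _days(value: Raw) -> Optional[float]:
    minutes = interval_to_minutes(value)
    return None if minutes is None else minutes / 1440


def domain_accounts_policy(base: Dict[str, Raw]) -> Dict[str, object]:
    """Build the 'net accounts' view from the domain base object's attributes."""
    flags = decode_pwd_properties(base["pwdProperties"])
    return {
        "min_password_age_days": _days(base["minPwdAge"]),
        "max_password_age_days": _days(base["maxPwdAge"]),
        "min_password_length": _to_int(base["minPwdLength"]),
        "password_history_length": _to_int(base["pwdHistoryLength"]),
        "lockout_threshold": _to_int(base["lockoutThreshold"]),
        "lockout_duration_minutes": interval_to_minutes(base["lockoutDuration"]),
        "lockout_observation_window_minutes": interval_to_minutes(base["lockOutObservationWindow"]),
        "reversible_encryption": "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags,
        "complexity_enabled": "DOMAIN_PASSWORD_COMPLEX" in flags,
        "pwd_properties_flags": flags,
    }


# Constructed sample of what a base search might return (decimal strings).
SAMPLE_BASE: Dict[str, Raw] = {
    "minPwdAge": "-864000000000",        # 1 day
    "maxPwdAge": "-36288000000000",      # 42 days
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "lockoutThreshold": "0",             # no lockout at the domain level
    "lockoutDuration": "-18000000000",   # 30 minutes
    "lockOutObservationWindow": "-18000000000",
    "pwdProperties": "1",                # DOMAIN_PASSWORD_COMPLEX only
}

if __name__ == "__main__":
    for key, value in domain_accounts_policy(SAMPLE_BASE).items():
        print(f"{key}: {value}")
```

Note that the domain-level figures this produces are only the baseline: a lockout threshold of 0 here says nothing about what a PSO applied to the user will enforce, which is the point of the later slides.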

Demo: Using ldp.exe and pwdproperties.py

The brand new *cough* 2008 *cough* fine grained password policy!
- Represented in Password Settings Objects (PSOs) under the System container.
- Domain Functional Level must be 2008 or higher; PSOs can be created before this but will not be enforced.
- Settings from multiple PSOs cannot be merged.
- PSOs can be associated to users directly or via a group.
- msDS-PSOAppliesTo holds the list of objects that the PSO applies to.
- msDS-PSOApplied holds the list of PSOs on a group.
- Every PSO has a precedence between 1 and 2,147,483,646, stored in msDS-PasswordSettingsPrecedence; the lowest wins a conflict.
- A PSO directly applied to a user wins over one applied to a group.

PSO Attributes (attribute: description)
- cn: The name of the PSO
- msDS-PasswordSettingsPrecedence: The order of precedence of the PSO in the event that multiple PSOs apply to a user
- msDS-PasswordReversibleEncryptionEnabled: Toggles storing the password with reversible encryption
- msDS-PasswordHistoryLength: The number of previous passwords stored in Active Directory
- msDS-PasswordComplexityEnabled: Toggles password complexity checking
- msDS-MinimumPasswordLength: The minimum length of the password
- msDS-MinimumPasswordAge: The minimum interval before the password can be reset
- msDS-MaximumPasswordAge: The maximum age of the password before it must be reset
- msDS-LockoutThreshold: The number of failed login attempts necessary to trigger a lockout
- msDS-LockoutDuration: The number of minutes to lock the account out
- msDS-LockoutObservationWindow: The time window during which the lockout threshold is maintained

Finding the Resultant PSO
- Use LDAP to find which PSOs exist and manually verify which wins.
- psomgr -effective username
- Active Directory Administration Center (ADAC)

Demo: Ldp.exe to show PSOs

Why should I care?
- Locking out accounts
- Inefficient dictionary attacks
- CESG Guidelines for End User Devices

Group Policy Value(s) from the CESG guidance:

CN=System > CN=Password Settings Container > CN=Granular Password Settings Users
- Precedence: 2
- Enforce minimum password length: 9 characters
- Password must meet complexity requirements: Enabled
- Enforce lockout policy: 5 attempts
- Account will be locked out: Until an administrator manually unlocks the account
- Directly Applies To: Domain Users

CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators
- Precedence: 1
- Enforce minimum password length: 14 characters
- Password must meet complexity requirements: Enabled
- Enforce lockout policy: 5 attempts
- Account will be locked out: Until an administrator manually unlocks the account
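As an added example (not psomgr, ADAC, or any code from the talk), the script below applies the resolution rules from the "Finding the Resultant PSO" and PSO precedence slides to the two CESG PSOs above: a PSO linked directly to the user beats any PSO linked through a group, and among the remaining candidates the lowest msDS-PasswordSettingsPrecedence wins. It then reports the effective lockout threshold so that an audit of a user population can be checked against the policy that will actually be enforced, rather than the one "net accounts" shows. The example DNs, the default domain policy values and the Administrators PSO's link target (Domain Admins, which the slide does not state) are constructed assumptions; the objectGUID tie-break for equal precedence is Microsoft's documented rule and is included for completeness.

```python
# Added example (not psomgr, ADAC or code from the talk): resolve the
# resultant PSO for a user and report its lockout budget.
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class PSO:
    cn: str
    precedence: int                    # msDS-PasswordSettingsPrecedence (1..2147483646)
    applies_to: frozenset              # msDS-PSOAppliesTo: DNs of users and groups
    min_password_length: int           # msDS-MinimumPasswordLength
    lockout_threshold: int             # msDS-LockoutThreshold, 0 = never lock out
    lockout_until_admin_unlocks: bool  # msDS-LockoutDuration "until an administrator unlocks"
    object_guid: str = ""              # used only to break a precedence tie


# Constructed DNs. The Administrators PSO's link target is not on the slide;
# Domain Admins is assumed here.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=local"

# The two PSOs from the CESG guidance on the slide.
CESG_PSOS = [
    PSO("Granular Password Settings Users", 2, frozenset({DOMAIN_USERS}), 9, 5, True),
    PSO("Granular Password Settings Administrators", 1, frozenset({DOMAIN_ADMINS}), 14, 5, True),
]

# What "net accounts" reports when no PSO applies. Constructed: a domain with
# no lockout at the domain level, exactly the case where a PSO-enforced
# lockout surprises you. The precedence is a sentinel outside the PSO range
# and is never compared against a real PSO.
DEFAULT_DOMAIN_POLICY = PSO("Default Domain Policy", 2_147_483_647, frozenset(), 7, 0, False)


def resultant_pso(user_dn: str, member_of: Iterable[str], psos: Iterable[PSO]) -> PSO:
    """Rules from the slides: a PSO linked directly to the user beats any PSO
    linked through a group; among the remaining candidates the lowest
    msDS-PasswordSettingsPrecedence wins. Equal precedence is broken by the
    lowest objectGUID (Microsoft's documented tie-break). Nested group
    membership is not expanded here: pass the user's full group list."""
    psos = list(psos)
    groups = set(member_of)
    direct = [p for p in psos if user_dn in p.applies_to]
    via_group = [p for p in psos if p.applies_to & groups]
    candidates = direct or via_group
    if not candidates:
        return DEFAULT_DOMAIN_POLICY
    return min(candidates, key=lambda p: (p.precedence, p.object_guid))


def lockout_budget(user_dn: str, member_of: Iterable[str], psos: Iterable[PSO]) -> Dict[str, object]:
    """Effective lockout figures for one account. 'safe_failures' is the number
    of failed logons inside one observation window that will not lock the
    account; None means the resultant policy never locks out."""
    pso = resultant_pso(user_dn, member_of, psos)
    threshold = pso.lockout_threshold
    return {
        "policy": pso.cn,
        "lockout_threshold": threshold,
        "safe_failures": None if threshold == 0 else threshold - 1,
        "until_admin_unlocks": pso.lockout_until_admin_unlocks,
    }


if __name__ == "__main__":
    alice = "CN=alice,CN=Users,DC=example,DC=local"   # constructed user
    for groups in ([], [DOMAIN_USERS], [DOMAIN_USERS, DOMAIN_ADMINS]):
        print(groups, lockout_budget(alice, groups, CESG_PSOS))
```

Run against the CESG PSOs, a member of Domain Users alone gets the Users PSO (threshold 5), a member of both groups gets the Administrators PSO because precedence 1 beats 2, and a user with no PSO falls back to the domain policy, which in this constructed domain never locks out. Checking this per user before any authorised password audit is what keeps the talk's title from coming true.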

Questions?
Oliver Morton
[email protected]
@grimhacker