WEBVTT

00:01.210 --> 00:01.950
Let's face it.

00:01.960 --> 00:03.390
Passwords are everywhere.

00:03.400 --> 00:06.970
And in this episode I want to talk about password security.

00:06.970 --> 00:10.830
Now look I'm not going to get into a big discussion over what are good passwords.

00:10.960 --> 00:15.040
You should know that stuff by now, although personally I'm going to put in my own opinion, as opposed

00:15.040 --> 00:20.800
to all this talk about upper and lower case, numbers and exclamation points and all that stuff.

00:20.980 --> 00:26.890
I am of the new, more, I think, cool ilk that likes to type in very, very long passwords, long sentences

00:27.190 --> 00:28.690
that allow me to.

00:28.690 --> 00:32.370
It makes it easier for me to memorize passwords and it makes them harder to crack.

00:32.380 --> 00:35.100
But that's not what we're covering today.

00:35.110 --> 00:39.140
Today we are covering the issue of password security now.

00:39.160 --> 00:40.540
Passwords are all over the place.

00:40.540 --> 00:46.900
Not only are we logging into our operating systems we could be logging into servers over the Internet.

00:46.990 --> 00:52.330
We could be doing all kinds of little things. I've got an SSH server that I need to log into, whatever

00:52.330 --> 00:54.120
it might be.

00:54.130 --> 01:00.110
The complexity and the mess that is passwords makes it very very hard to keep them secure.

01:00.130 --> 01:06.910
Now the one place we're going to start is we're going to establish a good security policy, a nice written

01:06.910 --> 01:12.100
security policy on passwords that tells people what we expect them to do, and we're going to give them

01:12.100 --> 01:18.000
good training so they can keep this in mind whenever they are dealing with passwords. At an absolute minimum

01:18.010 --> 01:23.730
there are three things I want people to be thinking about when we're talking about our password policies.

01:23.740 --> 01:29.560
Number one is complexity. What do we want people to do in terms of the complexity of that password?

01:29.560 --> 01:31.780
And that includes password length.

01:31.780 --> 01:34.540
Number two is expiration or age.

01:34.540 --> 01:40.360
How often do I want to make people punch in a new password? Does it last 90 days, 30 days, does it last

01:40.360 --> 01:41.100
forever?

01:41.470 --> 01:46.350
And then number three is password history, which pretty much goes with expiration and age.

01:46.360 --> 01:52.030
In that case what we're talking about is, if I'm making people change passwords every so often, how many

01:52.030 --> 01:59.230
passwords do I remember so that the user can't just keep swapping back and forth between, say, two different

01:59.230 --> 02:00.250
passwords.

02:00.250 --> 02:05.620
So even with good policies and all that, it can still be a big challenge.

02:05.740 --> 02:11.950
In particular, how do I enforce that? How do I make my users throughout my infrastructure do the right

02:11.950 --> 02:13.660
thing when it comes to passwords?

02:13.660 --> 02:19.420
Well, luckily for us there are a few places where we can do that, and probably one of the best examples

02:19.720 --> 02:22.750
is Windows Local Security Policy.

02:22.990 --> 02:27.640
Now, I'm going to be doing this within Windows, but pretty much every operating system has some type of policy

02:27.640 --> 02:28.910
feature like this.

02:28.960 --> 02:34.030
So just because I'm doing this in Windows, don't go thinking you can't do this in a Linux/Unix environment

02:34.030 --> 02:36.210
or on a Mac or whatever else you might want to do.

02:36.250 --> 02:45.020
So let's go get started and take a look at our Local Security Policy.

02:45.050 --> 02:50.570
So here is the famous Local Security Policy that's been with Windows since, well, I don't even know how

02:50.570 --> 02:51.230
long it's been around.

02:51.230 --> 02:52.740
It's been around a long time.

02:52.820 --> 02:56.610
Now we can do a lot of stuff in here other than just working with passwords.

02:56.660 --> 02:58.920
But I want to concentrate on that for right now.

02:59.060 --> 03:04.160
So when we go underneath Account Policies here, you'll see it says Password Policy.

03:04.160 --> 03:06.800
So first of all, it'll have a maximum password age.

03:06.800 --> 03:11.600
That means I'm going to change my password every 180 days.

03:11.600 --> 03:16.490
There's a minimum password age, and this is 0 days, which means I could change my password every day

03:16.490 --> 03:18.090
if I wanted to.

03:18.170 --> 03:23.000
Now next is going to be the minimum password length, so it's going to say, well, we have to have at least

03:23.000 --> 03:26.940
seven characters. Password must meet complexity requirements.

03:26.930 --> 03:32.450
Now these are actually defined by Windows, which means upper and lower case, numeric, special characters, that

03:32.450 --> 03:33.530
type of thing.

03:33.920 --> 03:37.140
And then up at the top here is Enforce password history.

03:37.160 --> 03:41.240
So basically if we have a maximum password age, which means people are going to have to change their

03:41.240 --> 03:47.510
password, it's going to remember the last 24 passwords, which in my opinion is probably the best possible

03:47.510 --> 03:52.760
way you could ever think of to have all of your users constantly calling your administrators because

03:52.760 --> 03:54.170
they can't remember passwords.

03:54.170 --> 03:58.820
However, be that as it may, make sure you understand how these work.

03:59.000 --> 04:03.450
Now the last one is Store passwords using reversible encryption.

04:03.490 --> 04:10.120
You can, if you want to, store passwords in such a way that they could be cracked more easily.

04:10.210 --> 04:15.030
And that's really all that means. It is not an option that I'm aware of anybody wanting to use.

04:15.040 --> 04:16.420
But it is there.

04:16.690 --> 04:20.430
Now let's move down here to Account Lockout Policy.

04:20.440 --> 04:24.820
Now we've all logged into Windows and you forget your password, you forget your password, and then it

04:24.820 --> 04:26.410
kind of stalls for a minute.

04:26.410 --> 04:27.850
That's not what I'm talking about here.

04:27.850 --> 04:30.360
In this case we're talking about a real lockout.

04:30.400 --> 04:36.190
So if we take a look at how this one is currently set up here, it says account lockout threshold, which

04:36.190 --> 04:38.100
is five invalid attempts.

04:38.110 --> 04:44.740
Now after five attempts, if you mess up, you have an account lockout duration, which is 30 minutes.

04:44.770 --> 04:47.610
So get it right or you're going to be sitting around for 30 minutes.

04:47.620 --> 04:52.720
Again, a really, really good way to have people constantly calling your administrators. 30 minutes seems

04:52.720 --> 04:55.110
like an awfully long time to me personally.

04:55.180 --> 04:59.830
The third and last option here is Reset account lockout counter after.

04:59.830 --> 05:04.900
Now that one's a little bit complex. What we're talking about is, so we've got five strikes and you're

05:04.900 --> 05:05.080
out.

05:05.080 --> 05:09.090
So you log in once, you got it wrong; you log in twice, you got it wrong.

05:09.100 --> 05:13.570
Now you're going to stop because you're trying to figure out what your password is, so you're checking

05:13.570 --> 05:21.060
something or calling somebody. This option says how long do we wait before we reset your attempts back to

05:21.060 --> 05:21.930
zero.

05:21.930 --> 05:24.900
So in this case this particular one is set to 30 minutes.

05:25.050 --> 05:31.130
And again, a little bit long, but at least we understand what all these different terms mean.

05:31.140 --> 05:38.100
So the cool part about local security policies is that they allow us to have really tight control over

05:38.160 --> 05:40.790
anybody who does anything on this system.

05:40.950 --> 05:45.870
And again, pretty much every operating system has a feature set similar to this.

05:45.870 --> 05:50.730
The downside is, what if I'm in control of a whole bunch of computers?

05:50.820 --> 05:56.940
Isn't there some magic way that I can go ahead and say all of you computers must meet all of these requirements

05:56.940 --> 05:58.380
and do this type of stuff?

05:58.440 --> 06:01.020
And there most certainly is something like that.

06:01.180 --> 06:07.170
In particular, if you're using Windows Active Directory, it's called Group Policy Objects.

06:12.080 --> 06:18.780
To see Group Policy Objects working, I've got a copy of Windows Server 2016 that I pulled down from Microsoft.

06:18.890 --> 06:23.510
So let's go to our Server Manager, and if you scroll through here you can actually see a little

06:23.510 --> 06:26.560
tool called Group Policy Management.

06:26.660 --> 06:33.410
Now Group Policy Management is pretty much identical to what you saw with your local security policies

06:33.410 --> 06:38.410
on individual systems, with one big difference with Group Policy Objects.

06:38.450 --> 06:44.570
We can apply these, if we want to, to entire domains, we can apply them to different

06:44.570 --> 06:49.410
sites, we could apply them to groups, we can make our own organizational unit.

06:49.420 --> 06:54.590
So if I want to make something that's like all the accountants in Dallas who use laser printers, I can

06:54.590 --> 06:58.160
apply Group Policy Objects to even stuff like that.

06:58.160 --> 07:02.420
So the real power of this is that I could apply it in a very granular way.

07:02.420 --> 07:07.070
Now keep in mind you've got to have a copy of Windows Server to pull this off, and you have to have an

07:07.070 --> 07:07.900
Active Directory.

07:07.910 --> 07:11.320
So if you've got all that in mind, let me show you some of the fun we can do.

07:12.760 --> 07:17.620
So right now I've got this fun little domain called totaltest.local.

07:17.620 --> 07:21.950
So if we look under my domain, you'll see here's totaltest.local.

07:22.020 --> 07:28.440
Now I have a Default Domain Policy that's actually put in there by Windows during the installation process.

07:28.440 --> 07:36.230
So what I'm going to do is click on Edit, and I can actually edit what the policies are for anybody who

07:36.230 --> 07:37.870
logs into the domain.

07:37.970 --> 07:39.380
So I go under here.

07:40.150 --> 07:45.210
Then I go into Windows Settings and you'll see Security Settings right here.

07:45.240 --> 07:49.710
And when you look at this hopefully you're going to see something that looks really familiar.

07:49.710 --> 07:56.510
First of all, Account Policies. Does that look familiar? Password Policy, Account Lockout Policy.

07:56.600 --> 07:57.660
Let's open that up.

07:57.680 --> 07:59.140
We'll click on Password Policy.

07:59.150 --> 08:06.400
There it is: Enforce password history, maximum password age, minimum age, everything we saw before in

08:06.410 --> 08:08.070
a local security policy.

08:08.240 --> 08:15.260
And even under Account Lockout Policy we have duration, threshold and the reset lockout counter after.

08:15.260 --> 08:20.930
So your Group Policy Objects are pretty much identical to what we saw with our local security policy,

08:21.140 --> 08:22.550
with one big difference.

08:22.550 --> 08:26.050
They can work across an entire Active Directory.

08:26.040 --> 08:30.560
Now keep in mind you have to have Windows Server, you have to be running Active Directory, to take advantage

08:30.560 --> 08:31.810
of Group Policy Objects.

08:31.910 --> 08:33.390
But it works great.

08:33.440 --> 08:40.730
Now there are a lot of options out there other than Microsoft Windows Active Directory Group Policy

08:40.730 --> 08:45.640
Objects, wonderful third-party tools. Some of them are a little pricey, but they have the same power and

08:45.650 --> 08:46.540
granularity.

08:46.550 --> 09:05.230
However, for the exam it seems that the only one they know about is good old Windows Group Policy Objects.
