What can you expect from this document:
This document covers some basic security best practices for user authentication that, combined with other security measures, will help to increase the overall security of your system.
What is the threat?
Without strong authentication practices, a potential attacker can more easily gain access to your server. The attacker can then utilize your server for malicious activities, take advantage of your server’s resources, or possibly overtake the server, locking you out of it completely.
User Authentication Best Practices
The following guidelines will help you to increase your server’s resilience to cyber-attacks by using practices and policies that minimize an attacker’s ability to gain access to your server.
1. Use strong and complex passwords
What makes a password considered strong?
- At least eight characters in length
- Does not contain your username, real name, or company name
- Does not contain a complete word
- Is significantly different from previous passwords you’ve used
- Contains characters from all of the following four categories:
A password might meet all the criteria above and still be a weak password. For example, “Hello2U!” meets most of the criteria for a strong password listed above, but is still weak because it contains a complete word. The password “H3ll0 2 U!” is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes blank spaces.
Creating a strong and complex password can be easy:
Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as “My son's birthday is December 12, 2004.” Using that phrase as your guide, you might shorten this into a password such as “MsbiDec12,2004” by keeping the first letter of each word in the phrase, and choosing a phrase that incorporates numbers and punctuation.
You can also use the entire phrase as a password by substituting some letters with numbers or symbols, or by misspelling entire words (although this can sometimes be more difficult to remember). Example:
My son's birthday is 12 December, 2004. By substituting numbers and symbols, this sentence could be transformed into the following password: Mi$un's Brthd8iz 12124.
Try relating your password to a favorite hobby or sport. For example, “I love to play badminton” could become “ILuv2PlayB@dm1nt()n”.
If you feel you must write down your password in order to remember it, make sure you don't label it as your password, and keep it in a safe place.
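The criteria listed above can be turned into a check that explains why a candidate such as “Hello2U!” fails while “H3ll0 2 U!” passes. This is an added example, not code from the original document; the page does not name the four character categories, so the function assumes the usual uppercase, lowercase, digit and symbol classes, and the word list is a small constructed stand-in for a real dictionary.

```powershell
# Added example: evaluate a password against the criteria in this document.
# $WordList is a constructed stand-in for a real dictionary.
$WordList = @('hello', 'password', 'welcome', 'badminton', 'birthday', 'december', 'love')

function Test-PasswordStrength {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $UserName = '',
        [string]   $RealName = '',
        [string]   $CompanyName = '',
        [string[]] $PreviousPasswords = @()
    )
    $problems = @()
    if ($Password.Length -lt 8) { $problems += 'shorter than eight characters' }

    # Must not contain the username, real name or company name (case-insensitive).
    foreach ($pair in @(@('username', $UserName), @('real name', $RealName), @('company name', $CompanyName))) {
        $label, $value = $pair
        if ($value -and $Password -match [regex]::Escape($value)) { $problems += "contains your $label" }
    }

    # "Complete word": a dictionary entry appearing as a contiguous run of letters.
    $lower = $Password.ToLowerInvariant()
    foreach ($w in $WordList) {
        if ($lower -match "(?<![a-z])$([regex]::Escape($w))(?![a-z])") { $problems += "contains the word '$w'" }
    }

    # "Significantly different": here, the old password must not survive inside the new one.
    foreach ($old in $PreviousPasswords) {
        if ($old -and $lower.Contains($old.ToLowerInvariant())) { $problems += 'too similar to a previous password' }
    }

    # Assumed categories: uppercase, lowercase, digit, symbol (-cmatch is case-sensitive).
    $categories = @(
        ($Password -cmatch '[A-Z]'), ($Password -cmatch '[a-z]'),
        ($Password -match '\d'), ($Password -match '[^A-Za-z0-9]') | Where-Object { $_ }
    )
    if ($categories.Count -lt 4) { $problems += "uses only $($categories.Count) of the four character categories" }

    [pscustomobject]@{ Password = $Password; Strong = ($problems.Count -eq 0); Problems = $problems }
}

# The passwords discussed in the text: the first is flagged for the word "hello".
'Hello2U!', 'H3ll0 2 U!', 'ILuv2PlayB@dm1nt()n' | ForEach-Object { Test-PasswordStrength -Password $_ }
```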
2. Never reuse passwords for different services
Using the same password for multiple accounts weakens the effectiveness of your password. If an attacker successfully determines your password for any kind of account you use, they will certainly try this same password to gain access to your server. Therefore, you should always create a unique password for every user account on your server.
3. Change the passwords on a regular basis
Changing the password on a regular basis decreases the possibility that an attacker performs a successful attack on your password. Changing your password once every 90 days is an effective addition to already using a strong password.
4. Apply temporary account lockouts to prevent brute force or dictionary attacks
The Account Lockout Policy settings determine the number of failed login attempts allowable before a user account is locked. Once locked, no logins are permitted for a set period of time.
Brute-force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. This is why the effectiveness of such attacks can be reduced by limiting the number of failed login attempts.
However, it is important to note that a denial-of-service (DoS) attack could be performed on the server that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of account lockout threshold, the attacker could potentially lock every account.
How to configure:
- Click Control Panel > System and Security > Administrative Tools
- Click on the Local Security Policy menu entry
- In the Local Security Policy window select Account Lockout Policy (path is: Security Settings/Account Policies/Account Lockout Policy).
- In the details pane, right-click the policy setting that you want.
- Click Properties.
There are three relevant settings in total:
- Account lockout duration: the length of time an account stays locked after excessive logon attempts (as defined by the policy) are detected, for example 15 minutes.
- Account lockout threshold: the number of unsuccessful logon attempts that must occur before the account is locked out, for example 10.
- Reset account lockout counter after: the number of minutes after which the failed-attempt counter (mentioned above) is reset, for example 60.
It is also wise to have a second account on the system as a safety measure, to avoid locking yourself out while implementing the new password policy!
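The settings above can be audited without clicking through the console, and the lockout denial-of-service described earlier can be spotted from the Security log. This is an added example, not part of the original document; it assumes an elevated PowerShell prompt on the server and relies on the secedit export key names and Security event ID 4740 (account locked out). Note that Windows requires the reset window to be no longer than the lockout duration, which the script checks.

```powershell
# Added example: read the Account Lockout Policy from a secedit export and check it.
$cfg = Join-Path $env:TEMP 'lockout-policy.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# The [System Access] section carries the three settings under these key names.
# Timers are in minutes; LockoutDuration -1 means locked until an administrator unlocks.
$policy = @{ LockoutBadCount = 0; LockoutDuration = 0; ResetLockoutCount = 0 }
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

"Account lockout threshold          : $($policy.LockoutBadCount) attempts"
"Account lockout duration           : $($policy.LockoutDuration) minutes"
"Reset account lockout counter after: $($policy.ResetLockoutCount) minutes"

if ($policy.LockoutBadCount -eq 0) {
    Write-Warning 'Lockout threshold is 0: accounts are never locked, so failed logins are not throttled.'
} elseif ($policy.LockoutBadCount -gt 10) {
    Write-Warning "Lockout threshold $($policy.LockoutBadCount) is higher than the example value of 10 used above."
}
# Windows does not accept a reset window longer than the lockout duration.
if ($policy.LockoutBadCount -gt 0 -and $policy.LockoutDuration -ne -1 -and
    $policy.ResetLockoutCount -gt $policy.LockoutDuration) {
    Write-Warning 'Reset counter exceeds lockout duration; Windows will not accept this combination.'
}

# Detection for the lockout DoS scenario: event 4740 is written for every lockout,
# so a burst of them in a short window is worth investigating.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-1) }
$recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($recent.Count -gt 5) {
    # Property 0 of event 4740 is TargetUserName, the account that was locked.
    $who = ($recent | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join ', '
    Write-Warning "$($recent.Count) account lockouts in the last hour for: $who"
}
```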
5. Only allow logins to the system for accounts that need access
Access to the system should only be allowed for users who need to work with it. This means restricting RDP logon access and reviewing the members of the “Remote Desktop Users” and “Administrators” groups to confirm that they are the users who truly need access.
In order to verify that, do the following:
- Click the start button.
- In the menu, right-click This PC.
- Click Manage
- In the Server manager, click Local Server in the left navigation bar.
- Click Tools in the top menu.
- Click Computer Management.
- Click Local Users and Groups.
- Double-click Groups
- Double-click the group you want to edit, for example Remote Desktop Users or Administrators.
Make sure that the groups only contain those users who work with the system.
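The same review can be scripted so it is repeatable, and extended with the 90-day password age check from point 3. This is an added example, not code from the original document; it uses the Get-LocalGroupMember and Get-LocalUser cmdlets, and the allow-list names are placeholders to replace with your own.

```powershell
# Added example: list members of the two groups named above, flag anyone not on an
# allow-list, and flag enabled local accounts with passwords older than 90 days.
$Allowed = @{
    'Administrators'       = @('Administrator', 'srv-admin')   # placeholder names
    'Remote Desktop Users' = @('alice', 'bob')                  # placeholder names
}

$members = foreach ($group in $Allowed.Keys) {
    # Get-LocalGroupMember does not expand nested groups: a nested group appears with
    # ObjectClass 'Group' and must be reviewed separately.
    Get-LocalGroupMember -Group $group | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]      # strip the COMPUTER\ or DOMAIN\ prefix
        [pscustomobject]@{
            Group    = $group
            Member   = $_.Name
            Type     = $_.ObjectClass
            Source   = $_.PrincipalSource        # Local, ActiveDirectory, AzureAD, ...
            Expected = [bool]($Allowed[$group] -contains $short)
        }
    }
}
$members | Format-Table -AutoSize

foreach ($m in $members | Where-Object { -not $_.Expected }) {
    Write-Warning "Not on the allow-list: $($m.Member) in '$($m.Group)' ($($m.Type))"
}

# Point 3 above: passwords should be changed every 90 days.
$cutoff = (Get-Date).AddDays(-90)
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($null -eq $_.PasswordLastSet) {
        Write-Warning "$($_.Name): password has never been set"
    } elseif ($_.PasswordLastSet -lt $cutoff) {
        $age = [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        Write-Warning "$($_.Name): password is $age days old"
    }
}
```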
The use of multi-factor authentication (MFA) is highly recommended, as it simplifies password policies and adds an extra layer of protection.
One good solution for example is Azure MFA.
- MFA: https://azure.microsoft.com/en-us/services/multi-factor-authentication/
- Securing Windows Server 2012R2: https://technet.microsoft.com/en-us/library/hh831360.aspx
- Password strength, policies and requirements:
The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.