Is your organization using a secure password management solution? In the age of phishing emails and ransomware, secure password management is one of the most important processes an organization can implement. The reason I say “process” instead of “product” is because although there are great products out there that tout secure password management, the reality is that most security initiatives should always starts with process rather than just buying products.
For most environments, secure password management controls should be:
- What defines a password. User accounts have passwords, but so do service principals and storage accounts in the cloud
- How often passwords are changed and how complex they must be
- Tools and systems end users and admins can use to securely store passwords
- Where certain types of passwords can be used. I.E. domain admin passwords can only be used on domain controllers
- Rotation of service account passwords and limiting where they can be used. I.E. why would a service account ever need to be logged into remotely via VPN?
- All of the above written down in policy for end users and administrators
Just like anything else, I see varying levels of maturity related to secure password management in the companies I consult for. Some places are all in on SPM with great processes and the best of the best tools in place. Others are less mature and doing the bare minimum based on regulatory requirement or scrutiny because of a recent breach. Most places are somewhere in between. I do have a basic set of recommendations for all of our customers, most of which don’t cost anything but time, training and a written policy.
Here is my top ten list related to passwords and accounts:
- Workstation admins only login to workstations. Server admins only login to servers. Domain Admins only login to domain controllers. This may mean some admins have 3 accounts, but so be it. If an end user workstation gets compromised, with malware you don’t want the bad guys pulling a domain admin password out of memory. If you don’t believe me, research ransomware such as Ryuk.
- Use MFA on everything. Not just for remote access. Not just for admins. Not just because a vendor mandates it. Get a solid MFA solution for all users, no matter where they’re logging in. For the ones that complain about using their own phone, get them a hardware token. This is more authentication than password management, but I always slip it in.
- Service account passwords are not set it and forget it. They should be rotated in a secure fashion on a regular basis. In the Windows and AD world, this can be done with group managed service accounts where services support them. This can also be orchestrated through automation and vaulting software such as systems like Hashicorp vault.
- Secrets are passwords too so treat them as such. In the cloud world, we end up with a lot of tokens and secrets that are used for seamless access to cloud services. This could be a storage account key or application secret tied to a service principal. These items need to be managed properly and stored securely. Don’t let developers commit keys to source control.
- Don’t store any token or password that displays once in a password keeper. One–time passwords are meant to be set one time.
- Implement a privileged account management solution. This is always going to be a product. I know I said process before product, but products are still necessary. Most PAM solutions support MFA, check out/check in of accounts, and automatic password rotation. At some customers I work at, I show up, check out my admin account for the day using MFA, and when I’m done for the day the password rotates. These solutions usually also support some form of service account management and password rotation.
- Reduce the number of passwords users and admins need to remember. Use federation where possible. Yes, this means one account is used for a lot of different services, but at least you can guarantee a password change on that account and force MFA on it.
- Use a solution such as LAPS to securely rotate local workstation and server administrator passwords.
- Always have a break glass account for every
- Audit. This can be as simple as running scripts against Active Directory for items such as:
- Last password change time
- Accounts with password changes disabled
- Use last logon time to determine if an account is even being used
The above recommendations are items I’ve come up with through the years of working at many customers. This list is not exhaustive of every option and recommendation the world related to passwords, but rather is meant to get you thinking about how you govern the use of passwords in your own environment.
Justin Knash is the CTO of X-Centric and specializes in security, automation, cloud, and core Microsoft and Linux infrastrcucture. Contact him via email at firstname.lastname@example.org or on Twitter at @justinknash.