
I have an interesting security problem: Admins with AD access have been changing their password to the same thing, and breaching the company security policy.

User side, standard AD complicated password policy is in place (expires after x days, has to be one that isn't used, etc.), but because they have that access, they can overwrite it with a previous password.

Is there any way of forcing admins in AD to comply with these settings? Or to have an alert trigger via something when they do?

Removing their access isn't an option unfortunately. An option could be that they can't modify their own passwords (we have an admin account and a user account per administrator).

Nobody NoOne

2 Answers


Short answer: No. When a user (user A) has permission to change another user's (user B) password, they can set it to anything they want. This is effectively your scenario.

There are reasons for this. For example, AD doesn't know that (in this case) user A and user B are in fact the same person. If it presented user A a message saying that the password they were attempting to set for user B matched one of user B's previous passwords, user A then knows one of user B's previous passwords. The same would apply for user C or user X.

The problem then is that user A knows a previous (and potential future) AD password for this user. And outside of AD, very probably a password for any number of other systems.

The solution is to explain the policy to your admins. In theory you shouldn't be able to know that they're re-using passwords anyway, so enforcing it would be near impossible.

The alternative is to use an enterprise SSO solution with multi-factor authentication that automatically randomises user passwords periodically. But this has a cost attached, of course.

Matt
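The alert half of the question can still be served from the Security log even though reuse itself is invisible: a password change (Event ID 4723) is checked against the domain policy, while a reset (Event ID 4724) by an account holding reset rights is not, so a reset of a privileged account by its own owner is the event worth alerting on. This is an added example, not code from the question or either answer; the `adm-` naming convention, the privileged-account list and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed naming convention (not from the thread): each administrator has
# a user account "jsmith" and a separate admin account "adm-jsmith".
PRIVILEGED = {"adm-jsmith", "adm-alice"}

def _event(event_id, subject, target):
    """Build a constructed sample event in the Security-log XML shape."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="TargetUserName">{target}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample log: one policy-checked change, then resets
    _event(4723, "jsmith", "jsmith"),          # change: history applies, ignore
    _event(4724, "adm-jsmith", "adm-jsmith"),  # admin resets own admin account
    _event(4724, "helpdesk", "bob"),           # ordinary helpdesk reset, ignore
    _event(4724, "jsmith", "adm-jsmith"),      # user account resets paired admin account
    _event(4724, "helpdesk", "adm-alice"),     # third party resets a privileged account
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Security-log event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def same_person(subject, target):
    """True if both names belong to one administrator under the assumed convention."""
    def owner(name):
        name = name.lower()
        return name[4:] if name.startswith("adm-") else name
    return owner(subject) == owner(target)

def find_password_reset_alerts(xml_events, privileged=PRIVILEGED):
    """Report 4724 resets of privileged accounts (4723 changes are policy-checked, so skipped).

    A reset bypasses password history and minimum age; a reset by the account's
    own owner is flagged 'self-reset', the scenario in the question."""
    alerts = []
    for xml_text in xml_events:
        event_id, d = parse_event(xml_text)
        subject, target = d["SubjectUserName"], d["TargetUserName"]
        if event_id != 4724 or target.lower() not in privileged:
            continue
        kind = "self-reset" if same_person(subject, target) else "privileged-reset"
        alerts.append({"subject": subject, "target": target, "kind": kind})
    return alerts
```

On a domain controller the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724}` or `wevtutil qe Security /f:xml`, provided the "Audit User Account Management" subcategory is enabled.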

This may be possible if you implement a custom password filter on each DC: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx

But this requires programming skills.

iPath