When creating a user in Active Directory, several account options on the user object directly affect how the account authenticates and how its credentials are protected. The choices range from a forced password change at first logon to requiring a smart card. This post walks through the options available on Active Directory users in a Windows Server 2008 domain and the benefits and drawbacks of each. Most of these options are also available for Windows Server 2003 domain users.
Open Active Directory Users And Computers from Start –> Administrative Tools –> Active Directory Users And Computers. Right-click the user you want to configure, choose Properties and select the Account tab. The Account options list shows four options by default:
- User Must Change Password at Next Logon: Useful when creating a user or resetting a password. The user is prompted to change the password at the first logon, before getting in. The point is that the temporary password known to the administrator never becomes the user's working credential. For example, employee “A” asks admin 1 to reset an expired password. Admin 1 sets “Wmlcloud85” and tells user A to log on with it; at that logon user A is forced to choose a different password. If data theft or a similar incident follows, the administrator cannot be held accountable, because he never knew the password actually in use. ADUC implements the option by setting the pwdLastSet attribute to 0. Two caveats: the option is ignored while Password Never Expires is set (ADUC warns about this), and until that first logon the temporary password is a valid credential, so it should still be strong, unique and handed over out of band.
- User Cannot Change Password: Prevents the user from changing the password. ADUC implements it as a deny entry on the account's Change Password right rather than as a flag on the account. It is mostly used for shared or service accounts whose password is managed centrally, and it does not stop an administrator from resetting the password.
- Password Never Expires: Exempts the account from the maximum password age in the domain policy (42 days in the Default Domain Policy), so the user is never forced to change it. It is commonly set on service accounts to avoid outages, which is exactly why it deserves scrutiny: such passwords tend to live for years, and each one needs a compensating control such as scheduled manual rotation.
- Store Password Using Reversible Encryption: Stores the password in a form the domain controller can decrypt back to clear text. Only a few legacy protocols need it (CHAP over RRAS, Digest authentication in IIS), and anyone who can read the directory database, including a copy of it in a backup, recovers the clear-text password. Leave it off.
Further down the Account options list you get the following choices:
- Account is Disabled: Disables the account, for example for employees on vacation or suspension, so that an account no one is currently using cannot be used by someone else. It is also the normal first step when an employee leaves, before the account is eventually deleted.
- Smart Card Is Required For Interactive Logon: Requires a smart card (certificate) instead of a password for interactive logon, which needs a PKI and smart card infrastructure trusted by the domain. When the option is set, the domain controller replaces the account's password with a random value, so the old password can no longer be used.
- Account is Sensitive And Cannot Be Delegated: Prevents any service from using Kerberos delegation to impersonate this user to other services. Set it on administrative and other high-value accounts so that a compromised server holding one of their tickets cannot reuse their identity elsewhere.
- Use Kerberos DES Encryption Types For This Account: Restricts the account's Kerberos keys to the DES types (DES-CBC-CRC and DES-CBC-MD5). Both are single 56-bit DES, which has been practically broken for years; Windows 7 and Windows Server 2008 R2 disable DES for Kerberos by default. The option exists only for legacy applications that cannot use anything else, so leave it off. For context, Kerberos is the network authentication protocol of an Active Directory domain: it verifies the user's identity and issues tickets so that only a legitimate user is logging in.
- This Account Supports Kerberos AES 128/256 bit Encryption: Advertises that the account can use AES (128-bit and 256-bit), the encryption standard published by the National Institute of Standards and Technology (NIST), for Kerberos. The check boxes set the msDS-SupportedEncryptionTypes attribute, which exists from the Windows Server 2008 schema onward; AES is used only with Windows Server 2008 or later domain controllers, and AES-protected ticket-granting tickets need the Windows Server 2008 domain functional level. AES keys are derived when the password is set, so an account that predates AES support gains them only at its next password change.
- Do Not Require Kerberos Pre-Authentication: Not advised. With pre-authentication off, the domain controller returns an authentication response encrypted with the user's password-derived key to anyone who asks for it, and that response can be cracked offline. Keep pre-authentication enabled unless a specific non-Windows Kerberos client cannot work otherwise.
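The following script is an added example, not code from the original post. It audits and hardens the Account tab options above through the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and the RSAT for Windows 7; Windows Server 2008 or 2003 domain controllers need the Active Directory Management Gateway Service to answer it). The account name "svc-backup" and the function names are illustrative.

```powershell
# Added example (not from the original post): audit and fix the userAccountControl
# and msDS-SupportedEncryptionTypes settings behind the Account-tab check boxes.
Import-Module ActiveDirectory

# userAccountControl bits behind the check boxes (ADS_USER_FLAG_ENUM values).
$UacFlags = @{
    ACCOUNTDISABLE             = 0x000002  # Account is disabled
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080  # Store password using reversible encryption
    DONT_EXPIRE_PASSWORD       = 0x010000  # Password never expires
    SMARTCARD_REQUIRED         = 0x040000  # Smart card is required for interactive logon
    NOT_DELEGATED              = 0x100000  # Account is sensitive and cannot be delegated
    USE_DES_KEY_ONLY           = 0x200000  # Use Kerberos DES encryption types
    DONT_REQ_PREAUTH           = 0x400000  # Do not require Kerberos pre-authentication
}
# Two options are not UAC bits: "User must change password at next logon" is
# pwdLastSet = 0, and "User cannot change password" is a deny ACE on the
# account's Change Password right.

# msDS-SupportedEncryptionTypes bits behind the two AES check boxes.
$AES128 = 0x08
$AES256 = 0x10

function ConvertFrom-UserAccountControl {
    # Turn a raw value such as 66048 into the names of the bits that are set.
    param([Parameter(Mandatory=$true)][int]$Value)
    $UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 } | Sort-Object
}

function Find-AccountsWithAnyFlag {
    # Server-side search: matching rule 1.2.840.113556.1.4.804 is a bitwise OR,
    # so the DC returns accounts that have at least one bit of $Mask set.
    param([Parameter(Mandatory=$true)][int]$Mask)
    $filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=$Mask))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl
}

function Test-AccountOptions {
    # Per-user findings for the options that weaken authentication.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$User)
    process {
        $uac  = [int]$User.userAccountControl
        $etyp = [int]$User.'msDS-SupportedEncryptionTypes'   # unset (null) becomes 0
        $f = @()
        if ($uac -band $UacFlags.ENCRYPTED_TEXT_PWD_ALLOWED) { $f += 'reversible encryption' }
        if ($uac -band $UacFlags.USE_DES_KEY_ONLY)           { $f += 'DES-only Kerberos keys' }
        if ($uac -band $UacFlags.DONT_REQ_PREAUTH)           { $f += 'no pre-authentication' }
        if ($uac -band $UacFlags.DONT_EXPIRE_PASSWORD)       { $f += 'password never expires' }
        if ($User.adminCount -eq 1 -and -not ($uac -band $UacFlags.NOT_DELEGATED)) {
            $f += 'privileged but not marked sensitive'
        }
        # An absent attribute historically meant RC4 only for user accounts.
        if (($etyp -band ($AES128 -bor $AES256)) -eq 0) { $f += 'AES not advertised' }
        New-Object PSObject -Property @{
            SamAccountName = $User.SamAccountName
            Flags          = (ConvertFrom-UserAccountControl $uac) -join ','
            Findings       = $f -join '; '
        }
    }
}

function Set-HardenedAccountOptions {
    # Apply the safe choices from the list above to one account.
    param([Parameter(Mandatory=$true)][string]$Identity, [switch]$Privileged)
    Set-ADAccountControl -Identity $Identity -AllowReversiblePasswordEncryption $false `
        -UseDESKeyOnly $false -DoesNotRequirePreAuth $false -PasswordNeverExpires $false
    if ($Privileged) { Set-ADAccountControl -Identity $Identity -AccountNotDelegated $true }
    # Tick both AES boxes (0x8 + 0x10 = 24). AES keys are derived when the
    # password is set, so force a change at next logon to make sure they exist.
    Set-ADUser -Identity $Identity -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 } -ChangePasswordAtLogon $true
}

# Usage (illustrative account name):
$riskMask = $UacFlags.ENCRYPTED_TEXT_PWD_ALLOWED -bor $UacFlags.USE_DES_KEY_ONLY -bor $UacFlags.DONT_REQ_PREAUTH
Find-AccountsWithAnyFlag -Mask $riskMask | Select-Object SamAccountName
Get-ADUser -Filter * -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', adminCount |
    Test-AccountOptions | Where-Object { $_.Findings } | Format-Table SamAccountName, Flags, Findings -AutoSize
Set-HardenedAccountOptions -Identity 'svc-backup' -Privileged
```

The bitwise LDAP filter is the part worth remembering: it lets the domain controller do the filtering, so the same query works from any LDAP client or an `ldifde` export, not only from the AD module. Run the audit before the hardening step so that service accounts that still depend on a legacy setting are found and fixed deliberately rather than broken by a bulk change.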
At the bottom of the Account tab you can also set an account expiry date, after which the account can no longer log on, so that a contractual employee's account stops working at the end of the contract even if nobody remembers to disable it. The date is stored in the accountExpires attribute and is independent of password expiry; “End of” the chosen day means the account is still usable on that day. One caveat: expiry is enforced when the user authenticates, so sessions and Kerberos tickets obtained before the cut-off keep working until they lapse, which is why disabling the account and resetting its password remain the right response to an actual departure. Used together, expiry and the account options above are a good measure for ensuring network security and preventing possible data theft by a departing employee.
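An added example, not code from the original post, for managing the expiry date from the ActiveDirectory PowerShell module. The account name "contractor01", the OU path and the dates are illustrative.

```powershell
# Added example (not from the original post): set, report and audit account expiry.
Import-Module ActiveDirectory

function Set-ContractEndDate {
    # accountExpires is a FILETIME. The Account tab's "End of: <date>" writes
    # midnight at the start of the following day, so the last contract day
    # stays usable; do the same here.
    param([Parameter(Mandatory=$true)][string]$Identity,
          [Parameter(Mandatory=$true)][datetime]$LastDay)
    Set-ADAccountExpiration -Identity $Identity -DateTime $LastDay.Date.AddDays(1)
    Get-ADUser -Identity $Identity -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}

function Get-ExpiringAccounts {
    # Accounts that stop authenticating within $Days. Run it weekly so contract
    # extensions are handled before the person is locked out.
    param([int]$Days = 30)
    Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Select-Object SamAccountName, AccountExpirationDate
}

function Get-AccountsWithoutExpiry {
    # Both 0 and 0x7FFFFFFFFFFFFFFF mean "never". Point it at the contractor OU
    # to catch accounts that were created without an end date.
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    $filter = '(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))'
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase | Select-Object SamAccountName
}

# Usage (illustrative names and dates):
Set-ContractEndDate -Identity 'contractor01' -LastDay '2025-12-31'
Get-ExpiringAccounts -Days 14
Get-AccountsWithoutExpiry -SearchBase 'OU=Contractors,DC=example,DC=com'
```

Because expiry is only checked at authentication, pair the expiry date with the reporting function rather than relying on the date alone: the report is what tells you an account has quietly passed its cut-off and should now be disabled and have its password reset.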