Jeff7181
Lifer
- Aug 21, 2002
- 18,368
- 11
- 81
Almost EVERY SINGLE instance of Active Directory in existence does this. The admin can check the box that says "password never expires" on anyone's password. That is circumventing the password policy.
As for brute force; Resetting passwords IS the way of preventing brute force. It would take a computer EONS just to break the password P@$$word4231, but like was already mentioned, the password would have been changed by the time it would have been cracked by any means, whether it be rainbow charts, birthday attacks, dictionary attacks OR brute force, and be obsolete.
IMO it would be so much easier to use social engineering to gain access to a system rather than trying to gain access through a firewall or VPN solution. I'm trying to get my office to implement a "no tell" policy to prevent this very thing. If we need to work on someone's machine we just ask for the password and they give it to us, no questions asked. ANYONE could pose as an IT person via phone or even in person; the enterprise is big enough with enough IT contractors coming and going that someone could get access pretty easily with a flippant line like "Hey, I need to correct some errors we've been seeing on your machine, give me your password and I'll take care of it later today." The person will hand over the password without a second thought.
If a no-tell policy was in place where we say NO ONE, not even IT, under ANY circumstances will ever ask for your password, then the same question throws up a red flag to that employee and the imposter should be outed. Sorry, tangent there...
Point is, it isn't completely pointless to change passwords in any case. The human factor is a factor with any security policy.
Active Directory may allow it, but that doesn't mean that setting shouldn't get corrected during an audit. I used to work for a company that would run multiple automated daily checks for such things, correct them and report on it. If I'm not mistaken, this sort of thing is required to be PCI compliant. That company even went a step further and would audit those types of settings changes to find out who changed them, so they could take corrective action if a particular person was found to be repeatedly/knowingly changing settings that took the company out of compliance.
A no-tell policy should be a given. That's a smart move to put into place because it should have been in place already. To me, it's utterly ridiculous that anyone should tell anyone else their password for any reason. If someone needs access to someone else's account, the password should be reset to a temporary password during troubleshooting or whatever is going on, then reset again once the activity is over with. During the transition, you should test the employees, too. Ask for their password sometime and report to their boss whether or not they handed it over, and let their boss ream them a new one if they give it up.
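The daily check-and-correct routine described in the reply above, written out as an added example (this is not code from either poster or from any named product). It finds enabled accounts with the "password never expires" flag set, writes a report, optionally clears the flag, and then pulls Security event 4738 ("A user account was changed") from the domain controllers to attribute who set the flag. Assumptions: the RSAT ActiveDirectory module is installed, the account running it can read (and with -Remediate, modify) user objects, "Audit User Account Management" is enabled on the DCs, the $AllowList service-account name and the whole-domain $SearchBase are placeholders, and the 4738 message text and property positions follow the English event template.

```powershell
# Added example: daily audit of the AD "password never expires" flag,
# with remediation and attribution of who set it. Not from the original thread.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # assumption: scan the whole domain
    [string[]]$AllowList = @('svc-backup'),                   # assumed, documented exception list
    [switch]$Remediate,
    [string]$ReportPath = "$env:TEMP\never-expires-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory

# 1. Every enabled user with the DONT_EXPIRE_PASSWD UserAccountControl bit set,
#    minus the explicitly allowed exceptions (so exemptions are visible, not silent).
$offenders = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -SearchBase $SearchBase -Properties PasswordNeverExpires, PasswordLastSet, whenChanged |
    Where-Object { $AllowList -notcontains $_.SamAccountName }

# 2. Record the findings before changing anything, so the report is the state at check time.
$report = foreach ($u in $offenders) {
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        PasswordLastSet   = $u.PasswordLastSet
        LastChanged       = $u.whenChanged
        Action            = if ($Remediate) { 'Cleared' } else { 'Reported' }
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# 3. Clear the flag when asked. The user keeps the current password; it simply
#    starts aging under the domain password policy again and will expire on schedule.
if ($Remediate) {
    $offenders | Set-ADUser -PasswordNeverExpires $false
}

# 4. Attribution: event 4738 on each DC records the old/new UserAccountControl
#    value plus the subject who made the change. Requires user account management
#    auditing to be on. The message match and property indexes assume the English
#    event template (Properties[1] = TargetUserName, Properties[5] = SubjectUserName).
$since = (Get-Date).AddDays(-1)
$changes = Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4738; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "'Don't Expire Password' - Enabled" } |
    ForEach-Object {
        [pscustomobject]@{
            DC      = $_.MachineName
            Time    = $_.TimeCreated
            Target  = $_.Properties[1].Value   # account that was modified
            Subject = $_.Properties[5].Value   # who made the change
        }
    }
}
$changes | Sort-Object Time | Format-Table -AutoSize
```

Run it without -Remediate first and compare the CSV against the exception list before letting it clear flags; the 4738 query is what turns a one-off fix into the "who keeps doing this" evidence the reply describes, and it only works if the DCs were auditing account management before the change happened.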