How To Smoothly Implement A Strong Password Policy
Suzanne Peck
Changing your company’s password policy can create a high level of apprehension for the IT department as well as management, especially when the password policy will become more restrictive for end-users. Your company’s management team will be primarily concerned with how to deploy a new software tool effectively to the entire network, while your IT help desk will be primarily concerned with how to implement a new tool without upsetting the end-users and causing extra work for their department. Upset end-users will create a higher volume of help desk calls, resulting in more work for the IT help desk. At nFront Security, we’re here to let you know there are ways to mitigate the level of apprehension with an effective deployment plan. If your company plans appropriately, the transition from Windows Password Complexity to a Windows Password Filter, like the nFront Password Filter, will be seamless and stress-free. It will be your easiest project of the year.
First, let’s discuss the reasons why it is important to transition from Windows Password Complexity to a Windows Password Filter.
1. Blacklist Commonly Used Passwords – Microsoft Password Complexity allows for commonly used words like Password, Summer, and Football in passwords. These are very weak words that will result in passwords being breached. These commonly used words, along with your company name, need to be prohibited from end-user passwords.
2. Meeting Compliance Standards – Microsoft Password Complexity does not have many of the requirements that are needed for compliance audits. The nFront Password Filter has one-click compliance settings for certain compliance audits.
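The gap described in the first reason above, as an added example (not nFront's code or algorithm): a simplified model of the built-in complexity rule accepts passwords built on the words named there, while a deny-list check rejects them. The deny list, the company name `contoso`, the substitution table and the 8-character minimum are assumptions made for the illustration, and the substitution handling goes a step beyond what this post describes.

```python
import re

# Constructed sample deny list: the three words named above plus a
# hypothetical company name ("contoso"). A real list would be far longer.
DENY_WORDS = ["password", "summer", "football", "contoso"]

# Common character substitutions undone before matching (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(password, account_name, min_length=8):
    """Simplified model of the built-in complexity rule: minimum length,
    characters from 3 of 4 classes, account name not contained."""
    if len(password) < min_length:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    return True


def denied_word(password, deny_words=DENY_WORDS):
    """Return the first deny-listed word found in the password, else None.
    Checks the lowercased form and a form with substitutions undone."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET)}
    for word in deny_words:
        if any(word in c for c in candidates):
            return word
    return None


def evaluate(password, account_name):
    """Accept a password only if it passes both checks."""
    if not meets_complexity(password, account_name):
        return (False, "fails complexity")
    word = denied_word(password)
    if word:
        return (False, f"contains deny-listed word '{word}'")
    return (True, "accepted")


if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical account "jsmith".
    for pw in ["Summer2020!", "P@ssw0rd123", "F00tball#9", "kettle-Orbit-94-maple"]:
        print(pw, meets_complexity(pw, "jsmith"), evaluate(pw, "jsmith"))
```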
To smoothly implement a better password policy without upsetting end-users and causing unneeded stress for your IT department, here are two easy steps:
1. You will need to segment your end-users into groups and/or OUs. It is likely that you already have groups set up for file and print sharing. I would recommend segmenting based on their security level and type of account. For example, I would recommend, at a minimum, having three different OUs: privileged accounts, non-privileged accounts, and service accounts. Your privileged accounts OU will mainly consist of your IT Department, which has access to your company’s network. The non-privileged accounts OU will be all other employees who do not have access to the company’s network and secure information. This OU can be split further for larger companies, as explained in the note below. Lastly, the service accounts OU is self-explanatory. All service accounts in your Active Directory should be included in this OU.
Note: If you want to further segment your company’s non-privileged accounts OU, I would recommend segmenting by department. For example, you can place the Human Resources department in one OU and your Accounting department in another OU. This strategy will help you deploy the nFront Password Filter more slowly and smoothly across different departments.
2. Once all groups and/or OUs have been defined, you can begin planning the staged deployment. You will want to determine which OUs will be affected by the new password policy on which date. For example, for the first week of the deployment, you will need to determine which groups and/or OUs you wish to deploy the new password policy to. Then, you will also need to determine the time interval you feel comfortable with before the next group and/or OU is affected by the nFront Password Filter.
Here is an example plan for a school district:
August 6, 2020: Deploy the nFront Password Filter to all privileged accounts (IT Department)
August 13, 2020: Deploy the nFront Password Filter to all service accounts
August 20, 2020: Deploy the nFront Password Filter to the County Office OU
August 27, 2020: Deploy the nFront Password Filter to the Local School Administration OU
September 3, 2020: Deploy the nFront Password Filter to the Teachers OU
At this point, you will want to continue with any groups and/or OUs that the software has not been deployed to.
The purpose of spreading out the deployment of the nFront Password Filter is to ease any stress that the new password policy might have on your company’s help desk. There will not be an overwhelming number of calls and/or emails if there is any confusion about the new password policy.