Password Management

Chapter 1: Introduction to the Password Management Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

This paper describes several password management approaches and includes guidance on password policies and how to enable password synchronization to multiple authentication stores by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

Password management is a significant part of any solution to improve security in an organization, because weak passwords give anyone with access to those systems an easy way to authenticate and then mount an attack on other user accounts that also have weak passwords.

This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

The effects of poor password management on both an organization's security and its financial health are well known and well documented. Attackers often gain access to sensitive data through weak or stolen passwords. Alternatively, an attacker can use compromised accounts as a foothold within a network to launch increasingly sophisticated and dangerous intrusions into an organization's IT systems.

One or more of the following issues is typically present in organizations with poor password management practices:

Weak and easily breakable passwords.

Passwords that users are not required to change frequently enough, which means that attackers can compromise the passwords through brute force and cryptographic attacks.

Users who each have several passwords.

Passwords that have been written down, which means they can be easily compromised.

Repeated passwords that are not synchronized, which causes confusion and lost productivity.

Numerous calls to the help desk for password resets, resulting in increased operational costs.

Strong passwords synchronized with systems that have inferior security characteristics, which limits the value and security that strong passwords provide.

To illustrate the size of the problem, the PricewaterhouseCoopers/Meta Group Survey 2002, titled "META Group White Paper: The Value of Identity Management," found that 45 percent of help desk calls are for password resets, and that automating password resets reduces this call volume by approximately one-third. For an organization with 10,000 users, the survey estimates a potential annual cost savings of $648,000.

Another business challenge is regulatory compliance. Many industries now have regulations in place that require specific security controls for passwords. These controls may be subject to independent audits, and noncompliance can result in dire consequences. Strong password security is required to meet many of these regulations.

The Business Benefits

Central to any password strategy is a focus on aggregation and integration of processes and technologies into a single comprehensive identity and access management solution. An effective solution will benefit an organization by:

Enabling a simple and cost-effective password change solution for extranet users.

Simplifying the end-user password management experience by reducing the number of places where users must change their passwords.

Improving the overall security of IT systems.

Enabling better integration with business partners' systems.

Who Should Read This Paper

The audience for this paper includes security professionals, architects, technology decision makers, consultants, and senior IT planners. The paper includes configuration files and code samples that IT professionals and developers can use on their own projects.

Reader Prerequisites

Readers who want to implement the guidance in this paper must have the following:

A working knowledge of MIIS 2003 with SP1.

A good understanding of the Active Directory® directory service.

The ability to program in the C# or C++ languages by using the Microsoft Visual Studio® .NET 2003 development environment (to work with the code samples).

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.

Paper Overview

This chapter introduces the paper and describes the scenarios that the paper covers. The other chapters cover the following topics:

Chapter 1: Introduction to the Password Management Paper

The introduction provides an executive summary, describes the recommended audience for the paper, and gives an overview of each chapter in the paper.

Chapter 2: Approaches to Password Management

This chapter explores different approaches to password management. It examines the options available to increase security and improve manageability.

Chapter 3: Issues and Requirements

This chapter considers the Contoso Pharmaceuticals scenario. It expands on a few of the approaches that Chapter 2 outlines by describing technical issues and requirements in greater detail.

Chapter 4: Designing the Solution

This chapter covers the design of the Contoso scenario. Based on the information in Chapter 3, it shows the components of the password management solution.

Chapter 5: Implementing the Solution

This chapter takes the design from Chapter 4 and provides step-by-step prescriptive guidance on how to implement it. Use of the Contoso identity and access management platform demonstrates how you can implement password management to increase the security and usability of your information systems.

Chapter 6: Testing the Solution

This chapter details how to test the solution that you built in Chapter 5 and presents techniques that you can use to test an identity and access management solution in your own organization.

Chapter 7: Operating the Solution

This chapter completes the paper by detailing day-to-day operational procedures for the password management solution.

Solution Scenarios

The solution scenarios in this paper provide prescriptive guidance based on how the fictitious company Contoso Pharmaceuticals has decided to handle various password management approaches. The three scenarios are:

Enforcement of Strong Passwords.

Intranet Password Management.

Extranet Password Management.

Enforcement of Strong Passwords

A security audit at Contoso revealed that Active Directory user accounts were not protected by a strong password policy and that their passwords were not changed on a regular basis. Forcing users to create strong passwords is a cornerstone of an effective password policy.

This solution scenario provides guidance on how to establish and configure a strong password policy with Active Directory and Group Policy.

Intranet Password Management

Many Contoso users have to remember separate passwords for the different internal Contoso systems that they use on a daily basis. This leads to security issues and numerous help desk calls. Password synchronization reduces the number of passwords that users must remember, as well as the associated help desk operating expenses.

This solution scenario provides guidance on how to implement the Password Change Notification Service (PCNS) feature of MIIS 2003 with SP1. This approach enables end users to change their passwords through a familiar mechanism, by using Microsoft Windows® XP or Windows 2000 clients and the CTRL+ALT+DEL Change Password dialog box.

Extranet Password Management

Partners and vendors for Contoso call the help desk regularly to change their passwords on one or more systems because they cannot currently change their passwords over the Internet. Password changes comprise a significant percentage of all help desk requests and, consequently, represent a significant cost to the company.

This solution scenario provides guidance on how to develop a Web page for password changes and build on the password synchronization capabilities of MIIS 2003 with SP1. The scenario also provides a method to notify extranet users when their passwords are about to expire. This approach enables users to change their passwords before expiration by using a single interface, significantly reducing support costs.
